From 183429e894711642a27dbec51bb60432e44c6000 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 29 2023 07:38:50 +0000
Subject: import ipa-4.6.8-5.el7_9.15
---
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch b/SOURCES/0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch
new file mode 100644
index 0000000..3642e98
--- /dev/null
+++ b/SOURCES/0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch
@@ -0,0 +1,117 @@
+From bb224602e105859e93a52f8c9f464eb9cbe79b0a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 26 Jun 2023 13:06:51 -0400
+Subject: [PATCH] Fix memory leak in the OTP last token plugin
+
+Three memory leaks are addressed:
+
+1. String values retrieved from the pblock need to be manually
+freed.
+
+2. The list of objectclasses retreived from the pblock need to be
+freed.
+
+3. Internal search results need to be freed.
+
+Fixes: https://pagure.io/freeipa/issue/9403
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Rafael Guterres Jeffman
+Reviewed-By: Alexander Bokovoy
+---
+ .../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 38 +++++++++++++------
+ daemons/ipa-slapi-plugins/libotp/otp_token.c | 1 +
+ 2 files changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+index b7a2ba7f012fdbf90284ee6605788e196aa4793b..11106b239f9de9074125979cfae7c02e434936e1 100644
+--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
++++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id;
+
+ static bool entry_is_token(Slapi_Entry *entry)
+ {
+- char **ocls;
++ char **ocls = NULL;
+
+ ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
+ for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
+@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry)
+ }
+ }
+
++ slapi_ch_array_free(ocls);
+ return false;
+ }
+
+@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn)
+ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
+ {
+ Slapi_DN *target_sdn = NULL;
+- const char *bind_dn;
++ char *bind_dn;
++ bool rv = false;
+
+ /* Ignore internal operations. */
+ if (slapi_op_internal(pb))
+@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
+ /* Load parameters. */
+ (void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+ (void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
+- if (target_sdn == NULL || bind_dn == NULL) {
+- LOG_FATAL("Missing parameters!\n");
+- return false;
++ if (bind_dn == NULL) {
++ LOG_FATAL("bind_dn parameter missing!\n");
++ goto done;
++ }
++ if (target_sdn == NULL) {
++ LOG_FATAL("target_sdn parameter missing!\n");
++ goto done;
+ }
+
+ if (entry != NULL
+ ? !entry_is_token(entry)
+- : !sdn_in_otp_container(target_sdn))
+- return true;
++ : !sdn_in_otp_container(target_sdn)) {
++ rv = true;
++ goto done;
++ }
+
+- if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
+- return true;
++ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) {
++ rv = true;
++ goto done;
++ }
+
+- if (is_pwd_enabled(bind_dn))
+- return true;
++ if (is_pwd_enabled(bind_dn)) {
++ rv = true;
++ goto done;
++ }
+
+- return false;
++done:
++ slapi_ch_free_string(&bind_dn);
++ return rv;
+ }
+
+ static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
+diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
+index a3cbfb0621c071f8addb29f7ce02f870a807c61d..4be4ede07cbbd0d26bcc9952ef4d84d777076ae7 100644
+--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
++++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
+@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn
+ }
+
+ error:
++ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+ return tokens;
+ }
+--
+2.41.0
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 5e6669d..cc61279 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
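Review bot: In `is_allowed`, `bind_dn` is declared `char *bind_dn;` with no initializer, yet the new `done:` label passes it to `slapi_ch_free_string(&bind_dn)`. The result of `slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn)` is discarded with `(void)`, so if that call ever fails without writing its output, both the `bind_dn == NULL` test and the free act on an indeterminate pointer; before this patch the variable was only read, now it is released. Declaring it as `char *bind_dn = NULL;` would match the `target_sdn = NULL` initializer beside it and the `char **ocls = NULL;` change this same patch makes in `entry_is_token`. The lines of `is_allowed` between the two inner hunks (right after `if (slapi_op_internal(pb))`) are not shown, so the return that presumably sits there should be confirmed to come before the `slapi_pblock_get` calls rather than after them.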
@@ -1,4 +1,4 @@ -From 312afefae97cf9cdb9cfe2dd4c2e601b96398f2f Mon Sep 17 00:00:00 2001 +From 13ee263bba8f46a9f1d4c368d72524552c332dad Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5 """) + _(""" To enable the binddn run the following command to set the password: -- -2.39.2 +2.41.0 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index 25153c9..fd08eff 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 647b13eb361f5c47ed48eeb013b5b16c5b721822 Mon Sep 17 00:00:00 2001 +From 0ca1bc7a49208ec65dd97e86cb881977145b8313 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9 -- -2.39.2 +2.41.0 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 7ff17c9..ea33ea8 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From b3a5f7efdb263aaa093fa66ca8322dc3e1d0d691 Mon Sep 17 00:00:00 2001 +From 3755f0fca552596947965a0619a0b4c441c2478b Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.39.2 +2.41.0 
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index 9c51298..b9b2fc9 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From 857aad5b92ae9b489fa7440cb27e8277150ce563 Mon Sep 17 00:00:00 2001 +From 14bef27a42a6ab0ce59f1fdcb3be15d587f75d12 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.39.2 +2.41.0 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 3caf84c..a01c350 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From 3cd6a0d933544b98b6f0ead1c5f7ff1f8e131e80 Mon Sep 17 00:00:00 2001 +From 1982419219ed9bae2931452e3feace026344b82a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b IPA_NOT_CONFIGURED = b'IPA is not configured on this system' IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' -- -2.39.2 +2.41.0 diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 9c4d18e..c0f2b6c 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -103,7 +103,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 5%{?dist}.14 +Release: 5%{?dist}.15 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -111,9 +111,9 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -158,6 +158,7 @@ Patch0037: 0037-Defer-creating-the-final-krb5.conf-on-clients.patch Patch0038: 0038-Move-client-certificate-request-after-krb5.conf-is-c.patch Patch0039: 0039-server-install-remove-error-log-about-missing-bkup-f.patch Patch0040: 0040-ipaserver-deepcopy-objectclasses-list-from-IPA-confi.patch +Patch0041: 0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -414,10 +415,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 - -%if 0%{?centos} == 0 Requires: system-logos >= 70.7.0 -%endif Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -974,9 +972,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management 
@@ -1000,8 +998,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} %make_build @@ -1022,8 +1019,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} popd %endif # with_python3 @@ -1110,11 +1106,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; -%if 0%{?centos} == 0 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png # RHEL spec file only: END: Replace login-screen-logo.png with a symlink -%endif %find_lang %{gettext_domain} @@ -1771,6 +1765,9 @@ fi %changelog +* Thu Aug 03 2023 Florence Blanc-Renaud - 4.6.8-5.el7_9.15 +- Resolves: 2209636 libipa_otp_lasttoken plugin memory leak + * Thu Mar 23 2023 Florence Blanc-Renaud - 4.6.8-5.el7_9.14 - Resolves: 2180919 [rhel-7] Sequence processing failures for group_add using server context - ipaserver: deepcopy objectclasses list from IPA config