diffstat of debian/ for ldb_1.1.24-1 ldb_1.1.24-1ubuntu3.1 .gitignore | 11 ---- changelog | 39 ++++++++++++++ compat | 2 control | 59 ++++++++++++++++++++-- libldb1.postinst | 7 -- patches/CVE-2019-3824-1.patch | 92 +++++++++++++++++++++++++++++++++++ patches/CVE-2019-3824-2.patch | 56 +++++++++++++++++++++ patches/CVE-2019-3824-3.patch | 34 ++++++++++++ patches/CVE-2019-3824-4.patch | 31 +++++++++++ patches/CVE-2019-3824-5.patch | 37 ++++++++++++++ patches/CVE-2019-3824-6.patch | 34 ++++++++++++ patches/pass-waf-flags.diff | 17 ++++++ patches/pyldb-util-name.diff | 21 +++++++ patches/series | 9 +++ patches/skip-ftbfs-tests-s390x.patch | 34 ++++++++++++ python-ldb-dev.install | 3 - python-ldb.install | 2 python3-ldb-dev.install | 4 + python3-ldb.install | 2 python3-ldb.lintian-overrides | 2 python3-ldb.symbols | 4 + rules | 27 +++++----- 22 files changed, 488 insertions(+), 39 deletions(-) diff -Nru ldb-1.1.24/debian/.gitignore ldb-1.1.24/debian/.gitignore --- ldb-1.1.24/debian/.gitignore 2015-12-16 01:35:13.000000000 +0000 +++ ldb-1.1.24/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -python-ldb/ -python-ldb-dev/ -python-ldb-dbg/ -libldb1/ -libldb-dev -libldb1-dbg -ldb-tools/ -tmp/ -*.substvars -*.debhelper -*.debhelper.log diff -Nru ldb-1.1.24/debian/changelog ldb-1.1.24/debian/changelog --- ldb-1.1.24/debian/changelog 2015-12-16 12:40:53.000000000 +0000 +++ ldb-1.1.24/debian/changelog 2019-02-25 13:18:19.000000000 +0000 @@ -1,3 +1,36 @@ +ldb (2:1.1.24-1ubuntu3.1) xenial-security; urgency=medium + + * SECURITY UPDATE: Out of bound read in ldb_wildcard_compare + - debian/patches/CVE-2019-3824-1.patch: fix length. + - debian/patches/CVE-2019-3824-2.patch: add extra comments. + - debian/patches/CVE-2019-3824-3.patch: improve code style. + - debian/patches/CVE-2019-3824-4.patch: use talloc_zero. + - debian/patches/CVE-2019-3824-5.patch: check tree operation. + - debian/patches/CVE-2019-3824-6.patch: fix end of data check. + - CVE-2019-3824 + + -- Marc Deslauriers Mon, 25 Feb 2019 08:18:19 -0500 + +ldb (2:1.1.24-1ubuntu3) xenial; urgency=medium + + * Build Python3 bindings. + * Bump debhelper and standards version. + * Do not generate symbols for the extension module + * Do not encode the SOABI and the multiarch string into the pytalloc-util + library, just append a '-py3'. + * Make the build log a bit more verbose. + * Remove empty maintainer script. + + -- Matthias Klose Thu, 18 Feb 2016 18:17:39 +0100 + +ldb (2:1.1.24-1ubuntu1) xenial; urgency=medium + + * Merge with Debian, remaining changes: + - debian/patches/skip-ftbfs-tests-s390x.patch: Skip FTBFS tests cases + on s390x, reported upstream. + + -- Marc Deslauriers Wed, 06 Jan 2016 07:27:01 -0500 + ldb (2:1.1.24-1) unstable; urgency=high * Drop '-b unstable' flag to Vcs-Git. @@ -7,6 +40,12 @@ -- Jelmer Vernooij Sun, 13 Dec 2015 16:11:45 +0000 +ldb (2:1.1.23-1ubuntu1) xenial; urgency=high + + * Skip FTBFS tests cases on s390x, reported upstream. + + -- Dimitri John Ledkov Fri, 04 Dec 2015 14:08:06 +0000 + ldb (2:1.1.23-1) unstable; urgency=medium * New upstream version. diff -Nru ldb-1.1.24/debian/compat ldb-1.1.24/debian/compat --- ldb-1.1.24/debian/compat 2015-12-16 01:23:26.000000000 +0000 +++ ldb-1.1.24/debian/compat 2016-02-18 17:19:41.000000000 +0000 @@ -1 +1 @@ -8 +9 diff -Nru ldb-1.1.24/debian/control ldb-1.1.24/debian/control --- ldb-1.1.24/debian/control 2015-12-16 01:23:26.000000000 +0000 +++ ldb-1.1.24/debian/control 2016-02-18 19:18:31.000000000 +0000 @@ -1,9 +1,12 @@ Source: ldb Section: devel Priority: optional -Maintainer: Debian Samba Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Samba Maintainers Uploaders: Jelmer Vernooij -Build-Depends: debhelper (>> 8.1.3), +Build-Depends: debhelper (>= 9), + dh-python, + dh-exec, docbook-xml, docbook-xsl, libldap2-dev, @@ -12,11 +15,12 @@ libtdb-dev (>= 1.3.8~), libtevent-dev (>= 0.9.26~), pkg-config, - python (>= 2.6.6-3), - python-all-dbg (>= 2.6.6-3), - python-all-dev (>= 2.6.6-3), + python-dev (>= 2.6.6-3), python-talloc-dev (>= 2.1.5~), python-tdb (>= 1.3.8~), + python3-dev, + python3-talloc-dev, + python3-tdb, xsltproc Homepage: http://ldb.samba.org/ Standards-Version: 3.9.6 @@ -134,3 +138,48 @@ ldb is a LDAP-like embedded database built on top of TDB. . This package contains the Python debug extension. + +Package: python3-ldb +Pre-Depends: ${misc:Pre-Depends} +Section: python +Architecture: any +Depends: libldb1 (= ${binary:Version}), + ${misc:Depends}, + ${python3:Depends}, + ${shlibs:Depends} +Provides: ${python3:Provides} +Breaks: ${python3:Breaks} +Description: Python3 bindings for LDB + ldb is a LDAP-like embedded database built on top of TDB. + . + This package contains the Python3 bindings. + +Package: python3-ldb-dev +Section: libdevel +Architecture: any +Depends: libc6-dev, + libldb-dev, + pkg-config, + python3-ldb (= ${binary:Version}), + ${misc:Depends} +Description: LDB Python3 bindings - development files + ldb is a LDAP-like embedded database built on top of TDB. + . + It is a fast database with an LDAP-like API designed + to be used within an application. In some ways it can be seen as a + intermediate solution between key-value pair databases and a real LDAP + database. + . + This package contains the development files for the Python3 bindings. + +Package: python3-ldb-dbg +Section: debug +Priority: extra +Architecture: any +Depends: python3-ldb (= ${binary:Version}), ${misc:Depends}, ${python3:Depends} +Provides: ${python3:Provides} +Recommends: python3-dbg, python3-talloc-dbg, python3-tdb-dbg +Description: Python3 bindings for LDB - debug extension + ldb is a LDAP-like embedded database built on top of TDB. + . + This package contains the Python3 debug symbols. diff -Nru ldb-1.1.24/debian/libldb1.postinst ldb-1.1.24/debian/libldb1.postinst --- ldb-1.1.24/debian/libldb1.postinst 2015-12-16 01:23:26.000000000 +0000 +++ ldb-1.1.24/debian/libldb1.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -#!/bin/sh - -set -e - -#DEBHELPER# - -exit 0 diff -Nru ldb-1.1.24/debian/patches/CVE-2019-3824-1.patch ldb-1.1.24/debian/patches/CVE-2019-3824-1.patch --- ldb-1.1.24/debian/patches/CVE-2019-3824-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/CVE-2019-3824-1.patch 2019-02-25 13:17:53.000000000 +0000 @@ -0,0 +1,92 @@ +From 27c9e6cfb3492830423bc21a49506452ac98fbe0 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Fri, 18 Jan 2019 16:37:24 +0100 +Subject: [PATCH 1/6] CVE-2019-3824 ldb: Out of bound read in + ldb_wildcard_compare + +There is valgrind error in few tests tests/test-generic.sh + 91 echo "Test wildcard match" + 92 $VALGRIND ldbadd $LDBDIR/tests/test-wildcard.ldif || exit 1 + 93 $VALGRIND ldbsearch '(cn=test*multi)' || exit 1 + 95 $VALGRIND ldbsearch '(cn=*test_multi)' || exit 1 + 97 $VALGRIND ldbsearch '(cn=test*multi*test*multi)' || exit 1 + +e.g. + ==3098== Memcheck, a memory error detector + ==3098== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. + ==3098== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info + ==3098== Command: ./bin/ldbsearch (cn=test*multi) + ==3098== + ==3098== Invalid read of size 1 + ==3098== at 0x483CEE7: memchr (vg_replace_strmem.c:890) + ==3098== by 0x49A9073: memmem (in /usr/lib64/libc-2.28.9000.so) + ==3098== by 0x485DFE9: ldb_wildcard_compare (ldb_match.c:313) + ==3098== by 0x485DFE9: ldb_match_substring (ldb_match.c:360) + ==3098== by 0x485DFE9: ldb_match_message (ldb_match.c:572) + ==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549) + ==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17) + ==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17) + ==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274) + ==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594) + ==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854) + ==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713) + ==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38) + ==3098== by 0x48FCEFD: tevent_common_loop_timer_delay (in /usr/lib64/libtevent.so.0.9.38) + ==3098== by 0x48FE14A: ??? (in /usr/lib64/libtevent.so.0.9.38) + ==3098== Address 0x4b4ab81 is 0 bytes after a block of size 129 alloc'd + ==3098== at 0x483880B: malloc (vg_replace_malloc.c:309) + ==3098== by 0x491048B: talloc_strndup (in /usr/lib64/libtalloc.so.2.1.15) + ==3098== by 0x48593CA: ldb_casefold_default (ldb_utf8.c:59) + ==3098== by 0x485F68D: ldb_handler_fold (attrib_handlers.c:64) + ==3098== by 0x485DB88: ldb_wildcard_compare (ldb_match.c:257) + ==3098== by 0x485DB88: ldb_match_substring (ldb_match.c:360) + ==3098== by 0x485DB88: ldb_match_message (ldb_match.c:572) + ==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549) + ==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17) + ==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17) + ==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274) + ==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594) + ==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854) + ==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713) + ==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38) + ==3098== + # record 1 + dn: cn=test_multi_test_multi_test_multi,o=University of Michigan,c=TEST + cn: test_multi_test_multi_test_multi + description: test multi wildcards matching + objectclass: person + sn: multi_test + name: test_multi_test_multi_test_multi + distinguishedName: cn=test_multi_test_multi_test_multi,o=University of Michiga + n,c=TEST + + # returned 1 records + # 1 entries + # 0 referrals + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 + +Signed-off-by: Lukas Slebodnik +--- + lib/ldb/common/ldb_match.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/common/ldb_match.c b/common/ldb_match.c +index e83ad637dff..71f8b9671d5 100644 +--- a/common/ldb_match.c ++++ b/common/ldb_match.c +@@ -308,9 +308,10 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, + if (p == NULL) goto mismatch; + if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) { + uint8_t *g; ++ uint8_t *end = val.data + val.length; + do { /* greedy */ + g = memmem(p + cnk.length, +- val.length - (p - val.data), ++ end - (p + cnk.length), + (const uint8_t *)cnk.data, + cnk.length); + if (g) p = g; +-- +2.17.1 + diff -Nru ldb-1.1.24/debian/patches/CVE-2019-3824-2.patch ldb-1.1.24/debian/patches/CVE-2019-3824-2.patch --- ldb-1.1.24/debian/patches/CVE-2019-3824-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/CVE-2019-3824-2.patch 2019-02-25 13:17:57.000000000 +0000 @@ -0,0 +1,56 @@ +From 23f386668b4e2b28f69bf6d227cc2210562afae2 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Mon, 4 Feb 2019 11:22:34 +1300 +Subject: [PATCH 2/6] CVE-2019-3824 ldb: Extra comments to clarify no pointer + wrap in wildcard processing + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 + +Signed-off-by: Andrew Bartlett +--- + lib/ldb/common/ldb_match.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/common/ldb_match.c b/common/ldb_match.c +index 71f8b9671d5..b49085286a2 100644 +--- a/common/ldb_match.c ++++ b/common/ldb_match.c +@@ -306,12 +306,33 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, + p = memmem((const void *)val.data,val.length, + (const void *)cnk.data, cnk.length); + if (p == NULL) goto mismatch; ++ ++ /* ++ * At this point we know cnk.length <= val.length as ++ * otherwise there could be no match ++ */ ++ + if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) { + uint8_t *g; + uint8_t *end = val.data + val.length; + do { /* greedy */ +- g = memmem(p + cnk.length, +- end - (p + cnk.length), ++ ++ /* ++ * haystack is a valid pointer in val ++ * because the memmem() can only ++ * succeed if the needle (cnk.length) ++ * is <= haystacklen ++ * ++ * p will be a pointer at least ++ * cnk.length from the end of haystack ++ */ ++ uint8_t *haystack ++ = p + cnk.length; ++ size_t haystacklen ++ = end - (haystack); ++ ++ g = memmem(haystack, ++ haystacklen, + (const uint8_t *)cnk.data, + cnk.length); + if (g) p = g; +-- +2.17.1 + diff -Nru ldb-1.1.24/debian/patches/CVE-2019-3824-3.patch ldb-1.1.24/debian/patches/CVE-2019-3824-3.patch --- ldb-1.1.24/debian/patches/CVE-2019-3824-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/CVE-2019-3824-3.patch 2019-02-25 13:18:02.000000000 +0000 @@ -0,0 +1,34 @@ +From fb005204b4248012f49e31e4c2c452a667f3fc87 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Mon, 4 Feb 2019 11:22:50 +1300 +Subject: [PATCH 3/6] CVE-2019-3824 ldb: Improve code style and layout in + wildcard processing + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 + +Signed-off-by: Andrew Bartlett +--- + lib/ldb/common/ldb_match.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/common/ldb_match.c b/common/ldb_match.c +index b49085286a2..e332ba0da53 100644 +--- a/common/ldb_match.c ++++ b/common/ldb_match.c +@@ -333,9 +333,11 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, + + g = memmem(haystack, + haystacklen, +- (const uint8_t *)cnk.data, +- cnk.length); +- if (g) p = g; ++ (const uint8_t *)cnk.data, ++ cnk.length); ++ if (g) { ++ p = g; ++ } + } while(g); + } + val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length; +-- +2.17.1 diff -Nru ldb-1.1.24/debian/patches/CVE-2019-3824-4.patch ldb-1.1.24/debian/patches/CVE-2019-3824-4.patch --- ldb-1.1.24/debian/patches/CVE-2019-3824-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/CVE-2019-3824-4.patch 2019-02-25 13:18:06.000000000 +0000 @@ -0,0 +1,31 @@ +From 832993c20c96e51faa2e25f2d0581737fb2bfabf Mon Sep 17 00:00:00 2001 +From: Gary Lockyer +Date: Tue, 19 Feb 2019 10:25:24 +1300 +Subject: [PATCH 4/6] CVE-2019-3824 ldb: ldb_parse_tree use talloc_zero + +Initialise the created ldb_parse_tree with talloc_zero, this ensures +that it is correctly initialised if inadvertently passed to a function +expecting a different operation type. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 + +Signed-off-by: Gary Lockyer +--- + lib/ldb/common/ldb_parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/ldb_parse.c b/common/ldb_parse.c +index 5fa5a74afa9..db420091311 100644 +--- a/common/ldb_parse.c ++++ b/common/ldb_parse.c +@@ -389,7 +389,7 @@ static struct ldb_parse_tree *ldb_parse_simple(TALLOC_CTX *mem_ctx, const char * + struct ldb_parse_tree *ret; + enum ldb_parse_op filtertype; + +- ret = talloc(mem_ctx, struct ldb_parse_tree); ++ ret = talloc_zero(mem_ctx, struct ldb_parse_tree); + if (!ret) { + errno = ENOMEM; + return NULL; +-- +2.17.1 diff -Nru ldb-1.1.24/debian/patches/CVE-2019-3824-5.patch ldb-1.1.24/debian/patches/CVE-2019-3824-5.patch --- ldb-1.1.24/debian/patches/CVE-2019-3824-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/CVE-2019-3824-5.patch 2019-02-25 13:18:10.000000000 +0000 @@ -0,0 +1,37 @@ +From 52e26aaf19720ae73a9a2c683b8ddfbfd765ce1c Mon Sep 17 00:00:00 2001 +From: Gary Lockyer +Date: Tue, 19 Feb 2019 10:26:25 +1300 +Subject: [PATCH 5/6] CVE-2019-3824 ldb: wildcard_match check tree operation + +Check the operation type of the passed parse tree, and return +LDB_INAPPROPRIATE_MATCH if the operation is not LDB_OP_SUBSTRING. + +A query of "attribute=*" gets parsed as LDB_OP_PRESENT, checking the +operation and failing ldb_wildcard_match should help prevent confusion +writing tests. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 + +Signed-off-by: Gary Lockyer +--- + lib/ldb/common/ldb_match.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/common/ldb_match.c b/common/ldb_match.c +index e332ba0da53..e529b5e26a5 100644 +--- a/common/ldb_match.c ++++ b/common/ldb_match.c +@@ -244,6 +244,11 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, + uint8_t *save_p = NULL; + unsigned int c = 0; + ++ if (tree->operation != LDB_OP_SUBSTRING) { ++ *matched = false; ++ return LDB_ERR_INAPPROPRIATE_MATCHING; ++ } ++ + a = ldb_schema_attribute_by_name(ldb, tree->u.substring.attr); + if (!a) { + return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; +-- +2.17.1 diff -Nru ldb-1.1.24/debian/patches/CVE-2019-3824-6.patch ldb-1.1.24/debian/patches/CVE-2019-3824-6.patch --- ldb-1.1.24/debian/patches/CVE-2019-3824-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/CVE-2019-3824-6.patch 2019-02-25 13:18:13.000000000 +0000 @@ -0,0 +1,34 @@ +From 146bf02a8ecc81177011dd1075b37883ef0bd5e1 Mon Sep 17 00:00:00 2001 +From: Gary Lockyer +Date: Tue, 19 Feb 2019 10:26:56 +1300 +Subject: [PATCH 6/6] CVE-2019-3824 ldb: wildcard_match end of data check + +ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' +to the data, to make them safe to use the C string functions on. + +However testing for the trailing '\0' is not the correct way to test for +the end of a value, the length should be checked instead. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 + +Signed-off-by: Gary Lockyer +--- + lib/ldb/common/ldb_match.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/ldb_match.c b/common/ldb_match.c +index e529b5e26a5..79894d0c89b 100644 +--- a/common/ldb_match.c ++++ b/common/ldb_match.c +@@ -353,7 +353,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, + } + + /* last chunk may not have reached end of string */ +- if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto mismatch; ++ if ( (! tree->u.substring.end_with_wildcard) && (val.length != 0) ) goto mismatch; + talloc_free(save_p); + *matched = true; + return LDB_SUCCESS; +-- +2.17.1 + diff -Nru ldb-1.1.24/debian/patches/pass-waf-flags.diff ldb-1.1.24/debian/patches/pass-waf-flags.diff --- ldb-1.1.24/debian/patches/pass-waf-flags.diff 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/pass-waf-flags.diff 2016-02-18 17:34:21.000000000 +0000 @@ -0,0 +1,17 @@ +# Allow to pass flags to waf + +--- talloc-2.1.5.orig/Makefile ++++ talloc-2.1.5/Makefile +@@ -3,10 +3,10 @@ + WAF=WAF_MAKE=1 PATH=buildtools/bin:../../buildtools/bin:$$PATH waf + + all: +- $(WAF) build ++ $(WAF) build $(WAFFLAGS) + + install: +- $(WAF) install ++ $(WAF) install $(WAFFLAGS) + + uninstall: + $(WAF) uninstall diff -Nru ldb-1.1.24/debian/patches/pyldb-util-name.diff ldb-1.1.24/debian/patches/pyldb-util-name.diff --- ldb-1.1.24/debian/patches/pyldb-util-name.diff 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/pyldb-util-name.diff 2016-02-18 17:27:48.000000000 +0000 @@ -0,0 +1,21 @@ +# Don't encode the multiarch name into the pyldb-util library name + +Index: b/buildtools/wafsamba/samba_python.py +=================================================================== +--- a/buildtools/wafsamba/samba_python.py ++++ b/buildtools/wafsamba/samba_python.py +@@ -122,7 +122,13 @@ Build.BuildContext.SAMBA_PYTHON = SAMBA_ + + + def pyembed_libname(bld, name, extrapython=False): +- return name + bld.env['PYTHON_SO_ABI_FLAG'] ++ abi_flag = bld.env['PYTHON_SO_ABI_FLAG'] ++ # do we really want the version encoded in the library name? ++ #if bld.env['IS_EXTRA_PYTHON'] and 'DEB_HOST_MULTIARCH' in os.environ: ++ # abi_flag = abi_flag.replace('-%s' % os.environ['DEB_HOST_MULTIARCH'], '') ++ if bld.env['IS_EXTRA_PYTHON']: ++ abi_flag = '-py3' ++ return name + abi_flag + + Build.BuildContext.pyembed_libname = pyembed_libname + diff -Nru ldb-1.1.24/debian/patches/series ldb-1.1.24/debian/patches/series --- ldb-1.1.24/debian/patches/series 2015-12-16 12:40:33.000000000 +0000 +++ ldb-1.1.24/debian/patches/series 2019-02-25 13:18:13.000000000 +0000 @@ -1,2 +1,11 @@ 01_manpage_dates 02_hurd +skip-ftbfs-tests-s390x.patch +pass-waf-flags.diff +pyldb-util-name.diff +CVE-2019-3824-1.patch +CVE-2019-3824-2.patch +CVE-2019-3824-3.patch +CVE-2019-3824-4.patch +CVE-2019-3824-5.patch +CVE-2019-3824-6.patch diff -Nru ldb-1.1.24/debian/patches/skip-ftbfs-tests-s390x.patch ldb-1.1.24/debian/patches/skip-ftbfs-tests-s390x.patch --- ldb-1.1.24/debian/patches/skip-ftbfs-tests-s390x.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/patches/skip-ftbfs-tests-s390x.patch 2016-01-06 12:28:20.000000000 +0000 @@ -0,0 +1,34 @@ +Description: skip two failing tests on s390x. +Author: Dimitri John Ledkov + + import os ++import platform ++from unittest import skipIf + from unittest import TestCase + import sys + +@@ -656,6 +658,7 @@ + self.assertEqual(dn.get_component_name(2), None) + self.assertEqual(dn.get_component_name(-1), None) + ++ @skipIf(platform.machine()=='s390x', "fails on s390x, see http://pad.lv/1521722") + def test_set_component(self): + dn = ldb.Dn(self.ldb, "cn=foo,dc=base") + dn.set_component(0, 'cn', 'bar') +@@ -667,6 +670,7 @@ + dn.set_component(1, 'o', 'a,b+c') + self.assertEqual(str(dn), r"cn=bar,o=a\,b\+c") + ++ @skipIf(platform.machine()=='s390x', "fails on s390x, see http://pad.lv/1521722") + def test_set_component_bytes(self): + dn = ldb.Dn(self.ldb, "cn=foo,dc=base") + dn.set_component(0, 'cn', b'bar') diff -Nru ldb-1.1.24/debian/python-ldb-dev.install ldb-1.1.24/debian/python-ldb-dev.install --- ldb-1.1.24/debian/python-ldb-dev.install 2015-12-16 01:23:26.000000000 +0000 +++ ldb-1.1.24/debian/python-ldb-dev.install 2016-02-18 17:30:49.000000000 +0000 @@ -1,3 +1,4 @@ -usr/include/pyldb.h +#! /usr/bin/dh-exec +usr/include/pyldb.h ${DEB_PY2_INCDIR} usr/lib/*/libpyldb-util.so usr/lib/*/pkgconfig/pyldb-util.pc diff -Nru ldb-1.1.24/debian/python-ldb.install ldb-1.1.24/debian/python-ldb.install --- ldb-1.1.24/debian/python-ldb.install 2015-12-16 01:23:26.000000000 +0000 +++ ldb-1.1.24/debian/python-ldb.install 2016-02-18 17:24:51.000000000 +0000 @@ -1,2 +1,2 @@ usr/lib/*/libpyldb-util.so.* -usr/lib/python* +usr/lib/python2* diff -Nru ldb-1.1.24/debian/python3-ldb-dev.install ldb-1.1.24/debian/python3-ldb-dev.install --- ldb-1.1.24/debian/python3-ldb-dev.install 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/python3-ldb-dev.install 2016-02-18 17:29:45.000000000 +0000 @@ -0,0 +1,4 @@ +#! /usr/bin/dh-exec +usr/include/pyldb.h ${DEB_PY3_INCDIR} +usr/lib/*/libpyldb-util-py3.so +usr/lib/*/pkgconfig/pyldb-util.pc diff -Nru ldb-1.1.24/debian/python3-ldb.install ldb-1.1.24/debian/python3-ldb.install --- ldb-1.1.24/debian/python3-ldb.install 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/python3-ldb.install 2016-02-18 17:29:53.000000000 +0000 @@ -0,0 +1,2 @@ +usr/lib/*/libpyldb-util-py3.so.* +usr/lib/python3* diff -Nru ldb-1.1.24/debian/python3-ldb.lintian-overrides ldb-1.1.24/debian/python3-ldb.lintian-overrides --- ldb-1.1.24/debian/python3-ldb.lintian-overrides 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/python3-ldb.lintian-overrides 2016-02-18 18:12:35.000000000 +0000 @@ -0,0 +1,2 @@ +python3-ldb binary: binary-or-shlib-defines-rpath * /usr/lib/ldb +python3-ldb binary: package-name-doesnt-match-sonames libpyldb-util-py3-1 diff -Nru ldb-1.1.24/debian/python3-ldb.symbols ldb-1.1.24/debian/python3-ldb.symbols --- ldb-1.1.24/debian/python3-ldb.symbols 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.24/debian/python3-ldb.symbols 2016-02-18 18:05:40.000000000 +0000 @@ -0,0 +1,4 @@ +libpyldb-util-py3.so.1 #PACKAGE# #MINVER# + PYLDB_UTIL_PY3_1.1.24@PYLDB_UTIL_PY3_1.1.24 2:1.1.24 + pyldb_Dn_FromDn@PYLDB_UTIL_PY3_1.1.24 2:1.1.24 + pyldb_Object_AsDn@PYLDB_UTIL_PY3_1.1.24 2:1.1.24 diff -Nru ldb-1.1.24/debian/rules ldb-1.1.24/debian/rules --- ldb-1.1.24/debian/rules 2015-12-16 01:23:26.000000000 +0000 +++ ldb-1.1.24/debian/rules 2016-02-18 18:07:58.000000000 +0000 @@ -6,34 +6,29 @@ LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) CFLAGS += -Wall - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) -CFLAGS += -O0 -else -CFLAGS += -O2 -endif - LDFLAGS += -Wl,--as-needed DESTDIR=$(CURDIR)/debian/tmp export PYTHON=$(shell which `pyversions -d`) -export PYTHON_CONFIG="$(PYTHON)-config" export WAF=$(PYTHON) ./buildtools/bin/waf DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) %: - dh $* --with python2 + dh $* --with python2,python3 override_dh_auto_configure: - PYTHON="$(PYTHON)" PYTHON_CONFIG="$(PYTHON_CONFIG)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" CPPFLAGS="$(CPPFLAGS)" \ + PYTHON="$(PYTHON)" \ + CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" CPPFLAGS="$(CPPFLAGS)" \ $(WAF) configure --prefix=/usr --disable-rpath-install \ --builtin-libraries=ccan,replace,tdb_compat \ --bundled-libraries=NONE,pytevent \ --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \ --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ - --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/ldb/modules + --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/ldb/modules \ + --extra-python=python3 \ + -v get-packaged-orig-source: ./debian/build-orig.sh @@ -50,7 +45,7 @@ third_party/waf/wafadmin/Tools/*.pyc override_dh_auto_build: - $(WAF) build + $(WAF) build -vv override_dh_auto_test: ifeq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS))) @@ -60,6 +55,11 @@ override_dh_python2: dh_python2 --no-guessing-versions +override_dh_install: + DEB_PY2_INCDIR=$(shell python-config --includes | sed 's,^-I\([^ ]*\).*,\1,') \ + DEB_PY3_INCDIR=$(shell python3-config --includes | sed 's,^-I\([^ ]*\).*,\1,') \ + dh_install --list-missing + override_dh_auto_install: DESTDIR=$(DESTDIR) $(WAF) install rm $(DESTDIR)/usr/lib/python*/dist-packages/_tevent.so @@ -70,8 +70,9 @@ override_dh_strip: dh_strip -pldb-tools dh_strip -ppython-ldb --dbg-package=python-ldb-dbg + dh_strip -ppython3-ldb --dbg-package=python3-ldb-dbg dh_strip -plibldb1 --dbg-package=libldb1-dbg override_dh_makeshlibs: - dh_makeshlibs -Xldb.so -ppython-ldb -- -c4 + dh_makeshlibs -Xldb. -X_tevent. -ppython-ldb -ppython3-ldb -- -c3 dh_makeshlibs -X/usr/lib/$(DEB_HOST_MULTIARCH)/ldb -plibldb1 -- -c4