Upon reviewing this bug, I've found that in stretch and later, GnuTLS actually uses getrandom() instead of opening /dev/urandom. This was introduced in GnuTLS 3.5.3 and requires Linux 3.18 and Glibc 2.25. The fd-clobber program that I attached to an earlier comment [1] demonstrates the issue in jessie, but works without issue in stretch and buster.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=803197;filename=fd-clobber.c;msg=25

You can observe this by running any LDAP client with GNUTLS_DEBUG_LEVEL=2:

gnutls[2]: getrandom random generator was detected

Based on that, I believe that the issue originally reported was actually resolved by that change, and the fd closing could probably be reinstated for systems where getrandom() is available. I will try to patch that back into SOGo and see what happens on a current system.

As for the cupsd issue you reported: I haven't been able to reproduce the segfault in cupsd, but I have attached a test program that I think demonstrates the issue as you described it. However, it crashes consistently in stretch but not in buster. :) Not sure whether that is a functional change or just luck of memory layout.

I need to do some more testing, but I think I will be OK with removing the gnutls_global_set_mutex() calls in the next upload. But even so, please do migrate to nss-pam-ldapd! Your point about libldap messing with global state is valid, but in the specific case of PAM modules we already have a solution, as Howard did point out to you.
