Package: slapd
Version: 2.4.31-1+nmu2
Severity: critical
Justification: breaks the whole system

Additional Justification details:
- Breaks whole system: slapd is used to provide accounts -> no user accounts available -> system unusable.
- Data loss: database is physically on disk, but inaccessible due to upgraded software, slapd, slapcat, slapadd cannot use it.

The get_directory method used in several maint scripts contains a bug that causes it to return multiple lines of output if a commented olcDbDirectory line also exists in the configuration file.

The callers of get_directory use filesystem existence checks on the output of get_directory to determine whether to actually back up the database, and silently continue without backing up when multiple lines of output are returned.

Exact failure mode:
1) Begin upgrade
2) 2.4.23-7.3 prerm script doesn't perform any backups (as expected)
3) 2.4.31-1+nmu2 preinst attempts to back up, but silently skips backups due to above bug
4) 2.4.31-1+nmu2 is unpacked (database now inaccessible due to format mismatch)
5) 2.4.31-1+nmu2 postinst attempts to move old db directory (skips move silently due to same bug as above)
6) 2.4.31-1+nmu2 postinst attempts to import ldif backup (fails as no ldif backup exists)
7) dpkg exits with error, slapd is unusable and not easily recoverable, system unusable.

Output from steps 3 and 4:

    Preparing to replace slapd 2.4.23-7.3 (using .../slapd_2.4.31-1+nmu2_i386.deb) ...
    Stopping OpenLDAP: slapd.
    Dumping to /var/backups/slapd-2.4.23-7.3:
    Unpacking replacement slapd ...

Note the expected output from line 178 of the preinst is not printed after the "Dumping... " line. This is because the check on line 176 of the preinst script returns false when presented with multi-line input in the $dbdir variable.

Output from steps 5, 6 and 7:

    Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.23-7.3... done.
    Moving old database directories to /var/backups:
    Loading from /var/backups/slapd-2.4.23-7.3:
    - directory dc=katalinabrown,dc=co,dc=nz... failed.

    Loading the database from the LDIF dump failed with the following error while running slapadd:
    /var/backups/slapd-2.4.23-7.3/dc=katalinabrown,dc=co,dc=nz.ldif: No such file or directory
    dpkg: error processing slapd (--configure):
     subprocess installed post-installation script returned error exit status 1
    Errors were encountered while processing:
     slapd
    E: Sub-process /usr/bin/dpkg returned an error code (1)

Again, the expected per suffix line is missing after the "Moving..." line, due to the check on line 384 of postinst returning false when presented with multi-line input in the $databasedir variable.

I believe the bug is found on line 293 of preinst and postinst:

    grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g'

The first grep is not anchored, so if a file contains content like:

    olcDbDirectory: "/var/lib/ldap"
    #olcDbDirectory: "/var/lib/ldap"

both paths are returned, and the subsequent checks of the return value cause the failures described above.

The following patch (anchoring the match to start of line) would be a minimal fix for this critical issue, but a more proper fix would be for the preinst to bail out if it is unable to actually back up a database that it knows to exist from the config!

--- slapd.preinst.orig 2013-09-21 16:59:18.000000000 +0100 +++ slapd.preinst 2013-09-21 16:58:25.000000000 +0100
@@ -290,7 +290,7 @@ get_directory() { # {{{ # Returns the db directory for a given suffix if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then - grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g' + grep "^olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g' elif [ -f "${SLAPD_CONF}" ]; then # Extract the directory for the given suffix ($1) for f in `get_all_slapd_conf_files`; do

The same fix would need to be made in postinst, and wherever else this command is used.

Luckily, I'm testing this upgrade on my dev system... :)

-- System Information:
Debian Release: 6.0.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser               3.113+nmu3             add and remove users and groups
ii  coreutils             8.13-3.5               GNU core utilities
ii  debconf [debconf-2    1.5.49                 Debian configuration management sy
ii  libc6                 2.13-38                Embedded GNU C Library: Shared lib
ii  libdb5.1              5.1.29-5               Berkeley v5.1 Database Libraries [
ii  libgcrypt11           1.5.0-5+deb7u1         LGPL Crypto library - runtime libr
ii  libgnutls26           2.12.20-7              GNU TLS library - runtime library
ii  libldap-2.4-2         2.4.31-1+nmu2          OpenLDAP libraries
ii  libltdl7              2.4.2-1.1              A system independent dlopen wrappe
ii  libodbc1              2.2.14p2-5             ODBC library for Unix
ii  libperl5.14           5.14.2-21              shared Perl library
ii  libsasl2-2            2.1.25.dfsg1-6+deb7u1  Cyrus SASL - authentication abstra
ii  libslp1               1.2.1-9                OpenSLP libraries
ii  libwrap0              7.6.q-24               Wietse Venema's TCP wrappers libra
ii  lsb-base              4.1+Debian8+deb7u1     Linux Standard Base 4.1 init scrip
ii  multiarch-support     2.13-38                Transitional package to ensure mul
ii  perl [libmime-base    5.14.2-21              Larry Wall's Practical Extraction
ii  psmisc                22.19-1+deb7u1         utilities that use the proc file s
ii  unixodbc              2.2.14p2-5             Basic ODBC tools

Versions of packages slapd recommends:
ii  libsasl2-modules      2.1.25.dfsg1-6+deb7u1  Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils            2.4.31-1+nmu2          OpenLDAP utilities

-- debconf information:
  slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/allow_ldap_v2: false
  slapd/password_mismatch:
  slapd/invalid_config: true
  shared/organization: home.mattb.net.nz
* slapd/upgrade_slapcat_failure:
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/purge_database: false
  slapd/domain: home.mattb.net.nz
  slapd/backend: HDB
  slapd/dump_database: when needed
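
Review bot: On the changed grep "^olcDbDirectory:" line, the inner grep -l "olcSuffix: $1" is still unanchored and its backtick result is unquoted, so get_directory can still return something other than one directory. $1 is used as a regular expression with no ^ or $, so a suffix that is a prefix of another database's suffix selects more than one olcDatabase*.ldif file; with several file arguments grep prefixes each hit with the file name, and cut -d: -f 2 then yields the string olcDbDirectory instead of the path. Suggest matching the suffix as a whole fixed line (grep -l -x -F "olcSuffix: $1"), passing -h to the outer grep, and returning non-zero unless exactly one line comes back, so the callers' directory test cannot quietly skip the backup.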
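
The failure mode described in this report, next to the stricter "bail out" behaviour the reporter asks for, as an added example (not code from the slapd maintainer scripts, apart from the quoted pipeline). The names make_sample_conf, get_directory_checked and backup_or_abort are hypothetical, and the sample configuration is constructed with unquoted paths in a scratch directory.

```shell
#!/bin/sh
# Constructed sample: one cn=config database file holding an active and a
# commented-out olcDbDirectory line (paths are made up for the demo).
make_sample_conf() {            # $1 = scratch config dir (hypothetical helper)
    mkdir -p "$1/cn=config" "$1/db"
    cat > "$1/cn=config/olcDatabase={1}hdb.ldif" <<EOF
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=org
olcDbDirectory: $1/db
#olcDbDirectory: $1/db
EOF
}

# The pipeline as quoted in the report: the first grep is not anchored.
get_directory_unanchored() {    # $1 = config dir, $2 = suffix
    grep "olcDbDirectory:" `grep -l "olcSuffix: $2" "$1"/cn\=config/olcDatabase*.ldif` \
        | cut -d: -f 2 | sed 's/^ *//g'
}

# Hardened sketch: whole-line suffix match, anchored attribute match, and a
# non-zero exit unless the result is exactly one existing directory.
get_directory_checked() {       # $1 = config dir, $2 = suffix
    nl='
'
    files=$(grep -l -x -F "olcSuffix: $2" "$1"/cn\=config/olcDatabase*.ldif) || return 1
    case "$files" in *"$nl"*) return 1 ;; esac     # suffix matched several files
    dir=$(sed -n 's/^olcDbDirectory: *//p' "$files")
    case "$dir" in ''|*"$nl"*) return 1 ;; esac    # none, or more than one line
    [ -d "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Caller pattern: fail the upgrade loudly instead of skipping the dump.
backup_or_abort() {             # $1 = config dir, $2 = suffix
    if dbdir=$(get_directory_checked "$1" "$2"); then
        echo "would dump $2 from $dbdir"
    else
        echo "cannot locate database for $2, refusing to continue" >&2
        return 1
    fi
}
```

With the sample file, get_directory_unanchored prints the same path twice, which is why a [ -d "$dbdir" ] test on its output is false and the dump is skipped without any message.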