Package: release.debian.org
Severity: normal
Tags: security
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package lemonldap-ng

Hi all,

a medium security issue has been reported on the upstream repo [1]. I imported the fix as a patch in 2.0.2+ds-6. This unblock would also import the 2.0.2+ds-5 changes: autopkgtest improvements.

The full changes are:

- installed files:
  * 6 lines added to restore the username regexp check
- upstream test files:
  * add a test corresponding to this change
- debian tests:
  * replace libauthen-u2f-perl by libauthen-u2f-tester-perl in build dependencies (this was an error which caused some upstream tests to be ignored)
  * split autopkgtests to launch upstream component tests on a minimal install (for example portal tests are launched with only the liblemonldap-ng-portal-perl dependency instead of the lemonldap-ng meta package)

I think it is low risk to unblock lemonldap-ng since:

- lemonldap-ng has no reverse dependencies.
- changes on installed files are minimal
- build/autopkgtest tests are improved (and successfully passed with 2.0.2+ds-5: [2])

Cheers,
Xavier

[1]: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667
[2]: https://ci.debian.net/packages/l/lemonldap-ng/ and https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/lemonldap-ng.html

unblock lemonldap-ng/2.0.2+ds-6

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index 252619fbb..c4c63a10f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +lemonldap-ng (2.0.2+ds-6) unstable; urgency=medium + + * Add patch to fix missing userControl calls (little security fix) + + -- Xavier Guimard <y...@debian.org> Thu, 28 Mar 2019 10:41:14 +0100 + +lemonldap-ng (2.0.2+ds-5) unstable; urgency=medium + + * Fix bad build dependency: Authen::2F::Tester instead of Authen::2F + * Split autopkgtests to test each library separately + + -- Xavier Guimard <y...@debian.org> Sat, 02 Mar 2019 13:47:29 +0100 + lemonldap-ng (2.0.2+ds-4) unstable; urgency=medium * Ignore debci GPG errors (Closes: 922265) diff --git a/debian/control b/debian/control index e68a79775..be46d2783 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 11~), Build-Depends-Indep: gpg, libapache-session-perl, libauthen-oath-perl, - libauthen-u2f-perl, + libauthen-u2f-tester-perl, libcache-cache-perl, libclone-perl, libconfig-inifiles-perl, diff --git a/debian/patches/fix-missing-userControl.diff b/debian/patches/fix-missing-userControl.diff new file mode 100644 index 000000000..f2952e92e --- /dev/null +++ b/debian/patches/fix-missing-userControl.diff 
@@ -0,0 +1,56 @@ +Description: Fix missing userControl calls +Author: Xavier Guimard <y...@debian.org> +Origin: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a79e4fffb40751a9cd0f7433b317a5bf9 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667 +Forwarded: //gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a79e4fffb40751a9cd0f7433b317a5bf9 +Last-Update: 2019-03-28 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm +@@ -16,6 +16,7 @@ + PE_OK + PE_PASSWORDFORMEMPTY + PE_TOKENEXPIRED ++ PE_MALFORMEDUSER + ); + + our $VERSION = '2.0.0'; +@@ -53,6 +54,13 @@ + sub extractFormInfo { + my ( $self, $req ) = @_; + ++ if ( $req->param('user') ) { ++ unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) { ++ $self->setSecurity($req); ++ return PE_MALFORMEDUSER; ++ } ++ } ++ + # Detect first access and empty forms + my $defUser = defined $req->param('user'); + my $defPassword = defined $req->param('password'); +--- a/lemonldap-ng-portal/t/02-Password-Demo.t ++++ b/lemonldap-ng-portal/t/02-Password-Demo.t +@@ -53,6 +53,22 @@ + ok( + $res = $client->_post( + '/', ++ IO::String->new('user=dwho*&password=dwho'), ++ accept => 'text/html', ++ length => 24 ++ ), ++ 'Auth query' ++); ++ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ++ ' PE40 found' ) ++ or print STDERR Dumper( $res->[2]->[0] ); ++count(2); ++ ++# Try yo authenticate ++# ------------------- ++ok( ++ $res = $client->_post( ++ '/', + IO::String->new('user=dwho&password=dwho'), + length => 23 + ), diff --git a/debian/patches/series b/debian/patches/series index 938933442..0d400d144 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ javascript-path.patch Avoid-developer-tests.patch ignore-gpg-errors.diff +fix-missing-userControl.diff diff --git a/debian/tests/control b/debian/tests/control index 768cc02a4..eeb2fc1ee 100644 --- a/debian/tests/control 
+++ b/debian/tests/control 
@@ -1,14 +1,38 @@ # debian/tests/runner launch pkg-perl-autopkgtest tests for each library -Test-Command: ./debian/tests/runner build-deps -Depends: @, @builddeps@, pkg-perl-autopkgtest, libmouse-perl +Test-Command: ./debian/tests/runner build-deps lemonldap-ng-common +Depends: liblemonldap-ng-common-perl, @builddeps@, pkg-perl-autopkgtest -Test-Command: ./debian/tests/runner runtime-deps -Depends: @, pkg-perl-autopkgtest, libmouse-perl +Test-Command: ./debian/tests/runner build-deps lemonldap-ng-handler +Depends: liblemonldap-ng-handler-perl, @builddeps@, pkg-perl-autopkgtest + +Test-Command: ./debian/tests/runner build-deps lemonldap-ng-portal +Depends: liblemonldap-ng-portal-perl, @builddeps@, pkg-perl-autopkgtest + +Test-Command: ./debian/tests/runner build-deps lemonldap-ng-manager +Depends: liblemonldap-ng-manager-perl, @builddeps@, pkg-perl-autopkgtest + +Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-common +Depends: liblemonldap-ng-common-perl, pkg-perl-autopkgtest, libmouse-perl +Restrictions: superficial, skippable + +# Disable this one: skipped +#Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-handler +#Depends: liblemonldap-ng-handler-perl, pkg-perl-autopkgtest, libmouse-perl +#Restrictions: superficial, skippable + +Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-portal +Depends: liblemonldap-ng-portal-perl, pkg-perl-autopkgtest, libmouse-perl +Restrictions: superficial, skippable + +Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-manager +Depends: liblemonldap-ng-manager-perl, pkg-perl-autopkgtest, libmouse-perl +Restrictions: superficial, skippable # Use pkg-perl-autopkgtest test for runtime-deps-and-recommends # Some portal suggested dependencies are added here Test-Command: /usr/share/pkg-perl-autopkgtest/runner runtime-deps-and-recommends Depends: @, @builddeps@, pkg-perl-autopkgtest, libyaml-perl, liblog-log4perl-perl, libauthen-pam-perl, libauthen-radius-perl, libweb-id-perl 
+Restrictions: superficial #Test-Command: ./debian/tests/runner heavy-deps #Depends: @, pkg-perl-autopkgtest, pkg-perl-autopkgtest-heavy, libmouse-perl diff --git a/debian/tests/runner b/debian/tests/runner index 553b39e28..e61c8f46d 100755 --- a/debian/tests/runner +++ b/debian/tests/runner @@ -10,8 +10,12 @@ TESTDIR=${BASE}/${TYPE}.d LLSOURCEDIR=`pwd` +LIST=$2 + +test "$LIST" == "" 2>/dev/null && LIST=lemonldap-ng-* + EXITCODE=0 -for LLLIB in lemonldap-ng-*; do +for LLLIB in $LIST; do mkdir -p $LLSOURCEDIR/$LLLIB/debian/tests/pkg-perl for llfile in debian/tests/pkg-perl/${LLLIB}*; do if [ -r $llfile ]; then
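Review bot: the 2.0.2+ds-5 changelog entry (debian/changelog hunk) names the modules as "Authen::2F::Tester instead of Authen::2F", but the debian/control hunk swaps libauthen-u2f-perl for libauthen-u2f-tester-perl, so the entry should read "Authen::U2F::Tester instead of Authen::U2F" to match the packages actually changed.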
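Review bot: the DEP-3 header of fix-missing-userControl.diff has a Forwarded: field without a scheme (`+Forwarded: //gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a...`) while Origin: on the line above carries the full https:// URL; either make Forwarded: the full URL or, since this is a backport of an upstream commit, drop it in favour of the Origin: field alone.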
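Review bot: in the extractFormInfo hunk of _WebForm.pm the restored check `unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o )` uses the /o modifier, which compiles the interpolated pattern only once per interpreter; in a long-lived mod_perl or FastCGI process a later configuration reload that changes userControl would therefore keep validating against the old regexp until restart, so either drop /o or precompile the pattern with qr// when the configuration is loaded. The enclosing guard `if ( $req->param('user') )` is a truthiness test, so a submitted user value of "0" skips the regexp entirely and falls through to the existing empty-form detection; `defined $req->param('user')`, as already used two lines below for $defUser, would be the consistent and safer test.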
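Review bot: the new assertion in 02-Password-Demo.t hardcodes the error code (`ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )`); since the same patch imports PE_MALFORMEDUSER in _WebForm.pm, interpolating the portal constant into the match keeps the test honest if codes are ever renumbered. The copied comment "# Try yo authenticate" has a typo ("to"), and `length => 24` must equal the byte length of the new body `user=dwho*&password=dwho` (it does), which is easy to break on the next edit; computing it with length() would be more robust.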
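Review bot: the debian/tests/control hunk disables the lemonldap-ng-handler runtime-deps test with only "# Disable this one: skipped" as rationale; a line saying why it is skipped and under what condition it should return would help the next maintainer. The four new build-deps entries also drop libmouse-perl, which the removed `Depends: @, @builddeps@, pkg-perl-autopkgtest, libmouse-perl` line had, while the runtime-deps entries keep it; confirm the build-deps runs do not need it, or restore it for consistency.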
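Review bot: in the debian/tests/runner hunk, `test "$LIST" == "" 2>/dev/null && LIST=lemonldap-ng-*` relies on the bash-only `==` operator of test; under a POSIX sh such as dash (which is /bin/sh on the reporter's system), test exits 2 with the error message hidden by the redirect, LIST stays empty, and `for LLLIB in $LIST; do` iterates over nothing, so the no-argument invocation would silently run zero tests. The runner's shebang is not visible in the diff; if it is bash this is only a portability nit, but `[ -z "$LIST" ] && LIST='lemonldap-ng-*'` is correct in both shells (the glob still expands in the unquoted for list) and the 2>/dev/null that masks the failure should go.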