Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package gosa + * debian/patches: + + Add 1043_smarty-add-on-function-param-types.patch. Fix missing + password field, caused by PHP error "parameter 2 expected to be a + reference, value given". This happened due to mismatching parameter + types whenever the smarty3 template rendering engine called gosa's + (slightly not-compliant anymore) smartyAddon functions. (Closes: + #918578). The patch also brings some smartyAddon hygiene for + the {render} block and the not-used-anymore {tr} block. -> RC bug, a missing password field on the login page makes gosa unusable. + + Add 1044_crypto-transition-without-mcrypt.patch. Make + gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt, + and thus make it work with Debian buster's php7.3. (Closes: #925138). -> RC bug, now gosa can be upgraded from stretch -> buster and crypto-transition can happen in buster. See also: #927306. + + Update 1026_fix-deprecated-constructor-format.patch. Drop an + unwanted find+replace artefact in class_userFilter. Regression fix of an earlier applied patch. + + Add 1045_dont_use_filter_caching.patch. Disable filter caching via + $_SESSION. The filter caching mechanism stores PHP object in ; since + php7.0 this has lead to all sorts of unexpected results and flawed + rendering of class_management based listings. (Closes: #907815). -> important bug (in fact possibly a security issue). + * debian/control: + + Bump Standards-Version: to 4.3.0. No changes needed. 
-> some additional formalism unblock gosa/2.7.4+reloaded3-8 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru gosa-2.7.4+reloaded3/debian/changelog gosa-2.7.4+reloaded3/debian/changelog
--- gosa-2.7.4+reloaded3/debian/changelog 2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/changelog 2019-04-19 15:24:14.000000000 +0200
@@ -1,3 +1,27 @@
+gosa (2.7.4+reloaded3-8) unstable; urgency=medium
+
+ * debian/patches:
+ + Add 1043_smarty-add-on-function-param-types.patch. Fix missing
+ password field, caused by PHP error "parameter 2 expected to be a
+ reference, value given". This happened due to mismatching parameter
+ types whenever the smarty3 template rendering engine called gosa's
+ (slightly not-compliant anymore) smartyAddon functions. (Closes:
+ #918578). The patch also brings some smartyAddon hygiene for
+ the {render} block and the not-used-anymore {tr} block.
+ + Add 1044_crypto-transition-without-mcrypt.patch. Make
+ gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt,
+ and thus make it work with Debian buster's php7.3. (Closes: #925138).
+ + Update 1026_fix-deprecated-constructor-format.patch. Drop an
+ unwanted find+replace artefact in class_userFilter.
+ + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
+ $_SESSION. The filter caching mechanism stores PHP object in ; since
+ php7.0 this has lead to all sorts of unexpected results and flawed
+ rendering of class_management based listings. (Closes: #907815).
+ * debian/control:
+ + Bump Standards-Version: to 4.3.0. No changes needed.
+
+ -- Mike Gabriel <sunwea...@debian.org> Fri, 19 Apr 2019 15:24:14 +0200
+
 gosa (2.7.4+reloaded3-7) unstable; urgency=medium

 [ Mike Gabriel ]
diff -Nru gosa-2.7.4+reloaded3/debian/control gosa-2.7.4+reloaded3/debian/control
--- gosa-2.7.4+reloaded3/debian/control 2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/control 2019-04-19 15:24:14.000000000 +0200
@@ -9,7 +9,7 @@
 debhelper (>= 11~),
 Build-Depends-Indep:
 po-debconf,
-Standards-Version: 4.2.0
+Standards-Version: 4.3.0
 Homepage: https://oss.gonicus.de/labs/gosa/
 Vcs-Git: https://salsa.debian.org/debian-edu-pkg-team/gosa.git
 Vcs-Browser: https://salsa.debian.org/debian-edu-pkg-team/gosa
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch
--- gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch 2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch 2019-04-19 15:22:28.000000000 +0200
@@ -699,23 +699,6 @@
 $this->dn= $dn;
 --- a/gosa-core/include/class_userFilter.inc
 +++ b/gosa-core/include/class_userFilter.inc
-@@ -16,13 +16,13 @@
- */
- static function userFilteringAvailable()
- {
-- if(!session::is_set('userFilter::userFilteringAvailable')){
-+ if(!session::is_set('userFilter::__constructingAvailable')){
- global $config;
- $ldap = $config->get_ldap_link();
- $ocs = $ldap->get_objectclasses();
-- session::set('userFilter::userFilteringAvailable', isset($ocs['gosaProperties']));
-+ session::set('userFilter::__constructingAvailable', isset($ocs['gosaProperties']));
- }
-- return(session::get('userFilter::userFilteringAvailable'));
-+ return(session::get('userFilter::__constructingAvailable'));
- }
-
-
 @@ -32,7 +32,7 @@
 {
 // Initialize this plugin with the users dn to gather user defined filters.
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch
--- gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch 2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,91 @@
+Description: Use correct smarty3 API.
+Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
+Forwarded: https://github.com/gosa-project/gosa-core/pull/25
+Abstract.
+ For the {render} add-on block, drop the &$smarty reference parameter
+ entirely.
+ .
+ Drop the complete {tr} add-on block. Not registered as a plugin, not
+ used.
+ .
+ For the add-on image and add-on factory functions, switch from
+ reference &$smarty to value $smarty.
+
+--- a/gosa-core/include/smartyAddons/block.render.php
++++ b/gosa-core/include/smartyAddons/block.render.php
+@@ -1,6 +1,6 @@
+ <?php
+
+-function smarty_block_render($params, $text, &$smarty)
++function smarty_block_render($params, $text)
+ {
+ /* Skip closing tag </render> */
+ if(empty($text)) {
+--- a/gosa-core/include/smartyAddons/block.tr.php
++++ /dev/null
+@@ -1,25 +0,0 @@
+-<?php
+-function smarty_block_tr($params, $text, &$smarty)
+-{
+- $plugin = "";
+- if(!isset($params['domain'])){
+- if(strlen($text) != 0){
+- $trace = debug_backtrace();
+- $base = preg_replace("/\/html/","",getcwd());
+- foreach($trace as $t_entry){
+- if(preg_match("/^".preg_quote($base,'/')."\/plugins\//", $t_entry['file'])){
+- $plugin = preg_replace("/^".preg_quote($base,'/')."\/plugins\/([^\/]*).*$/", "\\1", $t_entry['file']);
+- break;
+- }
+- }
+- }
+- }
+-
+-
+- if($plugin != ""){
+- return(dgettext($plugin, $text));
+- }
+- return(gettext($text));
+-}
+-
+-?>
+--- a/gosa-core/include/smartyAddons/function.factory.php
++++ b/gosa-core/include/smartyAddons/function.factory.php
+@@ -1,6 +1,6 @@
+ <?php
+
+-function smarty_function_factory($params, &$smarty)
++function smarty_function_factory($params, $smarty)
+ {
+
+ // Capture params
+--- a/gosa-core/include/smartyAddons/function.image.php
++++ b/gosa-core/include/smartyAddons/function.image.php
+@@ -1,6 +1,6 @@
+ <?php
+
+-function smarty_function_image($params, &$smarty)
++function smarty_function_image($params, $smarty)
+ {
+ $path = (isset($params['path']))?
$params['path'] :"";
+ $action = (isset($params['action']))? $params['action'] :"";
+--- a/gosa-core/include/smartyAddons/function.msgPool.php
++++ b/gosa-core/include/smartyAddons/function.msgPool.php
+@@ -1,6 +1,6 @@
+ <?php
+
+-function smarty_function_msgPool($params, &$smarty)
++function smarty_function_msgPool($params, $smarty)
+ {
+ if(class_available("msgPool") && isset($params['type'])){
+ $parameter = array();
+--- a/gosa-core/include/php_setup.inc
++++ b/gosa-core/include/php_setup.inc
+@@ -317,7 +317,6 @@
+ if(preg_match("/\.php$/", $file)) require_once("$BASE_DIR/include/smartyAddons/{$file}");
+ }
+
+-#$smarty->registerPlugin("block", "tr", "smarty_block_tr");
+ $smarty->registerPlugin("block", "t", "smarty_block_t");
+ $smarty->registerPlugin("block", "render", "smarty_block_render");
+ $smarty->registerPlugin("function", "msgPool", "smarty_function_msgPool");
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch
--- gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch 2019-04-19 15:22:28.000000000 +0200
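Review bot: The header of patch 1043 reads `Abstract.` with a full stop where a field separator is expected, while patch 1045 in the same upload writes `Abstract:`. As written, the indented paragraphs that follow attach to no field, so tools that parse patch headers may drop the explanation; this assumes the full stop is the author's and not a rendering artefact of the mail. I would change the line to `Abstract:` for consistency, or move the text directly under `Description:` as its long form.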
@@ -0,0 +1,17 @@
+Description: No need to let this script depend on php-mcrypt
+Author: Dominik George <naturesha...@debian.org>
+Forwarded: https://github.com/gosa-project/gosa-core/pull/27
+
+--- a/gosa-core/bin/gosa-mcrypt-to-openssl-passwords
++++ b/gosa-core/bin/gosa-mcrypt-to-openssl-passwords
+@@ -25,9 +25,7 @@
+ }
+
+ function cred_decrypt($input, $password) {
+- $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
+- $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
+- return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv ), "\0\3\4\n");
++ return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING ), "\0\3\4\n");
+ }
+
+
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch
--- gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch 2019-04-19 15:22:28.000000000 +0200
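Review bot: In `cred_decrypt` the `@` in front of `openssl_decrypt` hides a failed decryption, and because `rtrim(false, ...)` yields an empty string the caller cannot tell a failure from an empty password. Dropping the unused `$iv` is correct for `aes-256-ecb`, which takes no IV, but the result should be checked before trimming: `$plain = openssl_decrypt(...);` followed by `if ($plain === false) { return false; }`. With `OPENSSL_ZERO_PADDING` and no integrity check, a wrong key can also come back as garbage rather than `false`, so the migration should sanity-check the plaintext before re-encrypting it. What the script does with the return value lies outside this hunk.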
@@ -0,0 +1,27 @@
+Description: Disable flawed filter caching (which works via storing unserialized objects in $_SESSION)
+Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
+Forwarded: https://github.com/gosa-project/gosa-core/issues/28
+Abstract:
+ All required information is in the above upstream bug report.
+ .
+ This patch has work-around status. It is no proper solution.
+
+--- a/gosa-core/include/class_management.inc
++++ b/gosa-core/include/class_management.inc
+@@ -131,7 +131,15 @@
+ $this->registerAction("cancelFilter","cancelFilter");
+
+ // To temporay disable the filter caching UNcomment this line.
+- #session::global_un_set(get_class($this)."_filter");
++
++ /*
++ * As a work-around for flawed object storage in the PHP $_SESSION array
++ * the filter caching has been deactivated since gosa 2.7.4+reloaded3-8.
++ *
++ * See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907815#31 for
++ * details.
++ */
++ session::global_un_set(get_class($this)."_filter");
+ }
+
+
diff -Nru gosa-2.7.4+reloaded3/debian/patches/series gosa-2.7.4+reloaded3/debian/patches/series
--- gosa-2.7.4+reloaded3/debian/patches/series 2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/series 2019-04-19 15:22:28.000000000 +0200
@@ -60,3 +60,6 @@
 1041_ref_param_error_in_My_Parser.patch
 1042_add_option_to_disable_autocomplete.patch
 0014_latest-gosa-conf.patch
+1043_smarty-add-on-function-param-types.patch
+1044_crypto-transition-without-mcrypt.patch
+1045_dont_use_filter_caching.patch
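Review bot: The context comment `// To temporay disable the filter caching UNcomment this line.` is left above a call that is now always active, so it contradicts the new block comment and invites a later maintainer to comment the line out again. I would drop it or reword it to `// Filter caching is disabled on purpose; keep this call active (see below).` The changelog calls the underlying problem possibly security-relevant, yet the work-around clears the cached filter only at this one point. Whether other code paths still write or read the `_filter` session entry during a request cannot be seen here, because the enclosing method starts outside the hunk.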