Package: libpam-ldap
Version: 180-1.1
Severity: important
Tags: patch
The package fails to configure due to missing input sanitization in the
postinst-script. The error occurs if you enter a Base DN containing a hyphen
during debconf. A similar bug has already been reported for the package
libnss-ldap and has been fixed via an NMU (bug#377895).
A patch which inserts libnss-ldap's input sanitization code into libpam-ldap's
postinst script is attached.
Steps to reproduce:
1. Install libpam-ldap
2. Enter some Base DN containing a hyphen, e.g. ou=Phil-Fak,o=HHU,c=DE
dpkg reports:
Setting up libpam-ldap (180-1.1) ...
Search pattern not terminated at -e line 1.
dpkg: error processing libpam-ldap (--configure):
subprocess post-installation script returned error exit status 255
Errors were encountered while processing:
libpam-ldap
E: Sub-process /usr/bin/dpkg returned an error code (1)
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (800, 'stable'), (700, 'unstable')
Architecture: sparc (sparc64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.16-pf1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]  1.5.3          Debian configuration management sy
ii  libc6                  2.3.6.ds1-4    GNU C Library: Shared libraries
ii  libldap2               2.1.30-13+b1   OpenLDAP libraries
ii  libpam0g               0.79-3.2       Pluggable Authentication Modules l
libpam-ldap recommends no packages.
-- debconf information:
* shared/ldapns/base-dn: ou=Phil-Fak,o=HHU,c=de
* shared/ldapns/ldap-server: ldap://ldapserver/
* libpam-ldap/pam_password: exop
* libpam-ldap/binddn:
* libpam-ldap/rootbinddn:
* libpam-ldap/dbrootlogin: false
* libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false
diff -Nru libpam-ldap-180-orig/debian/libpam-ldap.postinst
libpam-ldap-180/debian/libpam-ldap.postinst
--- libpam-ldap-180-orig/debian/libpam-ldap.postinst2006-09-17
12:06:33.0 +0200
+++ libpam-ldap-180/debian/libpam-ldap.postinst 2006-09-17 12:07:10.0
+0200
@@ -21,6 +21,15 @@
parameter=$1
value=$2
commented=0 ; notthere=0
+
+# escape slash and backslash for later regex compat
+# the order is important, first the backslashes
+value=`echo $value | sed -s 's#\\\#\\\#g'`
+# then the slashes
+value=`echo $value | sed -s 's#/#\\\/#g'`
+# escape hyphen in domainnames for later regex compat (ex.
example-city.net)
+value=`echo $value | sed -s 's#-#\\\-#g'`
+
egrep -i -q "^$parameter " $CONFFILE || notthere=1
if [ "$notthere" = "1" ]; then
if ( egrep -i -q "^# *$parameter" $CONFFILE ); then
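Review bot: In the three added `value=` assignments, `echo $value` expands the variable unquoted, so a value containing runs of whitespace or glob characters is altered by the shell before sed sees it, and echo may itself interpret a leading `-n` or backslash sequences depending on which shell provides /bin/sh; `printf '%s\n' "$value"` avoids both. The `-s` option to sed only changes how multiple input files are treated and has no effect on piped input, so it can be dropped. The backslash counts are hard to review because backticks strip one level of backslash before sed runs; writing the substitutions with `$(...)` would let the expressions be read as written. The escaping covers only backslash, slash and hyphen, so any other regex metacharacter in a Base DN still passes through unescaped, and the comment should name the later expression this is meant to protect so the character set can be checked against it.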