slackware-current/source/n/openldap/openldap.SlackBuild
Patrick J Volkerding 7b9b973e94 Tue Jan 30 22:01:28 UTC 2024
a/lzip-1.24-x86_64-1.txz:  Upgraded.
a/openssl-solibs-3.2.1-x86_64-1.txz:  Upgraded.
ap/alsa-utils-1.2.11-x86_64-1.txz:  Upgraded.
ap/sqlite-3.45.1-x86_64-1.txz:  Upgraded.
d/binutils-2.42-x86_64-1.txz:  Upgraded.
  Shared library .so-version bump.
d/cmake-3.28.2-x86_64-1.txz:  Upgraded.
d/oprofile-1.4.0-x86_64-13.txz:  Rebuilt.
  Recompiled against binutils-2.42.
d/strace-6.7-x86_64-1.txz:  Upgraded.
kde/digikam-8.2.0-x86_64-5.txz:  Rebuilt.
  Recompiled against libpng-1.6.42.
l/alsa-lib-1.2.11-x86_64-1.txz:  Upgraded.
l/libpng-1.6.42-x86_64-1.txz:  Upgraded.
  Fixed the implementation of the macro function png_check_sig().
  This was an API regression, introduced in libpng-1.6.41.
  Reported by Matthieu Darbois.
l/lmdb-0.9.32-x86_64-1.txz:  Upgraded.
l/neon-0.33.0-x86_64-1.txz:  Upgraded.
l/opencv-4.9.0-x86_64-3.txz:  Rebuilt.
  Recompiled against libpng-1.6.42.
l/qt5-5.15.12_20240103_b8fd1448-x86_64-4.txz:  Rebuilt.
  Recompiled against libpng-1.6.42.
l/talloc-2.4.2-x86_64-1.txz:  Upgraded.
l/tdb-1.4.10-x86_64-1.txz:  Upgraded.
l/tevent-0.16.1-x86_64-1.txz:  Upgraded.
n/openldap-2.6.7-x86_64-1.txz:  Upgraded.
n/openssl-3.2.1-x86_64-1.txz:  Upgraded.
  This update fixes possible denial-of-service security issues:
  A file in PKCS12 format can contain certificates and keys and may come from
  an untrusted source. The PKCS12 specification allows certain fields to be
  NULL, but OpenSSL did not correctly check for this case. A fix has been
  applied to prevent a NULL pointer dereference that results in OpenSSL
  crashing. If an application processes PKCS12 files from an untrusted source
  using the OpenSSL APIs then that application will be vulnerable to this
  issue prior to this fix.
  OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
  PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
  and PKCS12_newpass().
  When function EVP_PKEY_public_check() is called on RSA public keys,
  a computation is done to confirm that the RSA modulus, n, is composite.
  For valid RSA keys, n is a product of two or more large primes and this
  computation completes quickly. However, if n is an overly large prime,
  then this computation would take a long time.
  An application that calls EVP_PKEY_public_check() and supplies an RSA key
  obtained from an untrusted source could be vulnerable to a Denial of Service
  attack.
  The function EVP_PKEY_public_check() is not called from other OpenSSL
  functions however it is called from the OpenSSL pkey command line
  application. For that reason that application is also vulnerable if used
  with the "-pubin" and "-check" options on untrusted data.
  To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
  now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
  Fix excessive time spent in DH check / generation with large Q parameter
  value.
  Applications that use the functions DH_generate_key() to generate an
  X9.42 DH key may experience long delays. Likewise, applications that use
  DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
  to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
  Where the key or parameters that are being checked have been obtained from
  an untrusted source this may lead to a Denial of Service.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-0727
    https://www.cve.org/CVERecord?id=CVE-2023-6237
    https://www.cve.org/CVERecord?id=CVE-2023-5678
  (* Security fix *)
xap/MPlayer-20240130-x86_64-1.txz:  Upgraded.
  Fixed build script to exit on errors.
  Patched to build against gettext-0.22.4.
  Thanks to Matteo Bernardini.
xap/xine-lib-1.2.13-x86_64-7.txz:  Rebuilt.
  Recompiled against libpng-1.6.42.
2024-01-30 23:34:34 +01:00

275 lines
7.9 KiB
Bash
Executable file

#!/bin/bash
# Copyright 2008, 2009, 2010, 2018, 2019, 2020, 2022 Patrick J. Volkerding, Sebeka, Minnesota, USA
# Copyright 2015-2017 Giuseppe Di Terlizzi <giuseppe.diterlizzi@gmail.com>
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=openldap
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
BUILD=${BUILD:-1}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$(uname -m)" in
i?86) ARCH=i586 ;;
arm*) readelf /usr/bin/file -A | grep -E -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7hl ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) ARCH=$(uname -m) ;;
esac
export ARCH
fi
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
exit 0
fi
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "s390" ]; then
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
elif [ "$ARCH" = "armv7hl" ]; then
SLKCFLAGS="-O3 -march=armv7-a -mfpu=vfpv3-d16"
LIBDIRSUFFIX=""
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
TMP=${TMP:-/tmp}
PKG=$TMP/package-$PKGNAM
rm -rf $PKG
mkdir -p $TMP $PKG
cd $TMP
rm -rf $PKGNAM-$VERSION
tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1
cd $PKGNAM-$VERSION || exit 1
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \+ -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
# Ensure user:group exists before building:
if ! grep -q "^ldap:" /etc/passwd ; then
echo "ldap:x:330:330:OpenLDAP server:/var/lib/openldap:/bin/false" >> /etc/passwd
fi
if ! grep -q "^ldap:" /etc/group ; then
echo "ldap:x:330:" >> /etc/group
fi
if ! grep -q "^ldap:" /etc/shadow ; then
echo "ldap:*:9797:0:::::" >> /etc/shadow
fi
# Change the location of run directory into /var/run/openldap:
sed -i -e 's|%LOCALSTATEDIR%/run/|/var/run/openldap/|' \
servers/slapd/slapd.*
# Change the location of ldapi socket into /var/run/openldap:
sed -i -e 's|\(#define LDAPI_SOCK\).*|\1 "/var/run/openldap/ldapi"|' \
include/ldap_defaults.h
# Change the default OpenLDAP database directory:
sed -i -e 's|openldap-data|lib/openldap|' \
servers/slapd/slapd.* include/ldap_defaults.h servers/slapd/Makefile.in
# Fix man pages:
sed -i "s/openldap\\\-data/lib\/openldap/g" doc/man/man5/slapd-config.5 doc/man/man5/slapd-bdb.5 doc/man/man5/slapd-mdb.5 doc/man/man5/slapd.conf.5
# Configure, build, and install:
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
--exec-prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/man \
--localstatedir=/var \
--libdir=/usr/lib${LIBDIRSUFFIX} \
\
--enable-debug \
--enable-dynamic \
--enable-syslog \
--enable-proctitle \
--enable-ipv6 \
--enable-local \
\
--enable-slapd \
--enable-dynacl \
--enable-aci \
--enable-cleartext \
--enable-crypt \
--enable-lmpasswd \
--enable-spasswd \
--enable-modules \
--enable-rewrite \
--enable-rlookups \
--enable-slapi \
--disable-slp \
--enable-wrappers \
\
--enable-backends=mod \
--enable-bdb=yes \
--enable-hdb=yes \
--enable-mdb=yes \
--enable-monitor=yes \
--enable-perl=yes \
--enable-argon2 \
--with-argon2=libsodium \
--disable-wt \
\
--enable-overlays=mod \
\
--disable-static \
--enable-shared \
\
--with-cyrus-sasl \
--without-fetch \
--with-threads \
--with-pic \
--with-tls \
\
--build=$ARCH-slackware-linux || exit 1
make depend
make $NUMJOBS || make || exit 1
make install DESTDIR=$PKG || exit 1
# Don't ship .la files:
rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
# Don't package this directory:
rmdir $PKG/var/run
# Fix permissions on shared libraries:
chmod 755 $PKG/usr/lib${LIBDIRSUFFIX}/*.so.*
# Restrict access to database:
if [ ! -d $PKG/var/lib/openldap ]; then
mkdir -p $PKG/var/lib/openldap
fi
chmod 700 $PKG/var/lib/openldap
# Fix ownership:
chown -R ldap:ldap $PKG/var/lib/openldap
chown -R ldap:ldap $PKG/etc/openldap
# Get rid of .default config files:
rm -f $PKG/etc/openldap/*.default
# Move ldap.conf to ldap.conf.new and add an additional option:
mv $PKG/etc/openldap/ldap.conf $PKG/etc/openldap/ldap.conf.new
cat << EOF >> $PKG/etc/openldap/ldap.conf.new
# In order to avoid problems with self-signed certificates using TLS:
# "TLS certificate verification: Error, self signed certificate"
# See also 'man ldap.conf' or http://www.openldap.org/doc/admin/tls.html
TLS_REQCERT allow
EOF
# Move other config files to .new:
mv $PKG/etc/openldap/slapd.conf $PKG/etc/openldap/slapd.conf.new
mv $PKG/etc/openldap/slapd.ldif $PKG/etc/openldap/slapd.ldif.new
# Create a symlink for slapd in /usr/sbin:
if [ ! -x $PKG/usr/sbin/slapd ]; then
( cd $PKG/usr/sbin ; ln -sf ../libexec/slapd slapd )
fi
# Create OpenLDAP certificates directory:
mkdir -p $PKG/etc/openldap/certs
# Copy rc.openldap:
mkdir -p $PKG/etc/rc.d
cat $CWD/rc.openldap > $PKG/etc/rc.d/rc.openldap.new
# Copy slapd default file:
mkdir -p $PKG/etc/default
cat $CWD/slapd > $PKG/etc/default/slapd.new
# Strip binaries:
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
# Compress manual pages:
find $PKG/usr/man -type f -exec gzip -9 {} \+
for i in $( find $PKG/usr/man -type l ) ; do
ln -s $( readlink $i ).gz $i.gz
rm $i
done
# Add a documentation directory:
mkdir -p $PKG/usr/doc/${PKGNAM}-$VERSION
cp -a \
ANNOUNCEMENT* CHANGES COPYRIGHT* INSTALL* LICENSE* README* \
$PKG/usr/doc/${PKGNAM}-$VERSION
# If there's a CHANGES file, installing at least part of the recent history
# is useful, but don't let it get totally out of control:
if [ -r CHANGES ]; then
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
cat CHANGES | head -n 1000 > $DOCSDIR/CHANGES
touch -r CHANGES $DOCSDIR/CHANGES
fi
# Include monitor backend README
cp -a \
servers/slapd/back-monitor/README \
$PKG/usr/doc/$PKGNAM-$VERSION/README.back-monitor
# Include Perl backend README
cp -a \
servers/slapd/back-perl/README \
$PKG/usr/doc/$PKGNAM-$VERSION/README.back-perl
# Include Perl backend sample file
cp -a \
servers/slapd/back-perl/SampleLDAP.pm \
$PKG/usr/doc/$PKGNAM-$VERSION
# Include OpenLDAP documentation
cp -a \
doc/guide/admin/*.png \
doc/guide/admin/*.html \
$PKG/usr/doc/$PKGNAM-$VERSION
mkdir -p $PKG/install
zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
cat $CWD/slack-desc > $PKG/install/slack-desc
cd $PKG
/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz