Merge pull request #999 from flatcar/dongsu/openldap-2.5.14

net-nds/openldap: update to 2.5.14

.github/workflows/portage-stable-packages-list

@@ -343,6 +343,7 @@ net-misc/socat
 net-misc/wget
 net-misc/whois
 
+net-nds/openldap
 net-nds/rpcbind
 
 net-vpn/wireguard-tools

changelog/security/2023-07-20-openldap-2.5.14.md

@@ -0,0 +1 @@
+- openldap ([CVE-2023-2953](https://nvd.nist.gov/vuln/detail/CVE-2023-2953))

changelog/updates/2023-07-20-openldap-2.5.14.md

@@ -0,0 +1 @@
+- openldap ([2.5.14](https://lists.openldap.org/hyperkitty/list/[email protected]/thread/TZQHR4SIWUA5BZTKDAKSFDOOGDVU4TU7/) (includes [2.5](https://lists.openldap.org/hyperkitty/list/[email protected]/thread/BH3VDPG6IYYF5L5U6LZGHHKMJY5HFA3L/)))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask

@@ -20,3 +20,8 @@
 # Python 3.12 is in portage-stable (currently testing), so avoid picking it
 # up. Update this to mask later versions when we switch to 3.11.
 >=dev-lang/python-3.12
+
+# Do not update to openldap 2.6.3+, to take 2 different steps of updating
+# openldap, 1) from 2.4 to 2.5, 2) do an Alpha release around 2023-08, and
+# 3) finally update from 2.5 to 2.6.
+>=net-nds/openldap-2.6

sdk_container/src/third_party/portage-stable/net-nds/openldap/Manifest

@@ -1,6 +1,6 @@
-DIST openldap-2.4.57.tgz 5883912 BLAKE2B 439605e1bebcf34968f0a552aaade1b72b7671ae2a94a0b700a84f9f715acd162e7b8dadfdd3ffd5b0a785f9306b5f5033ab956cf0ffd26b66119a7110d0aa57 SHA512 b929bced0f5ba9a90e015a24b8037c8958fbb7282db272bd0cacf43b5f7540ab42159a3c4441148074340228bb5f07f93651c0dbb2affde961be156058f99ce5
-DIST openldap-2.4.58.tgz 5885225 BLAKE2B effb618dba03497796a497cd7f53ec52e389133769321dd242433bed5ec4b1f66cf7353f08a49d5f3465880f6bcfc9afc9c7d2a28e075b66f5fd926b02213541 SHA512 2fa2aa36117692eca44e55559f162c8c796f78469e6c2aee91b06d46f2b755d416979c913a3d89bbf9db14cc84881ecffee69af75b48e1d16b7aa9d2e3873baa
 DIST openldap-2.4.59.tgz 5886272 BLAKE2B a2a8bed1d2af97fd41d651668152fd4740871bc5a8abf4b50390839228af82ac103346b3500ae0f8dd31b708acabb30435b90cd48dfafe510e648df5150d96b8 SHA512 233459ab446da6e107a7fc4ecd5668d6b08c11a11359ee76449550393e8f586a29b59d7ae09a050a1fca4fcf388ea61438ef60831b3ae802d92c048365ae3968
-DIST openldap-2.5.4.tgz 6415235 BLAKE2B 16e466d01dc7642786bb88a101854513f1239f1e817fd05145e89deb54bc1b911a5dc5f42b132747f14bdd2a3355e7c398b8b14937e7093361f4a96bfb7e9197 SHA512 00b57c9179acf3b1bde738e91604f3b09b5f5309106362bb947154d131868f233713eaa75c9af9771bfad731902d67406e8fb429851bad227fc48054cace16a8
-DIST openldap-OPENLDAP_REL_ENG_2_6_1.tar.gz 6211863 BLAKE2B 81f4591db483a214351c2e02631fef2875e17e0890fc621182d2ed61d927c3c029a4f290ee6c0788952495d6f7a76ed15e62557b8d8f2e241d867e19fdf223b7 SHA512 ca61c1dccf3194d8d149ca0c45a4834d6fadf67a3676cf348f5f62ab92c94bc7501216d7da681c3a6f87f646a18d0f3d116c3d3a24d2e5cbebc6c695c986e517
+DIST openldap-OPENLDAP_REL_ENG_2_5_14.tar.bz2 5024359 BLAKE2B ffdffbd47e76545c2dc2d433d290945ab6eebd910031a60249cd8f6eac24f67841098e61c7e57864428e20a183a46d36dac422bba8cf6f3596f97439875af96b SHA512 abd1e8bda0762500db028f283fe2da9480a419072927295d6f3e1448cae130592511f385a87585843cf88217417c90ef57174ca919cfcf163eb41642a72bb4e3
+DIST openldap-OPENLDAP_REL_ENG_2_6_3.tar.gz 6244895 BLAKE2B 97792a1b368de44867b0ce9eef38601c3e64b7d40e4ca206295bee110097697c919040d2220eea6f0581812e09a2cc3e6afb4a243a5072a8a0a95f24f9fb354b SHA512 1c882a0cd0729b5d0f40b58588d0e36ae3b1cae6d569f0576e940c7c63d03c29ed2c9db87695a87594ba99a927ef4cba491bddba3ce049025fd5883463122ba7
+DIST openldap-OPENLDAP_REL_ENG_2_6_4.tar.bz2 5043227 BLAKE2B 9bec77dbace0e52d1607d9ac13a77349e7d0b8876aa81fa635893638d00db58ec6bf8412f11fd266bba0440887be1aa21eb4a876122152f7f6de9fd8f75b6b4c SHA512 bff11bf1ae125bcabbd307f6c4e1c102a8df6f1091f84f5e7053fdbaa89ccd6aa0c86cc8dcce4fb9b6ffd853b5f8d3c933733f5713aeb4d6a9d77ab145293b48
+DIST openldap-OPENLDAP_REL_ENG_2_6_5.tar.bz2 5040569 BLAKE2B d1835e560a81bc3df2eb44964162306057ad28869a1e41da7ab823460b4a33437cd385ec9448a6df9bc580afd04dff5c4680e0b91a2f16960ad2c5f3812410ba SHA512 d259ca5ac8fbdcf9bb477e24c0feaf05678ab660007164a54463a954f1b26c3f9740855d16155fa249adcb2652223fdcfc682bb4005b46a5f36e2d5cae37f158
 DIST rfc2307bis.schema-20140524 12262 BLAKE2B 98031f49e9bde1e4821e637af3382364d8344ed7017649686a088070d96a632dffa6c661552352656b1b159c0fd962965580069a64c7f3d5bb6a3ed75f60fd99 SHA512 83b89a1deeefc8566b97e7e865b9b6d04541099cbdf719e24538a7d27d61b6209e87ab9003a9f140bd9afd018ec569e71721e3a24090e1902c8b6659d2ba103e

sdk_container/src/third_party/portage-stable/net-nds/openldap/files/openldap-2.6.3-clang16.patch

@@ -0,0 +1,185 @@
+From ee4983302d6f052e77ab0332d2a128d169c2eacb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Arsen=20Arsenovi=C4=87?= <[email protected]>
+Date: Tue, 15 Nov 2022 21:45:27 +0100
+Subject: [PATCH] Remove default-int/k&r declarations from the configure macros
+
+Recently, Clang tried to switch to having K&R prototypes and other
+non-strictly-conforming prototypes error out, as a result of C2x changes
+to the standard.  These have been located across many packages, and
+range in severity from mild compile errors to runtime misconfiguration
+as a result of broken configure scripts.
+
+This covers all the instances I could find by grepping around the
+codebase, and gets OpenLDAP building on my system.
+
+Bug: https://bugs.gentoo.org/871288
+Bug: https://bugs.gentoo.org/871372
+--- a/build/openldap.m4
++++ b/build/openldap.m4
+@@ -154,6 +154,7 @@ fi
+ if test $ol_cv_header_stdc = yes; then
+   # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <ctype.h>
++#include <stdlib.h>
+ #ifndef HAVE_EBCDIC
+ #	define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+ #	define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+@@ -394,9 +395,7 @@ AC_DEFUN([OL_PTHREAD_TEST_FUNCTION],[[
+ AC_DEFUN([OL_PTHREAD_TEST_PROGRAM],
+ [AC_LANG_SOURCE([OL_PTHREAD_TEST_INCLUDES
+
+-int main(argc, argv)
+-	int argc;
+-	char **argv;
++int main(int argc, char **argv)
+ {
+ OL_PTHREAD_TEST_FUNCTION
+ }
+@@ -518,7 +517,7 @@ AC_CACHE_CHECK([for compatible POSIX regex],ol_cv_c_posix_regex,[
+ #include <sys/types.h>
+ #include <regex.h>
+ static char *pattern, *string;
+-main()
++int main(void)
+ {
+ 	int rc;
+ 	regex_t re;
+@@ -545,7 +544,8 @@ AC_DEFUN([OL_C_UPPER_LOWER],
+ [AC_CACHE_CHECK([if toupper() requires islower()],ol_cv_c_upper_lower,[
+ 	AC_RUN_IFELSE([AC_LANG_SOURCE([[
+ #include <ctype.h>
+-main()
++#include <stdlib.h>
++int main(void)
+ {
+ 	if ('C' == toupper('C'))
+ 		exit(0);
+@@ -603,7 +603,7 @@ AC_DEFUN([OL_NONPOSIX_STRERROR_R],
+ 			]])],[ol_cv_nonposix_strerror_r=yes],[ol_cv_nonposix_strerror_r=no])
+ 	else
+ 		AC_RUN_IFELSE([AC_LANG_SOURCE([[
+-			main() {
++			int main(void) {
+ 				char buf[100];
+ 				buf[0] = 0;
+ 				strerror_r( 1, buf, sizeof buf );
+--- a/configure.ac
++++ b/configure.ac
+@@ -1031,7 +1031,11 @@ dnl ----------------------------------------------------------------
+ AC_CHECK_HEADERS( sys/epoll.h )
+ if test "${ac_cv_header_sys_epoll_h}" = yes; then
+ 	AC_MSG_CHECKING(for epoll system call)
+-	AC_RUN_IFELSE([AC_LANG_SOURCE([[int main(int argc, char **argv)
++	AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <stdlib.h>
++#ifdef HAVE_SYS_POLL_H
++#include <sys/epoll.h>
++#endif
++int main(int argc, char **argv)
+ {
+ 	int epfd = epoll_create(256);
+ 	exit (epfd == -1 ? 1 : 0);
+@@ -1493,10 +1497,8 @@ pthread_rwlock_t rwlock;
+ 				dnl save the flags
+ 				AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+ #include <pthread.h>
+-#ifndef NULL
+-#define NULL (void*)0
+-#endif
+-]], [[pthread_detach(NULL);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no])
++pthread_t thread;
++]], [[pthread_detach(thread);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no])
+ 			])
+
+ 			if test $ol_cv_func_pthread_detach = no ; then
+@@ -1551,6 +1553,9 @@ dnl			esac
+ 				AC_CACHE_CHECK([if select yields when using pthreads],
+ 					ol_cv_pthread_select_yields,[
+ 				AC_RUN_IFELSE([AC_LANG_SOURCE([[
++#define _XOPEN_SOURCE 500               /* For pthread_setconcurrency() on glibc */
++#include <stdlib.h>
++#include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/time.h>
+ #include <unistd.h>
+@@ -1561,8 +1566,7 @@ dnl			esac
+
+ static int fildes[2];
+
+-static void *task(p)
+-	void *p;
++static void *task(void *p)
+ {
+ 	int i;
+ 	struct timeval tv;
+@@ -1586,9 +1590,7 @@ static void *task(p)
+ 	exit(0); /* if we exit here, the select blocked the whole process */
+ }
+
+-int main(argc, argv)
+-	int argc;
+-	char **argv;
++int main(int argc, char **argv)
+ {
+ 	pthread_t t;
+
+--- a/contrib/ldaptcl/tclAppInit.c
++++ b/contrib/ldaptcl/tclAppInit.c
+@@ -45,9 +45,7 @@ EXTERN int		Tcltest_Init _ANSI_ARGS_((Tcl_Interp *interp));
+  */
+
+ int
+-main(argc, argv)
+-    int argc;			/* Number of command-line arguments. */
+-    char **argv;		/* Values of command-line arguments. */
++main(int argc, char **argv)
+ {
+ #ifdef USE_TCLX
+     TclX_Main(argc, argv, Tcl_AppInit);
+--- a/contrib/ldaptcl/tkAppInit.c
++++ b/contrib/ldaptcl/tkAppInit.c
+@@ -37,16 +37,9 @@ int (*tclDummyMathPtr)() = matherr;
+  * This is the main program for the application.
+  *-----------------------------------------------------------------------------
+  */
+-#ifdef __cplusplus
+ int
+ main (int    argc,
+       char **argv)
+-#else
+-int
+-main (argc, argv)
+-    int    argc;
+-    char **argv;
+-#endif
+ {
+ #ifdef USE_TCLX
+     TkX_Main(argc, argv, Tcl_AppInit);
+@@ -68,14 +61,8 @@ main (argc, argv)
+  * interp->result if an error occurs.
+  *-----------------------------------------------------------------------------
+  */
+-#ifdef __cplusplus
+ int
+ Tcl_AppInit (Tcl_Interp *interp)
+-#else
+-int
+-Tcl_AppInit (interp)
+-    Tcl_Interp *interp;
+-#endif
+ {
+     if (Tcl_Init (interp) == TCL_ERROR) {
+         return TCL_ERROR;
+--- a/servers/slapd/syslog.c
++++ b/servers/slapd/syslog.c
+@@ -209,7 +209,7 @@ openlog(const char *ident, int logstat, int logfac)
+ }
+
+ void
+-closelog()
++closelog(void)
+ {
+ 	(void)close(LogFile);
+ 	LogFile = -1;
+-- 
+2.38.1
+

sdk_container/src/third_party/portage-stable/net-nds/openldap/files/openldap-2.6.3-slapd-conf

@@ -0,0 +1,64 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include		/etc/openldap/schema/core.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile		/run/openldap/slapd.pid
+argsfile	/run/openldap/slapd.args
+
+# Load dynamic backend modules:
+###INSERTDYNAMICMODULESHERE###
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database	mdb
+suffix		"dc=my-domain,dc=com"
+#         <kbyte> <min>
+checkpoint	32	30 
+rootdn		"cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw		secret
+# The database directory MUST exist prior to running slapd AND 
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory	/var/lib/openldap-data
+# Indices to maintain
+index	objectClass	eq