Bug 7727

Summary: courier-authlib-devel provides
Product: Mageia Reporter: Oden Eriksson <oe>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, sysadmin-bugs, tmb, wassi
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA1TOO mga2-64-OK mga2-32-OK mga1-32-OK mga1-64-OK
Source RPM: courier-authlib CVE:
Status comment:
Attachments: the fix

Description Oden Eriksson 2012-10-07 11:31:40 CEST 
The courier-authlib-devel package is actually providing the libraries and modules.

I examined the Makefile.am file and this is quite awful done. Common libraries that could be packaged as a "%mklibname foo" package is using -module -avoid-version. The install in the Makefile removes any "libname.so.0" file and makes a softlink like "ln -s libname.so libname.so.0".

So, either we have to do a major overhaul and fix this as it should have been done or we adapt.
Comment 1 Oden Eriksson 2012-10-07 11:33:45 CEST 
Created attachment 2933 [details]
the fix

This patch fixes the problem.
Comment 2 Oden Eriksson 2012-10-07 11:35:15 CEST 
Oh, the problem is that "urpmi maildrop" is pulling in courier-authlib-devel and that's just wrong.
Comment 3 Oden Eriksson 2012-10-11 11:09:01 CEST 
Fixed packages has been submitted to mga1 and mga2 in updates_testing.
Comment 4 Oden Eriksson 2012-10-11 11:12:34 CEST 
Fixed packages has been submitted to cauldron.
Comment 5 Oden Eriksson 2012-10-11 14:13:44 CEST 
Well, this shows what the fix is about:

# rpm -qp --requires /mnt/BIG/mageia/2/x86_64/media/core/release/courier-authlib-devel-0.63.0-12.mga2.x86_64.rpm
courier-authlib = 0.63.0
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_2.7)(64bit)
libcourierauth.so()(64bit)
libcourierauthcommon.so()(64bit)
libcrypt.so.1()(64bit)
libcrypt.so.1(GLIBC_2.2.5)(64bit)
libgdbm.so.4()(64bit)
liblber-2.4.so.2()(64bit)
libldap-2.4.so.2()(64bit)
libmysqlclient.so.18()(64bit)
libpam.so.0()(64bit)
libpq.so.5()(64bit)
libpthread.so.0()(64bit)
libpthread.so.0(GLIBC_2.2.5)(64bit)
rtld(GNU_HASH)
rpmlib(PayloadIsLzma) <= 4.4.6-1

# rpm -qp --requires /mnt/BIG/mageia/2/x86_64/media/core/updates_testing/courier-authlib-devel-0.63.0-13.mga2.x86_64.rpm
courier-authlib = 0.63.0
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
libc.so.6()(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
rtld(GNU_HASH)
rpmlib(PayloadIsLzma) <= 4.4.6-1


To bring this even further I guess one could add:

Suggests: courier-authlib-ldap courier-authlib-mysql courier-authlib-pgsql courier-authlib-userdb

In the courier-imap and maildrop packages.
Comment 6 David Walser 2012-10-11 14:18:37 CEST 
If you're building an update for courier-authlib anyway, please include the patch from the 0.65 release announcement.  It was announced as a minor security fix.

http://markmail.org/message/q4jwuljoxo36u6j2
http://freecode.com/projects/courier-authlib/releases/348728

CC: (none) => luigiwalser

Comment 7 Oden Eriksson 2012-10-12 10:37:46 CEST 
Done.
Comment 8 David Walser 2012-10-12 13:38:36 CEST 
Thanks.  Now we just need an Advisory for the update and we can assign this to QA.

Packages built:
courier-authlib-0.63.0-8.mga1
courier-authdaemon-0.63.0-8.mga1
courier-authlib-userdb-0.63.0-8.mga1
courier-authlib-ldap-0.63.0-8.mga1
courier-authlib-mysql-0.63.0-8.mga1
courier-authlib-pgsql-0.63.0-8.mga1
courier-authlib-devel-0.63.0-8.mga1
courier-authlib-0.63.0-14.mga2
courier-authdaemon-0.63.0-14.mga2
courier-authlib-userdb-0.63.0-14.mga2
courier-authlib-ldap-0.63.0-14.mga2
courier-authlib-mysql-0.63.0-14.mga2
courier-authlib-pgsql-0.63.0-14.mga2
courier-authlib-devel-0.63.0-14.mga2

from SRPMS:
courier-authlib-0.63.0-8.mga1.src.rpm
courier-authlib-0.63.0-14.mga2.src.rpm
Comment 9 Oden Eriksson 2012-10-15 15:09:40 CEST 
Proposed advisory:

When using the authpgsql module and if the Postgres server goes down, authpgsql will start leaking memory.

A packaging flaw was discovered that caused the courier-authlib-devel package to be installed when installing for example maildrop.
Comment 10 David Walser 2012-10-15 16:42:22 CEST 
Thanks Oden!  :o)  Assigning to QA.

Advisory:
========================

When using the authpgsql module and if the Postgres server goes down,
authpgsql will start leaking memory.

A packaging flaw was discovered that caused the courier-authlib-devel
package to be installed when installing for example maildrop.

This update fixes both of these issues.

References:
http://markmail.org/message/q4jwuljoxo36u6j2
========================

Updated packages in core/updates_testing:
========================
courier-authlib-0.63.0-8.mga1
courier-authdaemon-0.63.0-8.mga1
courier-authlib-userdb-0.63.0-8.mga1
courier-authlib-ldap-0.63.0-8.mga1
courier-authlib-mysql-0.63.0-8.mga1
courier-authlib-pgsql-0.63.0-8.mga1
courier-authlib-devel-0.63.0-8.mga1
courier-authlib-0.63.0-14.mga2
courier-authdaemon-0.63.0-14.mga2
courier-authlib-userdb-0.63.0-14.mga2
courier-authlib-ldap-0.63.0-14.mga2
courier-authlib-mysql-0.63.0-14.mga2
courier-authlib-pgsql-0.63.0-14.mga2
courier-authlib-devel-0.63.0-14.mga2

from SRPMS:
courier-authlib-0.63.0-8.mga1.src.rpm
courier-authlib-0.63.0-14.mga2.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA1TOO

Comment 11 claire robinson 2012-11-02 10:55:30 CET 
Short of configuring a mailserver I think it's probably sufficient to show the reported bug is fixed.

Before
------
Installs courier-authlib-devel..

# urpmi maildrop
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  courier-authdaemon             0.63.0       12.mga2       x86_64
  courier-authlib                0.63.0       12.mga2       x86_64
  courier-authlib-devel          0.63.0       12.mga2       x86_64
  expect                         5.43.0       20.mga2       x86_64
  lib64expect5.43                5.43.0       20.mga2       x86_64
  maildrop                       2.5.5        3.mga2        x86_64
2.6MB of additional disk space will be used.
820KB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) n

After
-----
Doesnt install courier-authlib-devel..

# urpmi maildrop
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  maildrop                       2.5.5        3.mga2        x86_64
(medium "Core Updates Testing")
  courier-authdaemon             0.63.0       14.mga2       x86_64
  courier-authlib                0.63.0       14.mga2       x86_64
  expect                         5.43.0       20.1.mga2     x86_64
  lib64expect5.43                5.43.0       20.1.mga2     x86_64
2.4MB of additional disk space will be used.
754KB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) n

If there are no objections then testing complete mga2 64

Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK

Comment 12 user7 2012-11-03 18:51:35 CET 
Testing complete on mga2, i586.

Using claire's procedure, the results are exactly the same, thus I won't replicate them here.

I did not test for regressions, as I can't set up a mailserver here. If this is considered sufficient testing, the update may be validated.

CC: (none) => wassi
Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO mga2-64-OK mga2-32-OK

Comment 13 claire robinson 2012-11-13 19:21:33 CET 
Testing mga1 32

maildrop is not packaged for mga1

Before
------
# urpmi courier-authdaemon
In order to satisfy the 'libpq.so.5' dependency, one of the following packages is needed:
 1- libpq9.0_5-9.0.10-1.mga1.i586: The shared libraries required for any PostgreSQL clients (to install)
 2- libpq8.4_5-8.4.14-1.mga1.i586: The shared libraries required for any PostgreSQL clients (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:
   Package                        Version      Release       Arch   
(medium "Core Release")
  courier-authdaemon             0.63.0       6.mga1        i586    
  courier-authlib                0.63.0       6.mga1        i586    
  courier-authlib-devel          0.63.0       6.mga1        i586    
  expect                         5.43.0       19.mga1       i586    
  libexpect5.43                  5.43.0       19.mga1       i586    
(medium "Core Updates")
  libpq9.0_5                     9.0.10       1.mga1        i586    
2.2MB of additional disk space will be used.
701KB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) n

After
-----
# urpmi courier-authdaemon
To satisfy dependencies, the following packages are going to be installed:
   Package                        Version      Release       Arch   
(medium "Core Release")
  expect                         5.43.0       19.mga1       i586    
  libexpect5.43                  5.43.0       19.mga1       i586    
(medium "Core Updates Testing")
  courier-authdaemon             0.63.0       8.mga1        i586    
  courier-authlib                0.63.0       8.mga1        i586    
1MB of additional disk space will be used.
401KB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) n

Whiteboard: MGA1TOO mga2-64-OK mga2-32-OK => MGA1TOO mga2-64-OK mga2-32-OK mga1-32-OK

Comment 14 claire robinson 2012-11-13 19:26:15 CET 
Testing complete mga1 64

Validating


Advisory & SRPM's in comment 10

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga2-64-OK mga2-32-OK mga1-32-OK => MGA1TOO mga2-64-OK mga2-32-OK mga1-32-OK mga1-64-OK

Comment 15 Thomas Backlund 2012-11-17 17:39:42 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0221

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED