NetBSD Problem Report #58915
From www@netbsd.org Wed Dec 18 07:07:17 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 69E2D1A9238
for <gnats-bugs@gnats.NetBSD.org>; Wed, 18 Dec 2024 07:07:17 +0000 (UTC)
Message-Id: <20241218070716.393D31A923A@mollari.NetBSD.org>
Date: Wed, 18 Dec 2024 07:07:16 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: openldap libraries leak private symbols
X-Send-Pr-Version: www-1.0
>Number: 58915
>Category: lib
>Synopsis: openldap libraries leak private symbols
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Dec 18 07:10:00 +0000 2024
>Last-Modified: Sun Dec 14 17:55:01 +0000 2025
>Originator: Taylor R Campbell
>Release: current, 10, 9, ...
>Organization:
The NetLDAP Foundaleak
>Environment:
>Description:
Upstream builds liblber, libldap, &c., with a version script, but we don't, so we accidentally export a bunch of internal symbols (and the set of symbols differs depending on build options like USE_KERBEROS).
>How-To-Repeat:
code inspection, build with MKKERBEROS=no, &c.
>Fix:
Yes, please!
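An added example, not part of the report or of NetBSD's build system: a check that compares a library's exported symbols with the export list assembled for one MKKERBEROS setting, which is the kind of drift the description refers to. The file layout, the sample nm output and the name example_private_helper are constructed for illustration.

```shell
# Added example (not NetBSD code). File names and sample data are constructed.

# expected_exports MKKERBEROS common-list kerberos-list
# Assemble the sorted export list for one build configuration.
expected_exports() {
	if [ "$1" = "no" ]; then
		LC_ALL=C sort -u "$2"
	else
		LC_ALL=C sort -u "$2" "$3"
	fi
}

# Read "address type name" lines (nm -D --defined-only style) on stdin and
# print the sorted names of defined global symbols.
exported_from_nm() {
	awk '$2 ~ /^[TDBRWV]$/ { print $3 }' | LC_ALL=C sort -u
}

# symbol_drift want have: print "+name" for exported-but-unlisted symbols
# (leaks) and "-name" for listed-but-missing ones; return 1 on any drift.
symbol_drift() {
	out=$(
		LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+/'
		LC_ALL=C comm -23 "$1" "$2" | sed 's/^/-/'
	)
	[ -z "$out" ] && return 0
	printf '%s\n' "$out"
	return 1
}

# Constructed case: a library built without Kerberos that also exports one
# helper missing from every list. $1 is the MKKERBEROS value assumed.
demo_drift() {
	d=$(mktemp -d) || return 2
	printf '%s\n' ldap_bind ldap_int_hostname >"$d/common"
	printf '%s\n' ldap_int_gssapi_close >"$d/kerberos"
	cat >"$d/nm.out" <<'EOF'
0000000000004a10 T ldap_bind
0000000000009c40 B ldap_int_hostname
000000000000b220 T example_private_helper
                 U malloc
EOF
	expected_exports "$1" "$d/common" "$d/kerberos" >"$d/want"
	exported_from_nm <"$d/nm.out" >"$d/have"
	rc=0; symbol_drift "$d/want" "$d/have" || rc=$?
	rm -rf "$d"
	return "$rc"
}

demo_drift yes || echo "export list and library disagree"
```

Checked against the list for MKKERBEROS=no, only the unlisted helper is reported; checked against the list that includes the Kerberos fragment, the missing GSSAPI symbol is reported as well.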
>Audit-Trail:
From: "Greg A. Woods" <woods@planix.ca>
To: NetBSD GNATS <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: lib/58915: openldap libraries leak private symbols
Date: Fri, 05 Dec 2025 21:47:02 -0800
For what it's worth the following changes seem to allow openldap to be
built with MKKERBEROS=no.
They aren't the proper fix for the underlying problem of course.
I took inspiration from similar changes for bind/lib/libdns.
Perhaps the file naming isn't ideal, not following the convention used
in libdns, but these names helped me avoid renaming an existing source
file.
I have a bunch more MKKERBEROS=no fixes, but since this PR mentions the
problem specifically for openldap I thought I might contribute this bit
here for now.
--
Greg A. Woods <gwoods@acm.org>
Kelowna, BC +1 250 762-7675 RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Avoncote Farms <woods@avoncote.ca>
diff --git a/external/bsd/openldap/lib/libldap/Makefile b/external/bsd/openldap/lib/libldap/Makefile
index 21cb8415f4c8..7a96bc5856cc 100644
--- a/external/bsd/openldap/lib/libldap/Makefile
+++ b/external/bsd/openldap/lib/libldap/Makefile
@@ -132,4 +132,16 @@ MLINKS+= ldap_url.3 ldap_is_ldap_url.3 \
MAN+= ldap.conf.5 ldif.5
+EXPSYM_SRCS+= ldap.expsym
+.if ${MKKERBEROS:Uno} != "no"
+EXPSYM_SRCS+= ldap.kerberos.expsym
+.endif
+
+LIB_EXPSYM= ldap.actual.expsym
+ldap.actual.expsym: ${EXPSYM_SRCS}
+ ${_MKTARGET_CREATE}
+ LC_ALL=C sort -m ${.ALLSRC} >${.TARGET}.tmp && \
+ ${MV} ${.TARGET}.tmp ${.TARGET}
+CLEANFILES+= ldap.actual.expsym ldap.actual.expsym.tmp
+
.include <bsd.lib.mk>
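Review bot: `sort -m` in the ldap.actual.expsym rule only merges, so it assumes every file in EXPSYM_SRCS is already sorted under LC_ALL=C; a later hand edit that puts a name out of order in ldap.expsym or ldap.kerberos.expsym would yield an unsorted generated list with no error. Plain `sort` (or `sort -u`, which also drops a name listed in both fragments) costs nothing at this size and removes that assumption.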
diff --git a/external/bsd/openldap/lib/libldap/ldap.expsym b/external/bsd/openldap/lib/libldap/ldap.expsym
index 3b96dc9afcee..c5adf8c3e455 100644
--- a/external/bsd/openldap/lib/libldap/ldap.expsym
+++ b/external/bsd/openldap/lib/libldap/ldap.expsym
@@ -164,10 +164,6 @@ ldap_int_decode_b64_inplace
ldap_int_error_init
ldap_int_flush_request
ldap_int_global_options
-ldap_int_gssapi_close
-ldap_int_gssapi_config
-ldap_int_gssapi_get_option
-ldap_int_gssapi_set_option
ldap_int_hostname
ldap_int_inet4or6
ldap_int_initialize
diff --git a/external/bsd/openldap/lib/libldap/ldap.kerberos.expsym b/external/bsd/openldap/lib/libldap/ldap.kerberos.expsym
new file mode 100644
index 000000000000..bf434bef4d5e
--- /dev/null
+++ b/external/bsd/openldap/lib/libldap/ldap.kerberos.expsym
@@ -0,0 +1,4 @@
+ldap_int_gssapi_close
+ldap_int_gssapi_config
+ldap_int_gssapi_get_option
+ldap_int_gssapi_set_option
diff --git a/external/bsd/openldap/lib/libldap_r/Makefile b/external/bsd/openldap/lib/libldap_r/Makefile
index 91e1f29f0c42..0f1197a99e27 100644
--- a/external/bsd/openldap/lib/libldap_r/Makefile
+++ b/external/bsd/openldap/lib/libldap_r/Makefile
@@ -7,6 +7,7 @@ CWARNFLAGS.clang= -Wno-format-extra-args
LIB= ldap_r
+# xxx nothing actually in there -- just uses libraries/libldap from Makefile.libldap
.PATH: ${LDAP_DISTDIR}/libraries/libldap_r
SRCS+= threads.c rdwr.c rq.c \
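Review bot: the `# xxx` comment added above `.PATH` is unrelated to the MKKERBEROS change and is hard to square with the `SRCS+= threads.c rdwr.c rq.c` line that follows it. Either leave it out of this patch or reword it to say which sources come from libraries/libldap_r and which are picked up from libraries/libldap.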
@@ -16,4 +17,16 @@ SRCS+= threads.c rdwr.c rq.c \
COPTS+= -pthread
LIBDPLIBS+= pthread ${.CURDIR}/../../../../../lib/libpthread
+EXPSYM_SRCS+= ldap_r.expsym
+.if ${MKKERBEROS:Uno} != "no"
+EXPSYM_SRCS+= ldap_r.kerberos.expsym
+.endif
+
+LIB_EXPSYM= ldap_r.actual.expsym
+ldap.actual.expsym: ${EXPSYM_SRCS}
+ ${_MKTARGET_CREATE}
+ LC_ALL=C sort -m ${.ALLSRC} >${.TARGET}.tmp && \
+ ${MV} ${.TARGET}.tmp ${.TARGET}
+CLEANFILES+= ldap_r.actual.expsym ldap_r.actual.expsym.tmp
+
.include <bsd.lib.mk>
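Review bot: the rule target in `ldap.actual.expsym: ${EXPSYM_SRCS}` does not match `LIB_EXPSYM= ldap_r.actual.expsym` or the CLEANFILES entries, so nothing in this Makefile generates the file LIB_EXPSYM names; the target should be `ldap_r.actual.expsym`. It reads like the libldap block copied over with only two of the three names updated.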
diff --git a/external/bsd/openldap/lib/libldap_r/ldap_r.expsym b/external/bsd/openldap/lib/libldap_r/ldap_r.expsym
index 9f5539d510be..798c62d08d21 100644
--- a/external/bsd/openldap/lib/libldap_r/ldap_r.expsym
+++ b/external/bsd/openldap/lib/libldap_r/ldap_r.expsym
@@ -164,11 +164,6 @@ ldap_int_decode_b64_inplace
ldap_int_error_init
ldap_int_flush_request
ldap_int_global_options
-ldap_int_gssapi_close
-ldap_int_gssapi_config
-ldap_int_gssapi_get_option
-ldap_int_gssapi_mutex
-ldap_int_gssapi_set_option
ldap_int_hostname
ldap_int_hostname_mutex
ldap_int_inet4or6
diff --git a/external/bsd/openldap/lib/libldap_r/ldap_r.kerberos.expsym b/external/bsd/openldap/lib/libldap_r/ldap_r.kerberos.expsym
new file mode 100644
index 000000000000..0ef5137a79ce
--- /dev/null
+++ b/external/bsd/openldap/lib/libldap_r/ldap_r.kerberos.expsym
@@ -0,0 +1,5 @@
+ldap_int_gssapi_close
+ldap_int_gssapi_config
+ldap_int_gssapi_get_option
+ldap_int_gssapi_mutex
+ldap_int_gssapi_set_option
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58915 CVS commit: src/external/bsd/openldap/lib
Date: Sun, 14 Dec 2025 12:51:04 -0500
Module Name: src
Committed By: christos
Date: Sun Dec 14 17:51:04 UTC 2025
Modified Files:
src/external/bsd/openldap/lib/libldap: Makefile
src/external/bsd/openldap/lib/libldap_r: Makefile
Added Files:
src/external/bsd/openldap/lib/libldap: ldap.common.expsym
ldap.kerberos.expsym
src/external/bsd/openldap/lib/libldap_r: ldap_r.common.expsym
ldap_r.kerberos.expsym
Removed Files:
src/external/bsd/openldap/lib/libldap: ldap.expsym
src/external/bsd/openldap/lib/libldap_r: ldap_r.expsym
Log Message:
PR/58915: Greg A. Woods: Fix ldap libraries with MKKERBEROS=no
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/openldap/lib/libldap/Makefile
cvs rdiff -u -r0 -r1.1 \
src/external/bsd/openldap/lib/libldap/ldap.common.expsym \
src/external/bsd/openldap/lib/libldap/ldap.kerberos.expsym
cvs rdiff -u -r1.1 -r0 src/external/bsd/openldap/lib/libldap/ldap.expsym
cvs rdiff -u -r1.7 -r1.8 src/external/bsd/openldap/lib/libldap_r/Makefile
cvs rdiff -u -r0 -r1.1 \
src/external/bsd/openldap/lib/libldap_r/ldap_r.common.expsym \
src/external/bsd/openldap/lib/libldap_r/ldap_r.kerberos.expsym
cvs rdiff -u -r1.2 -r0 src/external/bsd/openldap/lib/libldap_r/ldap_r.expsym
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.