Package: libnss-db
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: flesu...@alwaysdata.com

Dear Maintainer,

libnss-db uses a "stayopen" parameter in db-XXX.c which does not seem to be used anymore by glibc (and is always 0, in our tests). This parameter is used to decide if the databases should be kept open during iterations. For instance, during a "getent passwd", the current libnss-db opens and closes the passwd.db file for each line in passwd, which is quite slow.

We believe usage of this parameter has been removed in glibc:

- For instance, glibc/nss/nss_files/files-XXX.c simply ignores it since 2016 in `CONCAT(_nss_files_set,ENTNAME) (int stayopen)`;
- nss-pam-ldap does the same in nss/passwd.c with `nss_status_t NSS_NAME(setpwent)(int UNUSED(stayopen))`.

History seems to be linked to the mitigation of CVE-2014-8121.

The attached patch ignores the stayopen parameter and forces the DB file to be kept open.

Kind regards,
François Lesueur -- alwaysdata

--- libnss-db-2.2.3pre1-orig/src/db-XXX.c 2025-03-10 14:15:07.000000000 +0100 +++ libnss-db-2.2.3pre1/src/db-XXX.c 2025-03-10 14:23:59.457342846 +0100 @@ -72,9 +72,9 @@ status = internal_setent (DBFILE, &db, &dbenv); - /* Remember STAYOPEN flag. */ + /* Ignore STAYOPEN flag. */ if (db != NULL) - keep_db |= stayopen; + keep_db = 1; /* Reset the sequential index. */ entidx = 0;

-- System Information:
Architecture: amd64 (x86_64)

Versions of packages libnss-db depends on:
ii libc6 2.36-9+deb12u10
ii libdb5.3 5.3.28+dfsg2-1
ii libselinux1 3.4-1+b6

libnss-db recommends no packages.

libnss-db suggests no packages.
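
Review bot: In the `if (db != NULL)` branch, `keep_db = 1;` leaves the `stayopen` argument unread, so the function now carries a dead parameter; annotate it as unused in the way the nss-pam-ldap example quoted in the report does, or extend the `/* Ignore STAYOPEN flag. */` comment to say why it is deliberately ignored. Because `keep_db` is now set on every successful `internal_setent` call, the change should also say where the handle is closed again (the endent path is not visible in this hunk) and whether keyed lookups made between setent and endent can use the persistent handle without disturbing `entidx`, given the CVE-2014-8121 history the report mentions.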