Package: libpam-ldap
Version: 180-1.1
Severity: important
Tags: patch

The package fails to configure due to missing input sanitization in the postinst script. The error occurs if you enter a Base DN containing a hyphen during debconf. A similar bug has already been reported for the package libnss-ldap and has been fixed via an NMU (bug#377895). A patch which inserts libnss-ldap's input sanitization code into libpam-ldap's postinst script is attached.

Steps to reproduce:
1. Install libpam-ldap
2. Enter some Base DN containing a hyphen, e.g. ou=Phil-Fak,o=HHU,c=DE

dpkg reports:

Setting up libpam-ldap (180-1.1) ...
Search pattern not terminated at -e line 1.
dpkg: error processing libpam-ldap (--configure):
 subprocess post-installation script returned error exit status 255
Errors were encountered while processing:
 libpam-ldap
E: Sub-process /usr/bin/dpkg returned an error code (1)

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (800, 'stable'), (700, 'unstable')
Architecture: sparc (sparc64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.16-pf1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]  1.5.3         Debian configuration management sy
ii  libc6                  2.3.6.ds1-4   GNU C Library: Shared libraries
ii  libldap2               2.1.30-13+b1  OpenLDAP libraries
ii  libpam0g               0.79-3.2      Pluggable Authentication Modules l

libpam-ldap recommends no packages.

-- debconf information:
* shared/ldapns/base-dn: ou=Phil-Fak,o=HHU,c=de
* shared/ldapns/ldap-server: ldap://ldapserver/
* libpam-ldap/pam_password: exop
* libpam-ldap/binddn:
* libpam-ldap/rootbinddn:
* libpam-ldap/dbrootlogin: false
* libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false

diff -Nru libpam-ldap-180-orig/debian/libpam-ldap.postinst libpam-ldap-180/debian/libpam-ldap.postinst --- libpam-ldap-180-orig/debian/libpam-ldap.postinst 2006-09-17 12:06:33.000000000 +0200 +++ libpam-ldap-180/debian/libpam-ldap.postinst 2006-09-17 12:07:10.000000000 +0200 @@ -21,6 +21,15 @@ parameter=$1 value=$2 commented=0 ; notthere=0 + + # escape slash and backslash for later regex compat + # the order is important, first the backslashes + value=`echo $value | sed -s 's#\\\#\\\\\\\#g'` + # then the slashes + value=`echo $value | sed -s 's#/#\\\/#g'` + # escape hyphen in domainnames for later regex compat (ex. example-city.net) + value=`echo $value | sed -s 's#-#\\\-#g'` + egrep -i -q "^$parameter " $CONFFILE || notthere=1 if [ "$notthere" = "1" ]; then if ( egrep -i -q "^# *$parameter" $CONFFILE ); then
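
Review bot: all three added substitutions read the value through an unquoted `echo $value`, so the shell word-splits and glob-expands the Base DN before sed sees it; a DN containing consecutive spaces or a `*` would be altered silently, and echo's handling of backslashes differs between shells. Use `printf '%s\n' "$value" | sed ...` in each of the three lines. The `-s` option is a GNU sed extension that only matters for multiple input files and has no effect on a pipe, so it can be dropped. Escaping only backslash, slash and hyphen is a denylist: any other character that is special in the later expression still passes through unescaped, so it would be more robust to hand the value to that expression as data (for example through an environment variable) than to escape it character by character. The comments should also name the expression that consumes the escaped value, since "later regex compat" does not tell the next maintainer which delimiter and metacharacters matter. In the unchanged context, `egrep -i -q "^$parameter " $CONFFILE` leaves `$CONFFILE` unquoted as well.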