FS#67913 - [libldap] Update to version 2.4.52-1 breaks sudo

Attached to Project: Arch Linux
Opened by john01dav (john01dav) - Wednesday, 16 September 2020, 19:12 GMT
Last edited by Antonio Rojas (arojas) - Friday, 18 September 2020, 18:35 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To freswa (frederik)
Architecture x86_64
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


I recently upgraded the following packages on my computer:
- jupyter-notebook-6.1.4-1-any.pkg.tar.zst
- nodejs-14.11.0-1-x86_64.pkg.tar.zst
- python-argon2_cffi-20.1.0-1-x86_64.pkg.tar.zst
- libldap-2.4.52-1-x86_64.pkg.tar.zst

When I did so, sudo broke. Specifically, sudo thinks that my password is always incorrect, even after resetting it via su and then passwd. su still accepts my correct password as it should. I did not try logging out, since I was concerned about not being able to get back in.

When I downgraded all packages to the September 14th date in the archive mirror, the issue solved itself — I didn't even need to restart. Many more packages than those listed above were downgraded, since this is September 16th and there is no September 15th entry on the mirror at the time of downgrade, but I am confident that one of the above packages caused the issue. It's almost certainly libldap, since the rest aren't related to authentication of the type that sudo engages in, although it should be noted that python-argon2_cffi does do password hashing of some sort.

I am marking this bug as critical for 2 reasons:
1) Sudo is a critical system tool, and it is broken
2) In order to have a functional system, I need to stop updates, which is a security risk
Feel free to change it if these reasons are insufficient.

I would also like to note that something similar happened on my laptop a week or two ago — after running the command "sudo pacman -Syu; sudo poweroff -f," the laptop's GDM and TTY rejected my correct password when I logged in the next morning, even after a chroot setup to run passwd and reset it. My laptop uses lmcrypt disk encryption, but my desktop does not.

Steps to reproduce:
1) Upgrade to latest package / packages as of september 16th 2020
2) Watch sudo break, as described above (at least, on my computer — this seems like the kind of thing that would have been caught before publish if it caused problems for everyone, but my setup is fairly standard so I'm not sure what I could be doing that causes this issue for me but not many others)
This task depends upon

Closed by  Antonio Rojas (arojas)
Friday, 18 September 2020, 18:35 GMT
Reason for closing:  Not a bug
Comment by Antonio Rojas (arojas) - Wednesday, 16 September 2020, 19:43 GMT
please downgrade libldap *only* to confirm that it really is the culprit.
Comment by john01dav (john01dav) - Friday, 18 September 2020, 18:33 GMT
I just updated to the latest version of all packages, as of September 18th 2020, and the issue seems to be no longer present due to one of the many packages that changed in the interim. As such, I'm requesting that this be closed, for now. If it comes back (for me or for anyone else), then it can obviously be re-opened.