From 76092ac64f36f4ae6c2cb4dd553d48d3bb7b4f60 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 31 2016 11:52:17 +0000 Subject: import openldap-2.4.40-9.el7_2 --- diff --git a/SOURCES/openldap-temporary-ssl-thr-init-race.patch b/SOURCES/openldap-temporary-ssl-thr-init-race.patch new file mode 100644 index 0000000..9fd896b --- /dev/null +++ b/SOURCES/openldap-temporary-ssl-thr-init-race.patch @@ -0,0 +1,42 @@ +Temporary patch that fixes a thread initialization race condition when +using secure connection. + +This patch is *not* correct, as the problem only happens when using +NSS. Either the code in tls_m.c is broken, or the nspr library call +(PR_CallOnce) doesn't work as expected. + +Resolves: #1294385 +Backported-From: #1144294 + +--- a/libraries/libldap/tls2.c 2014-09-19 03:48:49.000000000 +0200 ++++ b/libraries/libldap/tls2.c 2015-05-21 09:32:21.034395985 +0200 +@@ -149,6 +149,9 @@ ldap_pvt_tls_destroy( void ) + tls_imp->ti_tls_destroy(); + } + ++#ifdef LDAP_R_COMPILE ++static pthread_once_t tlsm_initialized = PTHREAD_ONCE_INIT; ++#endif + /* + * Initialize a particular TLS implementation. + * Called once per implementation. +@@ -158,6 +161,10 @@ tls_init(tls_impl *impl ) + { + static int tls_initialized = 0; + ++#ifdef LDAP_R_COMPILE ++ (void)pthread_once(&tlsm_initialized, impl->ti_thr_init); ++#endif ++ + if ( !tls_initialized++ ) { + #ifdef LDAP_R_COMPILE + ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex ); +@@ -166,9 +173,6 @@ tls_init(tls_impl *impl ) + + if ( impl->ti_inited++ ) return 0; + +-#ifdef LDAP_R_COMPILE +- impl->ti_thr_init(); +-#endif + return impl->ti_tls_init(); + } diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec index d082ecb..fd4c622 100644 --- a/SPECS/openldap.spec +++ b/SPECS/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.40 -Release: 8%{?dist} +Release: 9%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP 
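Review bot: In the embedded tls2.c patch, only `ti_thr_init` is moved behind `pthread_once`; the `if ( !tls_initialized++ )` guard around `ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex )` and the `if ( impl->ti_inited++ ) return 0;` check remain plain, unsynchronized read-modify-writes. Unless callers outside these hunks serialize `tls_init()`, two threads entering it together can both see zero and initialize the mutex or call `ti_tls_init()` twice, which appears to be the same class of failure the changelog entry describes. The mutex initialization could move into the once routine as well, or the remaining window should at least be recorded with a comment such as `/* tls_initialized and ti_inited are not atomic; callers must serialize tls_init() */`. Separately, the single file-scope `tlsm_initialized` control means only the first `impl` passed in ever has its `ti_thr_init` run, although the comment above the function says it is called once per implementation. Part of the `tls_init` body lies between the inner hunks and is not visible here.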
@@ -61,6 +61,8 @@ Patch27: openldap-nss-ciphersuite-handle-masks-correctly.patch Patch28: openldap-nss-ciphers-use-nss-defaults.patch # CVE-2015-6908, ITS#8240 Patch29: openldap-ITS8240-remove-obsolete-assert.patch +# this is a temporary fix for #1294385, it should be solved properly, backported from #1144294 +Patch30: openldap-temporary-ssl-thr-init-race.patch # check-password module specific patches Patch90: check-password-makefile.patch @@ -190,6 +192,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch27 -p1 %patch28 -p1 %patch29 -p1 +%patch30 -p1 %patch102 -p1 @@ -633,6 +636,9 @@ exit 0 %{_mandir}/man3/* %changelog +* Mon Feb 22 2016 Matúš Honěk - 2.4.40-9 +- fix: nslcd segfaults due to incorrect mutex initialization (#1294385) + * Wed Sep 23 2015 Matúš Honěk - 2.4.40-8 - NSS does not support string ordering (#1231522) - implement and correct order of parsing attributes (#1231522)