authorThomas Penteker <tek@serverop.de>2014-07-16 13:32:37 +0200
committerThomas Penteker <tek@serverop.de>2014-07-16 13:32:57 +0200
commit17116eab12a95b9806d491e254685e6ee1a5ae49 (patch)
tree264b468bcbafc1ae283fad90d2186ed6200ba979 /cyrus-sasl
parent36402e02a73e706bd39ef94ba8a7efe90c75178a (diff)
downloadopt-17116eab12a95b9806d491e254685e6ee1a5ae49.tar.gz
opt-17116eab12a95b9806d491e254685e6ee1a5ae49.tar.xz
[notify] cyrus-sasl: 2.1.25 -> 2.1.26
Fixes CVE-2013-4122, a DoS vulnerability. Details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122
Diffstat (limited to 'cyrus-sasl')
-rw-r--r--cyrus-sasl/.footprint64
-rw-r--r--cyrus-sasl/.md5sum4
-rw-r--r--cyrus-sasl/0027_db5_support.patch24
-rw-r--r--cyrus-sasl/Pkgfile65
-rw-r--r--cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch20
-rw-r--r--cyrus-sasl/fix-CVE-2013-4122.diff92
6 files changed, 165 insertions, 104 deletions
diff --git a/cyrus-sasl/.footprint b/cyrus-sasl/.footprint
index 5315d574f..50f23b5e6 100644
--- a/cyrus-sasl/.footprint
+++ b/cyrus-sasl/.footprint
@@ -13,42 +13,52 @@ drwxr-xr-x root/root usr/include/sasl/
-rw-r--r-- root/root usr/include/sasl/saslutil.h
drwxr-xr-x root/root usr/lib/
-rwxr-xr-x root/root usr/lib/libsasl2.la
-lrwxrwxrwx root/root usr/lib/libsasl2.so -> libsasl2.so.2.0.25
-lrwxrwxrwx root/root usr/lib/libsasl2.so.2 -> libsasl2.so.2.0.25
--rwxr-xr-x root/root usr/lib/libsasl2.so.2.0.25
+lrwxrwxrwx root/root usr/lib/libsasl2.so -> libsasl2.so.3.0.0
+lrwxrwxrwx root/root usr/lib/libsasl2.so.3 -> libsasl2.so.3.0.0
+-rwxr-xr-x root/root usr/lib/libsasl2.so.3.0.0
+drwxr-xr-x root/root usr/lib/pkgconfig/
+-rw-r--r-- root/root usr/lib/pkgconfig/libsasl2.pc
drwxr-xr-x root/root usr/lib/sasl2/
-rwxr-xr-x root/root usr/lib/sasl2/libanonymous.la
-lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so -> libanonymous.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so.2 -> libanonymous.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libanonymous.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so -> libanonymous.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so.3 -> libanonymous.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libanonymous.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/libcrammd5.la
-lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so -> libcrammd5.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so.2 -> libcrammd5.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libcrammd5.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so -> libcrammd5.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so.3 -> libcrammd5.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libcrammd5.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/libdigestmd5.la
-lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so -> libdigestmd5.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so.2 -> libdigestmd5.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libdigestmd5.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so -> libdigestmd5.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so.3 -> libdigestmd5.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libdigestmd5.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libgs2.la
+lrwxrwxrwx root/root usr/lib/sasl2/libgs2.so -> libgs2.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libgs2.so.3 -> libgs2.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libgs2.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libgssapiv2.la
+lrwxrwxrwx root/root usr/lib/sasl2/libgssapiv2.so -> libgssapiv2.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libgssapiv2.so.3 -> libgssapiv2.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libgssapiv2.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/liblogin.la
-lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so -> liblogin.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so.2 -> liblogin.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/liblogin.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so -> liblogin.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so.3 -> liblogin.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/liblogin.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/libotp.la
-lrwxrwxrwx root/root usr/lib/sasl2/libotp.so -> libotp.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libotp.so.2 -> libotp.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libotp.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libotp.so -> libotp.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libotp.so.3 -> libotp.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libotp.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/libplain.la
-lrwxrwxrwx root/root usr/lib/sasl2/libplain.so -> libplain.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libplain.so.2 -> libplain.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libplain.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libplain.so -> libplain.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libplain.so.3 -> libplain.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libplain.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/libsasldb.la
-lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so -> libsasldb.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so.2 -> libsasldb.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libsasldb.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so -> libsasldb.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so.3 -> libsasldb.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libsasldb.so.3.0.0
-rwxr-xr-x root/root usr/lib/sasl2/libscram.la
-lrwxrwxrwx root/root usr/lib/sasl2/libscram.so -> libscram.so.2.0.25
-lrwxrwxrwx root/root usr/lib/sasl2/libscram.so.2 -> libscram.so.2.0.25
--rwxr-xr-x root/root usr/lib/sasl2/libscram.so.2.0.25
+lrwxrwxrwx root/root usr/lib/sasl2/libscram.so -> libscram.so.3.0.0
+lrwxrwxrwx root/root usr/lib/sasl2/libscram.so.3 -> libscram.so.3.0.0
+-rwxr-xr-x root/root usr/lib/sasl2/libscram.so.3.0.0
drwxr-xr-x root/root usr/man/
drwxr-xr-x root/root usr/man/man3/
-rw-r--r-- root/root usr/man/man3/sasl.3.gz
diff --git a/cyrus-sasl/.md5sum b/cyrus-sasl/.md5sum
index 05a4fe63c..b47fd7fbf 100644
--- a/cyrus-sasl/.md5sum
+++ b/cyrus-sasl/.md5sum
@@ -1,3 +1,3 @@
-d86a5aa2e3b5b7c1bad6f8b548b7ea36 0027_db5_support.patch
-341cffe829a4d71f2a6503d669d5a946 cyrus-sasl-2.1.25.tar.gz
+a7f4e5e559a0e37b3ffc438c9456e425 cyrus-sasl-2.1.26.tar.gz
+40a689b74932a7aeb2362ceb887e92d4 fix-CVE-2013-4122.diff
ec81c1d452216c3da110d7b9a6f8fa8f saslauthd
diff --git a/cyrus-sasl/0027_db5_support.patch b/cyrus-sasl/0027_db5_support.patch
deleted file mode 100644
index 522824074..000000000
--- a/cyrus-sasl/0027_db5_support.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Author: Ondřej Surý <ondrej@debian.org>
-Description: Support newer Berkeley DB versions
---- a/sasldb/db_berkeley.c
-+++ b/sasldb/db_berkeley.c
-@@ -101,7 +101,7 @@ static int berkeleydb_open(const sasl_ut
- ret = db_create(mbdb, NULL, 0);
- if (ret == 0 && *mbdb != NULL)
- {
--#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
-+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
- ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, flags, 0660);
- #else
- ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, flags, 0660);
---- a/utils/dbconverter-2.c
-+++ b/utils/dbconverter-2.c
-@@ -214,7 +214,7 @@ static int berkeleydb_open(const char *p
- ret = db_create(mbdb, NULL, 0);
- if (ret == 0 && *mbdb != NULL)
- {
--#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
-+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
- ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
- #else
- ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);
diff --git a/cyrus-sasl/Pkgfile b/cyrus-sasl/Pkgfile
index 9e49cc27c..c3ed1f42a 100644
--- a/cyrus-sasl/Pkgfile
+++ b/cyrus-sasl/Pkgfile
@@ -1,41 +1,44 @@
# Description: Simple Authentication and Security Layer
-# URL: http://asg.web.cmu.edu/sasl/sasl-library.html
+# URL: https://cyrusimap.org/
# Maintainer: Thomas Penteker, tek at serverop dot de
# Packager: Daniel Mueller, daniel at danm dot de
# Depends on: db openssl
name=cyrus-sasl
-version=2.1.25
+version=2.1.26
release=1
-source=(ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/$name-$version.tar.gz saslauthd 0027_db5_support.patch)
+source=(ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-$version.tar.gz
+ saslauthd fix-CVE-2013-4122.diff)
build(){
- cd $name-$version
- patch -p1 -i $SRC/0027_db5_support.patch
-
- ./configure \
- --prefix=/usr \
- --sysconfdir=/etc/sasl \
- --with-plugindir=/usr/lib/sasl2 \
- --with-saslauthd=/var/sasl/saslauthd \
- --with-dbpath=/etc/sasl/sasldb2 \
- --with-dblib=berkeley \
- --with-bdb-incdir=/usr/include \
- --with-bdb-libdir=/usr/lib \
- --with-openssl=/usr \
- --enable-login \
- --enable-cram \
- --enable-digest \
- --enable-shared \
- --mandir=/usr/man
-
- make -j1
- make DESTDIR=$PKG install
-
- mkdir -p \
- $PKG/usr/lib/sasl2 \
- $PKG/var/sasl/saslauthd \
- $PKG/etc/rc.d
-
- install -m 755 $SRC/saslauthd $PKG/etc/rc.d
+
+ cd $name-$version
+
+ patch -i ../fix-CVE-2013-4122.diff -p1
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/sasl \
+ --with-plugindir=/usr/lib/sasl2 \
+ --with-saslauthd=/var/sasl/saslauthd \
+ --with-dbpath=/etc/sasl/sasldb2 \
+ --with-dblib=berkeley \
+ --with-bdb-incdir=/usr/include \
+ --with-bdb-libdir=/usr/lib \
+ --with-openssl=/usr \
+ --enable-login \
+ --enable-cram \
+ --enable-digest \
+ --enable-shared \
+ --mandir=/usr/man
+
+ make -j1
+ make DESTDIR=$PKG install
+
+ mkdir -p \
+ $PKG/usr/lib/sasl2 \
+ $PKG/var/sasl/saslauthd \
+ $PKG/etc/rc.d
+
+ install -m 755 $SRC/saslauthd $PKG/etc/rc.d
}
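Review bot: `patch -i ../fix-CVE-2013-4122.diff -p1` on the new line 198 locates the patch relative to the current directory, while the install step a few lines later still uses `$SRC/saslauthd` and the line it replaces used `$SRC/0027_db5_support.patch`; for consistency and independence from cwd, use `patch -p1 -i $SRC/fix-CVE-2013-4122.diff`. The whole body of build() was also re-indented in the same change, so every line shows as modified and the two substantive differences (dropping the db5 patch, adding the CVE patch) are hard to pick out; keeping the original indentation would make the diff reviewable. Since the tarball is fetched over plain ftp and .md5sum is the only integrity check on it, recording a stronger digest of the upstream archive (or verifying the upstream signature) would be worth considering in a follow-up, though that is beyond this commit.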
diff --git a/cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch b/cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch
deleted file mode 100644
index 79ee408a9..000000000
--- a/cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- plugins/digestmd5.c~ 2008-11-08 18:28:21.000000000 +0000
-+++ plugins/digestmd5.c 2008-11-08 18:28:50.000000000 +0000
-@@ -2715,7 +2715,7 @@
- "DIGEST-MD5", /* mech_name */
- #ifdef WITH_RC4
- 128, /* max_ssf */
--#elif WITH_DES
-+#elif defined(WITH_DES)
- 112,
- #else
- 1,
-@@ -4034,7 +4034,7 @@
- "DIGEST-MD5",
- #ifdef WITH_RC4 /* mech_name */
- 128, /* max ssf */
--#elif WITH_DES
-+#elif defined(WITH_DES)
- 112,
- #else
- 1,
diff --git a/cyrus-sasl/fix-CVE-2013-4122.diff b/cyrus-sasl/fix-CVE-2013-4122.diff
new file mode 100644
index 000000000..87512964f
--- /dev/null
+++ b/cyrus-sasl/fix-CVE-2013-4122.diff
@@ -0,0 +1,92 @@
+diff -r -u cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getpwnam.c cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
+--- cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getpwnam.c 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c 2014-07-16 13:14:09.989720984 +0200
+@@ -32,6 +32,7 @@
+ char *password;
+ {
+ char* r;
++ char* crpt_passwd;
+ struct passwd *pwd;
+
+ pwd = getpwnam(userid);
+@@ -41,7 +42,7 @@
+ else if (pwd->pw_passwd[0] == '*') {
+ r = "Account disabled";
+ }
+- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
++ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
+ r = "Incorrect password";
+ }
+ else {
+diff -r -u cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getspnam.c cyrus-sasl-2.1.26/pwcheck/pwcheck_getspnam.c
+--- cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getspnam.c 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getspnam.c 2014-07-16 13:22:36.257720924 +0200
+@@ -32,13 +32,14 @@
+ char *password;
+ {
+ struct spwd *pwd;
++ char *crpt_passwd;
+
+ pwd = getspnam(userid);
+ if (!pwd) {
+ return "Userid not found";
+ }
+
+- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
++ if (!(crpt_passwd = crypt(password, pwd->sp_pwdp)) || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
+ return "Incorrect password";
+ }
+ else {
+diff -r -u cyrus-sasl-2.1.26-orig/saslauthd/auth_getpwent.c cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
+--- cyrus-sasl-2.1.26-orig/saslauthd/auth_getpwent.c 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c 2014-07-16 13:16:29.569720968 +0200
+@@ -77,6 +77,7 @@
+ {
+ /* VARIABLES */
+ struct passwd *pw; /* pointer to passwd file entry */
++ char *crpt_passwd; /* encrypted password */
+ int errnum;
+ /* END VARIABLES */
+
+@@ -105,7 +106,7 @@
+ }
+ }
+
+- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
++ if (!(crpt_passwd = crypt(password, pw->pw_passwd)) || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
+ }
+diff -r -u cyrus-sasl-2.1.26-orig/saslauthd/auth_shadow.c cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
+--- cyrus-sasl-2.1.26-orig/saslauthd/auth_shadow.c 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2014-07-16 13:18:20.208720954 +0200
+@@ -210,8 +210,7 @@
+ RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
+ }
+
+- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
+- if (strcmp(sp->sp_pwdp, cpw)) {
++ if (!(cpw = crypt(password, sp->sp_pwdp)) || strcmp(sp->sp_pwdp, (const char *)cpw)) {
+ if (flags & VERBOSE) {
+ /*
+ * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
+@@ -221,10 +220,8 @@
+ syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
+ sp->sp_pwdp, cpw);
+ }
+- free(cpw);
+ RETURN("NO Incorrect password");
+ }
+- free(cpw);
+
+ /*
+ * The following fields will be set to -1 if:
+@@ -286,7 +283,7 @@
+ RETURN("NO Invalid username");
+ }
+
+- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
++ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
+ password, upw->upw_passwd);
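Review bot: The new patch file carries no header saying where it came from — the commit message cites CVE-2013-4122, but the diff itself names neither the upstream commit nor the distribution it was taken from, so a later maintainer cannot tell whether it matches the fix that landed in a subsequent release; a preamble such as `Fix for CVE-2013-4122: check crypt() for NULL before strcmp (origin: <upstream commit or URL placeholder>)` above the first `diff -r -u` line would make that traceable and is ignored by patch. In auth_shadow.c the strdup is dropped, so `cpw` now aliases crypt()'s static buffer; that appears safe as long as no other crypt() call intervenes before the syslog at old lines 221-222, which the hunk gap between lines 217 and 221 does not let me confirm — a one-line comment in the patch would help. The `(const char *)` casts added on `crpt_passwd`/`cpw` are redundant since `char *` converts implicitly, though harmless. The context at the end of the last hunk shows the VERBOSE branch passing the cleartext `password` to syslog; that is pre-existing upstream behaviour and not changed here, but since this patch already touches that comparison it would be a good moment to drop the password argument from that debug message.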
