commit abad4c4c8c8212319c667eb4825d0c063e8e5d9f Author: Danny Rawlins <monster.romster@gmail.com> Date: Wed May 27 22:07:01 2020 +1000 [notify] cyrus-sasl: fix source security fix CVE-2019-19906 diff --git a/cyrus-sasl/.signature b/cyrus-sasl/.signature index 2e65f592e..69f5d6656 100644 --- a/cyrus-sasl/.signature +++ b/cyrus-sasl/.signature @@ -1,6 +1,7 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/Qlm/syxT8yAkV0NPeVWH/0PFZQPdT7AaFcugj5He7WIqe48UokpwBIEJtcxHNCDGIf9PcrQVT5qjrhkyapNqQg= -SHA256 (Pkgfile) = cef4a501f59ccd97778a607a83e2220b5ca7ba758ff3d8aeb1923b046bf3f970 +RWSE3ohX2g5d/Vhbibws7KK6930LuQcksptQS49VKZPhYVeF/L45qmLvv/AzMOJOD334q0O14XwZRlo0fg4GAHiPo20KZ1WQjwA= +SHA256 (Pkgfile) = f559af8ea4758a3a9f70c33dc34f92b2f197ceb5e9b92f473c9a921acfe7d6c0 SHA256 (.footprint) = e4e77c95f7485a0b84ae04ce6db392db6aa362e706da3a52ca28f95b97ca6abd SHA256 (cyrus-sasl-2.1.27.tar.gz) = 26866b1549b00ffd020f188a43c258017fa1c382b3ddadd8201536f72efb05d5 SHA256 (saslauthd) = 2a96dca868261d5275087ed8e1eef59946f47c6d35797368710c3037f46e61bd +SHA256 (cyrus-sasl-2.1.27-CVE-2019-19906.patch) = 7744ae3fd2a9f62a7fa7ba58604dc78d982cfe8f9b740a94dcfd9672ce00bfa8 diff --git a/cyrus-sasl/Pkgfile b/cyrus-sasl/Pkgfile index 7999cdae8..b2d9a8586 100644 --- a/cyrus-sasl/Pkgfile +++ b/cyrus-sasl/Pkgfile @@ -1,16 +1,20 @@ # Description: Simple Authentication and Security Layer # URL: https://www.cyrusimap.org/sasl/ # Maintainer: Thomas Penteker, tek at serverop dot de -# Depends on: db openssl +# Depends on: db openssl linux-pam name=cyrus-sasl version=2.1.27 -release=1 -source=(https://www.cyrusimap.org/releases/$name-$version.tar.gz saslauthd) +release=2 +source=(https://github.com/cyrusimap/$name/releases/download/$name-$version/$name-$v... + saslauthd + cyrus-sasl-2.1.27-CVE-2019-19906.patch) -build(){ +build() { cd $name-$version + patch -p1 -i $SRC/cyrus-sasl-2.1.27-CVE-2019-19906.patch + ./configure \ --prefix=/usr \ --sysconfdir=/etc/sasl \ @@ -26,13 +30,12 @@ build(){ --enable-digest \ --enable-shared - make + make CFLAGS="$CFLAGS -fPIC" make DESTDIR=$PKG install - mkdir -p \ + install -d \ $PKG/usr/lib/sasl2 \ $PKG/var/sasl/saslauthd \ - $PKG/etc/rc.d - install -m 755 $SRC/saslauthd $PKG/etc/rc.d + install -Dm 755 $SRC/saslauthd $PKG/etc/rc.d/saslauthd } diff --git a/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch b/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch new file mode 100644 index 000000000..82b9e1fb6 --- /dev/null +++ b/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch @@ -0,0 +1,20 @@ +Description: CVE-2019-19906: Off-by-one in _sasl_add_string function +Origin: vendor +Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587 +Bug-Debian: https://bugs.debian.org/947043 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906 +Author: Stephan Zeisberg <stephan@srlabs.de> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2019-12-19 + +--- a/lib/common.c ++++ b/lib/common.c +@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t + + if (add==NULL) add = "(null)"; + +- addlen=strlen(add); /* only compute once */ ++ addlen=strlen(add)+1; /* only compute once */ + if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) + return SASL_NOMEM; +