ports/opt (3.0): [notify] cyrus-sasl: 2.1.25 -> 2.1.26
commit 17116eab12a95b9806d491e254685e6ee1a5ae49 Author: Thomas Penteker <tek@serverop.de> Date: Wed Jul 16 13:32:37 2014 +0200 [notify] cyrus-sasl: 2.1.25 -> 2.1.26 Fixes CVE-2013-4122, a DoS vulnerability. Details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122 diff --git a/cyrus-sasl/.footprint b/cyrus-sasl/.footprint index 5315d57..50f23b5 100644 --- a/cyrus-sasl/.footprint +++ b/cyrus-sasl/.footprint 
@@ -13,42 +13,52 @@ drwxr-xr-x root/root usr/include/sasl/ -rw-r--r-- root/root usr/include/sasl/saslutil.h drwxr-xr-x root/root usr/lib/ -rwxr-xr-x root/root usr/lib/libsasl2.la -lrwxrwxrwx root/root usr/lib/libsasl2.so -> libsasl2.so.2.0.25 -lrwxrwxrwx root/root usr/lib/libsasl2.so.2 -> libsasl2.so.2.0.25 --rwxr-xr-x root/root usr/lib/libsasl2.so.2.0.25 +lrwxrwxrwx root/root usr/lib/libsasl2.so -> libsasl2.so.3.0.0 +lrwxrwxrwx root/root usr/lib/libsasl2.so.3 -> libsasl2.so.3.0.0 +-rwxr-xr-x root/root usr/lib/libsasl2.so.3.0.0 +drwxr-xr-x root/root usr/lib/pkgconfig/ +-rw-r--r-- root/root usr/lib/pkgconfig/libsasl2.pc drwxr-xr-x root/root usr/lib/sasl2/ -rwxr-xr-x root/root usr/lib/sasl2/libanonymous.la -lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so -> libanonymous.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so.2 -> libanonymous.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libanonymous.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so -> libanonymous.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libanonymous.so.3 -> libanonymous.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libanonymous.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/libcrammd5.la -lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so -> libcrammd5.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so.2 -> libcrammd5.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libcrammd5.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so -> libcrammd5.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libcrammd5.so.3 -> libcrammd5.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libcrammd5.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/libdigestmd5.la -lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so -> libdigestmd5.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so.2 -> libdigestmd5.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libdigestmd5.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libdigestmd5.so -> libdigestmd5.so.3.0.0 +lrwxrwxrwx root/root 
usr/lib/sasl2/libdigestmd5.so.3 -> libdigestmd5.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libdigestmd5.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libgs2.la +lrwxrwxrwx root/root usr/lib/sasl2/libgs2.so -> libgs2.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libgs2.so.3 -> libgs2.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libgs2.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libgssapiv2.la +lrwxrwxrwx root/root usr/lib/sasl2/libgssapiv2.so -> libgssapiv2.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libgssapiv2.so.3 -> libgssapiv2.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libgssapiv2.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/liblogin.la -lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so -> liblogin.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so.2 -> liblogin.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/liblogin.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so -> liblogin.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/liblogin.so.3 -> liblogin.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/liblogin.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/libotp.la -lrwxrwxrwx root/root usr/lib/sasl2/libotp.so -> libotp.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libotp.so.2 -> libotp.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libotp.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libotp.so -> libotp.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libotp.so.3 -> libotp.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libotp.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/libplain.la -lrwxrwxrwx root/root usr/lib/sasl2/libplain.so -> libplain.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libplain.so.2 -> libplain.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libplain.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libplain.so -> libplain.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libplain.so.3 -> libplain.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libplain.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/libsasldb.la -lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so -> 
libsasldb.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so.2 -> libsasldb.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libsasldb.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so -> libsasldb.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libsasldb.so.3 -> libsasldb.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libsasldb.so.3.0.0 -rwxr-xr-x root/root usr/lib/sasl2/libscram.la -lrwxrwxrwx root/root usr/lib/sasl2/libscram.so -> libscram.so.2.0.25 -lrwxrwxrwx root/root usr/lib/sasl2/libscram.so.2 -> libscram.so.2.0.25 --rwxr-xr-x root/root usr/lib/sasl2/libscram.so.2.0.25 +lrwxrwxrwx root/root usr/lib/sasl2/libscram.so -> libscram.so.3.0.0 +lrwxrwxrwx root/root usr/lib/sasl2/libscram.so.3 -> libscram.so.3.0.0 +-rwxr-xr-x root/root usr/lib/sasl2/libscram.so.3.0.0 drwxr-xr-x root/root usr/man/ drwxr-xr-x root/root usr/man/man3/ -rw-r--r-- root/root usr/man/man3/sasl.3.gz diff --git a/cyrus-sasl/.md5sum b/cyrus-sasl/.md5sum index 05a4fe6..b47fd7f 100644 --- a/cyrus-sasl/.md5sum +++ b/cyrus-sasl/.md5sum @@ -1,3 +1,3 @@ -d86a5aa2e3b5b7c1bad6f8b548b7ea36 0027_db5_support.patch -341cffe829a4d71f2a6503d669d5a946 cyrus-sasl-2.1.25.tar.gz +a7f4e5e559a0e37b3ffc438c9456e425 cyrus-sasl-2.1.26.tar.gz +40a689b74932a7aeb2362ceb887e92d4 fix-CVE-2013-4122.diff ec81c1d452216c3da110d7b9a6f8fa8f saslauthd diff --git a/cyrus-sasl/0027_db5_support.patch b/cyrus-sasl/0027_db5_support.patch deleted file mode 100644 index 5228240..0000000 --- a/cyrus-sasl/0027_db5_support.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-Author: Ondřej Surý <ondrej@debian.org>
-Description: Support newer Berkeley DB versions
---- a/sasldb/db_berkeley.c
-+++ b/sasldb/db_berkeley.c
-@@ -101,7 +101,7 @@ static int berkeleydb_open(const sasl_ut
- ret = db_create(mbdb, NULL, 0);
- if (ret == 0 && *mbdb != NULL)
- {
--#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
-+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
- ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, flags, 0660);
- #else
- ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, flags, 0660);
---- a/utils/dbconverter-2.c
-+++ b/utils/dbconverter-2.c
-@@ -214,7 +214,7 @@ static int berkeleydb_open(const char *p
- ret = db_create(mbdb, NULL, 0);
- if (ret == 0 && *mbdb != NULL)
- {
--#if DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1
-+#if (DB_VERSION_MAJOR > 4) || ((DB_VERSION_MAJOR == 4) && (DB_VERSION_MINOR >= 1))
- ret = (*mbdb)->open(*mbdb, NULL, path, NULL, DB_HASH, DB_CREATE, 0664);
- #else
- ret = (*mbdb)->open(*mbdb, path, NULL, DB_HASH, DB_CREATE, 0664);
diff --git a/cyrus-sasl/Pkgfile b/cyrus-sasl/Pkgfile
index 9e49cc2..c3ed1f4 100644
--- a/cyrus-sasl/Pkgfile
+++ b/cyrus-sasl/Pkgfile
@@ -1,41 +1,44 @@
# Description: Simple Authentication and Security Layer
-# URL: http://asg.web.cmu.edu/sasl/sasl-library.html
+# URL: https://cyrusimap.org/
# Maintainer: Thomas Penteker, tek at serverop dot de
# Packager: Daniel Mueller, daniel at danm dot de
# Depends on: db openssl

name=cyrus-sasl
-version=2.1.25
+version=2.1.26
release=1
-source=(ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/$name-$version.tar.gz saslauthd 0027_db5_support.patch)
+source=(ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-$version.tar.gz
+ saslauthd fix-CVE-2013-4122.diff)

build(){
- cd $name-$version
- patch -p1 -i $SRC/0027_db5_support.patch
-
- ./configure \
- --prefix=/usr \
- --sysconfdir=/etc/sasl \
- --with-plugindir=/usr/lib/sasl2 \
- --with-saslauthd=/var/sasl/saslauthd \
- --with-dbpath=/etc/sasl/sasldb2 \
- --with-dblib=berkeley \
- --with-bdb-incdir=/usr/include \
- --with-bdb-libdir=/usr/lib \
- --with-openssl=/usr \
- --enable-login \
- --enable-cram \
- --enable-digest \
- --enable-shared \
- --mandir=/usr/man
-
- make -j1
- make DESTDIR=$PKG install
-
- mkdir -p \
- $PKG/usr/lib/sasl2 \
- $PKG/var/sasl/saslauthd \
- $PKG/etc/rc.d
-
- install -m 755 $SRC/saslauthd $PKG/etc/rc.d
+
+ cd $name-$version
+
+ patch -i ../fix-CVE-2013-4122.diff -p1
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/sasl \
+ --with-plugindir=/usr/lib/sasl2 \
+ --with-saslauthd=/var/sasl/saslauthd \
+ --with-dbpath=/etc/sasl/sasldb2 \
+ --with-dblib=berkeley \
+ --with-bdb-incdir=/usr/include \
+ --with-bdb-libdir=/usr/lib \
+ --with-openssl=/usr \
+ --enable-login \
+ --enable-cram \
+ --enable-digest \
+ --enable-shared \
+ --mandir=/usr/man
+
+ make -j1
+ make DESTDIR=$PKG install
+
+ mkdir -p \
+ $PKG/usr/lib/sasl2 \
+ $PKG/var/sasl/saslauthd \
+ $PKG/etc/rc.d
+
+ install -m 755 $SRC/saslauthd $PKG/etc/rc.d
}
diff --git a/cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch b/cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch
deleted file mode 100644
index 79ee408..0000000
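Review bot: The new `patch -i ../fix-CVE-2013-4122.diff -p1` in build() reaches the patch through a relative path, while the `install -m 755 $SRC/saslauthd` line below it and the removed `patch -p1 -i $SRC/0027_db5_support.patch` both use `$SRC`; `patch -p1 -i $SRC/fix-CVE-2013-4122.diff` keeps the port's convention and does not silently depend on the preceding `cd`. A one-line comment above it would tell the next maintainer when the local diff can go, e.g. `# CVE-2013-4122: crypt() may return NULL; local backport, drop once a release carries the fix`. The tarball is still fetched over plain ftp://, so the .md5sum entry is the only transport-integrity check; since the header URL already moved to https, prefer an https:// source URL if the mirror offers one. Reindenting the whole build() body in the same hunk mixes a whitespace-only change with the functional one and hides the two lines that actually changed.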
--- a/cyrus-sasl/cyrus-sasl-2.1.23-gcc44.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- plugins/digestmd5.c~ 2008-11-08 18:28:21.000000000 +0000
-+++ plugins/digestmd5.c 2008-11-08 18:28:50.000000000 +0000
-@@ -2715,7 +2715,7 @@
- "DIGEST-MD5", /* mech_name */
- #ifdef WITH_RC4
- 128, /* max_ssf */
--#elif WITH_DES
-+#elif defined(WITH_DES)
- 112,
- #else
- 1,
-@@ -4034,7 +4034,7 @@
- "DIGEST-MD5",
- #ifdef WITH_RC4 /* mech_name */
- 128, /* max ssf */
--#elif WITH_DES
-+#elif defined(WITH_DES)
- 112,
- #else
- 1,
diff --git a/cyrus-sasl/fix-CVE-2013-4122.diff b/cyrus-sasl/fix-CVE-2013-4122.diff
new file mode 100644
index 0000000..8751296
--- /dev/null
+++ b/cyrus-sasl/fix-CVE-2013-4122.diff
@@ -0,0 +1,92 @@
+diff -r -u cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getpwnam.c cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
+--- cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getpwnam.c 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c 2014-07-16 13:14:09.989720984 +0200
+@@ -32,6 +32,7 @@
+ char *password;
+ {
+ char* r;
++ char* crpt_passwd;
+ struct passwd *pwd;
+ 
+ pwd = getpwnam(userid);
+@@ -41,7 +42,7 @@
+ else if (pwd->pw_passwd[0] == '*') {
+ r = "Account disabled";
+ }
+- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
++ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
+ r = "Incorrect password";
+ }
+ else {
+diff -r -u cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getspnam.c cyrus-sasl-2.1.26/pwcheck/pwcheck_getspnam.c
+--- cyrus-sasl-2.1.26-orig/pwcheck/pwcheck_getspnam.c 2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getspnam.c 2014-07-16 13:22:36.257720924 +0200
+@@ -32,13 +32,14 @@
+ char *password;
+ {
+ struct spwd *pwd;
++ char *crpt_passwd;
+ 
+ pwd = getspnam(userid);
+ if (!pwd) {
+ return "Userid not found";
+ }
+ 
+- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
++ if (!(crpt_passwd = crypt(password, pwd->sp_pwdp)) || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
+ return "Incorrect password";
+ }
+ else {
+diff -r -u cyrus-sasl-2.1.26-orig/saslauthd/auth_getpwent.c cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
+--- cyrus-sasl-2.1.26-orig/saslauthd/auth_getpwent.c 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c 2014-07-16 13:16:29.569720968 +0200
+@@ -77,6 +77,7 @@
+ {
+ /* VARIABLES */
+ struct passwd *pw; /* pointer to passwd file entry */
++ char *crpt_passwd; /* encrypted password */
+ int errnum;
+ /* END VARIABLES */
+ 
+@@ -105,7 +106,7 @@
+ }
+ }
+ 
+- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
++ if (!(crpt_passwd = crypt(password, pw->pw_passwd)) || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
+ }
+diff -r -u cyrus-sasl-2.1.26-orig/saslauthd/auth_shadow.c cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
+--- cyrus-sasl-2.1.26-orig/saslauthd/auth_shadow.c 2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c 2014-07-16 13:18:20.208720954 +0200
+@@ -210,8 +210,7 @@
+ RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
+ }
+ 
+- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
+- if (strcmp(sp->sp_pwdp, cpw)) {
++ if (!(cpw = crypt(password, sp->sp_pwdp)) || strcmp(sp->sp_pwdp, (const char *)cpw)) {
+ if (flags & VERBOSE) {
+ /*
+ * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
+@@ -221,10 +220,8 @@
+ syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
+ sp->sp_pwdp, cpw);
+ }
+- free(cpw);
+ RETURN("NO Incorrect password");
+ }
+- free(cpw);
+ 
+ /*
+ * The following fields will be set to -1 if:
+@@ -286,7 +283,7 @@
+ RETURN("NO Invalid username");
+ }
+ 
+- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
++ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
+ if (flags & VERBOSE) {
+ syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
+ password, upw->upw_passwd);
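Review bot: In the auth_shadow.c part at `@@ -210,8 +210,7 @@`, the new condition makes `cpw` NULL when crypt() fails, but the VERBOSE branch right after it (context in the `@@ -221,10 +220,8 @@` part) still passes it to `syslog(LOG_DEBUG, "... '%s' != '%s'", sp->sp_pwdp, cpw)`, and a NULL argument for `%s` is undefined behaviour — so a verbose saslauthd can still go down on exactly the crypt() failure this patch is meant to survive. Guard the argument, e.g. `sp->sp_pwdp, cpw ? cpw : "(crypt failed)"`, or log a distinct "crypt() failed" message before taking the mismatch path so the two causes are distinguishable in the logs. The same shape in pwcheck_getpwnam.c, pwcheck_getspnam.c and auth_getpwent.c is fine because nothing dereferences `crpt_passwd` after the check, and dropping the strdup()/free() pair in auth_shadow.c is correct since crypt()'s result is only read before the next call. Separately, the pre-existing VERBOSE line in the `@@ -286,7 +283,7 @@` part writes the cleartext `password` to syslog; not introduced here, but worth a follow-up since this patch already touches that branch. Every enclosing function begins and ends outside these inner hunks.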