[notify] cyrus-sasl: fix source security fix CVE-2019-19906

2020-05-27 22:07:01 +10:00 · 2020-05-27 22:07:01 +10:00 · abad4c4c8c
commit abad4c4c8c
parent ffd741fe3a
3 changed files with 34 additions and 10 deletions
--- a/cyrus-sasl/.signature
+++ b/cyrus-sasl/.signature
@ -1,6 +1,7 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/Qlm/syxT8yAkV0NPeVWH/0PFZQPdT7AaFcugj5He7WIqe48UokpwBIEJtcxHNCDGIf9PcrQVT5qjrhkyapNqQg=
-SHA256 (Pkgfile) = cef4a501f59ccd97778a607a83e2220b5ca7ba758ff3d8aeb1923b046bf3f970
+RWSE3ohX2g5d/Vhbibws7KK6930LuQcksptQS49VKZPhYVeF/L45qmLvv/AzMOJOD334q0O14XwZRlo0fg4GAHiPo20KZ1WQjwA=
+SHA256 (Pkgfile) = f559af8ea4758a3a9f70c33dc34f92b2f197ceb5e9b92f473c9a921acfe7d6c0
 SHA256 (.footprint) = e4e77c95f7485a0b84ae04ce6db392db6aa362e706da3a52ca28f95b97ca6abd
 SHA256 (cyrus-sasl-2.1.27.tar.gz) = 26866b1549b00ffd020f188a43c258017fa1c382b3ddadd8201536f72efb05d5
 SHA256 (saslauthd) = 2a96dca868261d5275087ed8e1eef59946f47c6d35797368710c3037f46e61bd
+SHA256 (cyrus-sasl-2.1.27-CVE-2019-19906.patch) = 7744ae3fd2a9f62a7fa7ba58604dc78d982cfe8f9b740a94dcfd9672ce00bfa8
--- a/cyrus-sasl/Pkgfile
+++ b/cyrus-sasl/Pkgfile
@ -1,16 +1,20 @@
 # Description: Simple Authentication and Security Layer
 # URL:         https://www.cyrusimap.org/sasl/
 # Maintainer:  Thomas Penteker, tek at serverop dot de
-# Depends on:  db openssl
+# Depends on:  db openssl linux-pam

 name=cyrus-sasl
 version=2.1.27
-release=1
-source=(https://www.cyrusimap.org/releases/$name-$version.tar.gz saslauthd)
+release=2
+source=(https://github.com/cyrusimap/$name/releases/download/$name-$version/$name-$version.tar.gz
+  saslauthd
+  cyrus-sasl-2.1.27-CVE-2019-19906.patch)

-build(){
+build() {
  cd $name-$version

+  patch -p1 -i $SRC/cyrus-sasl-2.1.27-CVE-2019-19906.patch
+
  ./configure \
      --prefix=/usr \
      --sysconfdir=/etc/sasl \
@ -26,13 +30,12 @@ build(){
      --enable-digest \
      --enable-shared

-  make
+  make CFLAGS="$CFLAGS -fPIC"
  make DESTDIR=$PKG install

-  mkdir -p \
+  install -d \
      $PKG/usr/lib/sasl2 \
      $PKG/var/sasl/saslauthd \
-      $PKG/etc/rc.d

-  install -m 755 $SRC/saslauthd $PKG/etc/rc.d
+  install -Dm 755 $SRC/saslauthd $PKG/etc/rc.d/saslauthd
 }
--- a/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch
+++ b/cyrus-sasl/cyrus-sasl-2.1.27-CVE-2019-19906.patch
@ -0,0 +1,20 @@
+Description: CVE-2019-19906: Off-by-one in _sasl_add_string function
+Origin: vendor
+Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587
+Bug-Debian: https://bugs.debian.org/947043
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906
+Author: Stephan Zeisberg <stephan@srlabs.de>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2019-12-19
+
+--- a/lib/common.c
+++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t
+ 
+   if (add==NULL) add = "(null)";
+ 
+-  addlen=strlen(add); /* only compute once */
+  addlen=strlen(add)+1; /* only compute once */
+   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+     return SASL_NOMEM;
+