1 |
commit: ec41e92e4aec19aa605f5d410ba06cc86e7b48f0 |
2 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Dec 23 21:34:38 2019 +0000 |
4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Dec 23 21:34:54 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec41e92e |
7 |
|
8 |
dev-libs/cyrus-sasl: fix CVE-2019-19906 |
9 |
|
10 |
Bug: https://bugs.gentoo.org/703628 |
11 |
Package-Manager: Portage-2.3.82, Repoman-2.3.20 |
12 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
13 |
|
14 |
dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild | 259 +++++++++++++++++++++ |
15 |
.../files/cyrus-sasl-2.1.27-CVE-2019-19906.patch | 20 ++ |
16 |
2 files changed, 279 insertions(+) |
17 |
|
18 |
diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild |
19 |
new file mode 100644 |
20 |
index 00000000000..25c41df746a |
21 |
--- /dev/null |
22 |
+++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild |
23 |
@@ -0,0 +1,259 @@ |
24 |
+# Copyright 1999-2019 Gentoo Authors |
25 |
+# Distributed under the terms of the GNU General Public License v2 |
26 |
+ |
27 |
+EAPI=6 |
28 |
+ |
29 |
+inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd eapi7-ver |
30 |
+ |
31 |
+SASLAUTHD_CONF_VER="2.1.26" |
32 |
+ |
33 |
+DESCRIPTION="The Cyrus SASL (Simple Authentication and Security Layer)" |
34 |
+HOMEPAGE="https://www.cyrusimap.org/sasl/" |
35 |
+#SRC_URI="ftp://ftp.cyrusimap.org/cyrus-sasl/${P}.tar.gz" |
36 |
+SRC_URI="https://github.com/cyrusimap/${PN}/releases/download/${P}/${P}.tar.gz" |
37 |
+ |
38 |
+LICENSE="BSD-with-attribution" |
39 |
+SLOT="2" |
40 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
41 |
+IUSE="authdaemond berkdb gdbm kerberos ldapdb libressl openldap mysql pam postgres sample selinux sqlite srp ssl static-libs urandom" |
42 |
+ |
43 |
+CDEPEND=" |
44 |
+ net-mail/mailbase |
45 |
+ authdaemond? ( || ( net-mail/courier-imap mail-mta/courier ) ) |
46 |
+ berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) |
47 |
+ gdbm? ( >=sys-libs/gdbm-1.10-r1:=[${MULTILIB_USEDEP}] ) |
48 |
+ kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) |
49 |
+ openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) |
50 |
+ mysql? ( dev-db/mysql-connector-c:0=[${MULTILIB_USEDEP}] ) |
51 |
+ pam? ( >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] ) |
52 |
+ postgres? ( dev-db/postgresql:* ) |
53 |
+ sqlite? ( >=dev-db/sqlite-3.8.2:3[${MULTILIB_USEDEP}] ) |
54 |
+ ssl? ( |
55 |
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) |
56 |
+ libressl? ( dev-libs/libressl:=[${MULTILIB_USEDEP}] ) |
57 |
+ ) |
58 |
+ java? ( >=virtual/jdk-1.6:= )" |
59 |
+ |
60 |
+REQUIRED_USE="ldapdb? ( openldap )" |
61 |
+ |
62 |
+RDEPEND=" |
63 |
+ ${CDEPEND} |
64 |
+ selinux? ( sec-policy/selinux-sasl )" |
65 |
+ |
66 |
+DEPEND="${CDEPEND}" |
67 |
+ |
68 |
+MULTILIB_WRAPPED_HEADERS=( |
69 |
+ /usr/include/sasl/md5global.h |
70 |
+) |
71 |
+ |
72 |
+PATCHES=( |
73 |
+ "${FILESDIR}/${PN}-2.1.27-avoid_pic_overwrite.patch" |
74 |
+ "${FILESDIR}/${PN}-2.1.27-autotools_fixes.patch" |
75 |
+ "${FILESDIR}/${PN}-2.1.27-as_needed.patch" |
76 |
+ "${FILESDIR}/${PN}-2.1.25-auxprop.patch" |
77 |
+ "${FILESDIR}/${PN}-2.1.27-gss_c_nt_hostbased_service.patch" |
78 |
+ "${FILESDIR}/${PN}-2.1.26-missing-size_t.patch" |
79 |
+ "${FILESDIR}/${PN}-2.1.27-doc_build_fix.patch" |
80 |
+ "${FILESDIR}/${PN}-2.1.27-memmem.patch" |
81 |
+ "${FILESDIR}/${PN}-2.1.27-CVE-2019-19906.patch" |
82 |
+) |
83 |
+ |
84 |
+pkg_setup() { |
85 |
+ java-pkg-opt-2_pkg_setup |
86 |
+} |
87 |
+ |
88 |
+src_prepare() { |
89 |
+ default |
90 |
+ |
91 |
+ # Get rid of the -R switch (runpath_switch for Sun) |
92 |
+ # >=gcc-4.6 errors out with unknown option |
93 |
+ sed -i -e '/LIB_SQLITE.*-R/s/ -R[^"]*//' \ |
94 |
+ configure.ac || die |
95 |
+ |
96 |
+ # Use plugindir for sasldir |
97 |
+ sed -i '/^sasldir =/s:=.*:= $(plugindir):' \ |
98 |
+ "${S}"/plugins/Makefile.{am,in} || die "sed failed" |
99 |
+ |
100 |
+ # #486740 #468556 |
101 |
+ sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:g' \ |
102 |
+ -e 's:AC_CONFIG_MACRO_DIR:AC_CONFIG_MACRO_DIRS:g' \ |
103 |
+ configure.ac || die |
104 |
+ |
105 |
+ eautoreconf |
106 |
+} |
107 |
+ |
108 |
+src_configure() { |
109 |
+ append-flags -fno-strict-aliasing |
110 |
+ if [[ ${CHOST} == *-solaris* ]] ; then |
111 |
+ # getpassphrase is defined in /usr/include/stdlib.h |
112 |
+ append-cppflags -DHAVE_GETPASSPHRASE |
113 |
+ else |
114 |
+ # this horrendously breaks things on Solaris |
115 |
+ append-cppflags -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED -D_BSD_SOURCE -DLDAP_DEPRECATED |
116 |
+ fi |
117 |
+ |
118 |
+ multilib-minimal_src_configure |
119 |
+} |
120 |
+ |
121 |
+multilib_src_configure() { |
122 |
+ # Java support. |
123 |
+ multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}" |
124 |
+ |
125 |
+ local myeconfargs=( |
126 |
+ --enable-login |
127 |
+ --enable-ntlm |
128 |
+ --enable-auth-sasldb |
129 |
+ --disable-cmulocal |
130 |
+ --disable-krb4 |
131 |
+ --disable-macos-framework |
132 |
+ --enable-otp |
133 |
+ --without-sqlite |
134 |
+ --with-saslauthd="${EPREFIX}"/run/saslauthd |
135 |
+ --with-pwcheck="${EPREFIX}"/run/saslauthd |
136 |
+ --with-configdir="${EPREFIX}"/etc/sasl2 |
137 |
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2 |
138 |
+ --with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2 |
139 |
+ --with-sphinx-build=no |
140 |
+ $(use_with ssl openssl) |
141 |
+ $(use_with pam) |
142 |
+ $(use_with openldap ldap) |
143 |
+ $(use_enable ldapdb) |
144 |
+ $(multilib_native_use_enable sample) |
145 |
+ $(use_enable kerberos gssapi) |
146 |
+ $(multilib_native_use_enable java) |
147 |
+ $(multilib_native_use_with mysql mysql "${EPREFIX}"/usr) |
148 |
+ $(multilib_native_use_with postgres pgsql "${EPREFIX}"/usr/$(get_libdir)/postgresql) |
149 |
+ $(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir)) |
150 |
+ $(use_enable srp) |
151 |
+ $(use_enable static-libs static) |
152 |
+ |
153 |
+ # Add authdaemond support (bug #56523). |
154 |
+ $(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '') |
155 |
+ |
156 |
+ # Fix for bug #59634. |
157 |
+ $(usex ssl '' --without-des) |
158 |
+ |
159 |
+ # Use /dev/urandom instead of /dev/random (bug #46038). |
160 |
+ $(usex urandom --with-devrandom=/dev/urandom '') |
161 |
+ ) |
162 |
+ |
163 |
+ if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then |
164 |
+ myeconfargs+=( --enable-sql ) |
165 |
+ else |
166 |
+ myeconfargs+=( --disable-sql ) |
167 |
+ fi |
168 |
+ |
169 |
+ # Default to GDBM if both 'gdbm' and 'berkdb' are present. |
170 |
+ if use gdbm ; then |
171 |
+ einfo "Building with GNU DB as database backend for your SASLdb" |
172 |
+ myeconfargs+=( --with-dblib=gdbm ) |
173 |
+ elif use berkdb ; then |
174 |
+ einfo "Building with BerkeleyDB as database backend for your SASLdb" |
175 |
+ myeconfargs+=( |
176 |
+ --with-dblib=berkeley |
177 |
+ --with-bdb-incdir="$(db_includedir)" |
178 |
+ ) |
179 |
+ else |
180 |
+ einfo "Building without SASLdb support" |
181 |
+ myeconfargs+=( --with-dblib=none ) |
182 |
+ fi |
183 |
+ |
184 |
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" |
185 |
+} |
186 |
+ |
187 |
+multilib_src_compile() { |
188 |
+ emake |
189 |
+ |
190 |
+ # Default location for java classes breaks OpenOffice (bug #60769). |
191 |
+ # Thanks to axxo@g.o for the solution. |
192 |
+ if multilib_is_native_abi && use java ; then |
193 |
+ jar -cvf ${PN}.jar -C java $(find java -name "*.class") |
194 |
+ fi |
195 |
+} |
196 |
+ |
197 |
+multilib_src_install() { |
198 |
+ default |
199 |
+ |
200 |
+ if multilib_is_native_abi; then |
201 |
+ if use sample ; then |
202 |
+ docinto sample |
203 |
+ dodoc "${S}"/sample/*.c |
204 |
+ exeinto /usr/share/doc/${P}/sample |
205 |
+ doexe sample/client sample/server |
206 |
+ fi |
207 |
+ |
208 |
+ # Default location for java classes breaks OpenOffice (bug #60769). |
209 |
+ if use java; then |
210 |
+ java-pkg_dojar ${PN}.jar |
211 |
+ java-pkg_regso "${ED}/usr/$(get_libdir)/libjavasasl$(get_libname)" |
212 |
+ # hackish, don't wanna dig through makefile |
213 |
+ rm -rf "${ED}/usr/$(get_libdir)/java" || die |
214 |
+ docinto "java" |
215 |
+ dodoc "${S}/java/README" "${FILESDIR}/java.README.gentoo" "${S}"/java/doc/* |
216 |
+ dodir "/usr/share/doc/${PF}/java/Test" |
217 |
+ insinto "/usr/share/doc/${PF}/java/Test" |
218 |
+ doins "${S}"/java/Test/*.java |
219 |
+ fi |
220 |
+ |
221 |
+ dosbin saslauthd/testsaslauthd |
222 |
+ fi |
223 |
+} |
224 |
+ |
225 |
+multilib_src_install_all() { |
226 |
+ doman man/* |
227 |
+ |
228 |
+ keepdir /etc/sasl2 |
229 |
+ |
230 |
+ # Reset docinto to default value (#674296) |
231 |
+ docinto |
232 |
+ dodoc AUTHORS ChangeLog doc/legacy/TODO |
233 |
+ newdoc pwcheck/README README.pwcheck |
234 |
+ |
235 |
+ newdoc docsrc/sasl/release-notes/$(ver_cut 1-2)/index.rst release-notes |
236 |
+ edos2unix ${ED%/}/usr/share/doc/${PF}/release-notes |
237 |
+ |
238 |
+ docinto html |
239 |
+ dodoc doc/html/*.html |
240 |
+ |
241 |
+ newpamd "${FILESDIR}/saslauthd.pam-include" saslauthd |
242 |
+ |
243 |
+ newinitd "${FILESDIR}/pwcheck.rc6" pwcheck |
244 |
+ systemd_dounit "${FILESDIR}/pwcheck.service" |
245 |
+ |
246 |
+ newinitd "${FILESDIR}/saslauthd2.rc7" saslauthd |
247 |
+ newconfd "${FILESDIR}/saslauthd-${SASLAUTHD_CONF_VER}.conf" saslauthd |
248 |
+ systemd_dounit "${FILESDIR}/saslauthd.service" |
249 |
+ systemd_dotmpfilesd "${FILESDIR}/${PN}.conf" |
250 |
+ |
251 |
+ # The get_modname bit is important: do not remove the .la files on |
252 |
+ # platforms where the lib isn't called .so for cyrus searches the .la to |
253 |
+ # figure out what the name is supposed to be instead |
254 |
+ if ! use static-libs && [[ $(get_modname) == .so ]] ; then |
255 |
+ find "${ED}" -name "*.la" -delete || die |
256 |
+ fi |
257 |
+} |
258 |
+ |
259 |
+pkg_postinst () { |
260 |
+ # Generate an empty sasldb2 with correct permissions. |
261 |
+ if ( use berkdb || use gdbm ) && [[ ! -f "${EROOT}/etc/sasl2/sasldb2" ]] ; then |
262 |
+ einfo "Generating an empty sasldb2 with correct permissions ..." |
263 |
+ echo "p" | "${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -p login \ |
264 |
+ || die "Failed to generate sasldb2" |
265 |
+ "${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -d login \ |
266 |
+ || die "Failed to delete temp user" |
267 |
+ chown root:mail "${EROOT}/etc/sasl2/sasldb2" \ |
268 |
+ || die "Failed to chown ${EROOT}/etc/sasl2/sasldb2" |
269 |
+ chmod 0640 "${EROOT}/etc/sasl2/sasldb2" \ |
270 |
+ || die "Failed to chmod ${EROOT}/etc/sasl2/sasldb2" |
271 |
+ fi |
272 |
+ |
273 |
+ if use authdaemond ; then |
274 |
+ elog "You need to add a user running a service using Courier's" |
275 |
+ elog "authdaemon to the 'mail' group. For example, do:" |
276 |
+ elog " gpasswd -a postfix mail" |
277 |
+ elog "to add the 'postfix' user to the 'mail' group." |
278 |
+ fi |
279 |
+ |
280 |
+ elog "pwcheck and saslauthd home directories have moved to:" |
281 |
+ elog " /run/saslauthd, using tmpfiles.d" |
282 |
+} |
283 |
|
284 |
diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch |
285 |
new file mode 100644 |
286 |
index 00000000000..82b9e1fb6db |
287 |
--- /dev/null |
288 |
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch |
289 |
@@ -0,0 +1,20 @@ |
290 |
+Description: CVE-2019-19906: Off-by-one in _sasl_add_string function |
291 |
+Origin: vendor |
292 |
+Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587 |
293 |
+Bug-Debian: https://bugs.debian.org/947043 |
294 |
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906 |
295 |
+Author: Stephan Zeisberg <stephan@××××××.de> |
296 |
+Reviewed-by: Salvatore Bonaccorso <carnil@××××××.org> |
297 |
+Last-Update: 2019-12-19 |
298 |
+ |
299 |
+--- a/lib/common.c |
300 |
++++ b/lib/common.c |
301 |
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t |
302 |
+ |
303 |
+ if (add==NULL) add = "(null)"; |
304 |
+ |
305 |
+- addlen=strlen(add); /* only compute once */ |
306 |
++ addlen=strlen(add)+1; /* only compute once */ |
307 |
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) |
308 |
+ return SASL_NOMEM; |
309 |
+ |