Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package atheme-services

There is a security issue that was fixed in the upstream 7.2.8 package
(#855588), which introduced a new security issue, which was fixed in
the 7.2.9 package.

7.2.8, unfortunately, includes unrelated changes, most notably:

  * email templates: Fix leading whitespace
  * atheme.conf.example: better highlight the pbkdf2v2 crypto module
  * pbkdf2v2: make digest and rounds configurable at runtime
  * memoserv: let user know (on identify and /away) when their inbox is full
  * memoserv: unregister hooks when unloading

Those are small convenience fixes, some of which will make the
program cryptographically stronger for the lifetime of stretch. Others
are pure bugfixes...

I think it is worth shipping the latest upstream at this point, since
those changes are small. They also factor in two patches that I had to
include in the 7.2.7-1 upload to fix builds with OpenSSL 1.1, so it
actually reduces our difference with upstream.

Attached is the debdiff against 7.2.7-1 (stretch/sid).

unblock atheme-services/7.2.9

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru atheme-services-7.2.7/configure atheme-services-7.2.9/configure
--- atheme-services-7.2.7/configure     2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/configure     2017-02-12 10:02:49.000000000 -0500
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for atheme 7.2.7.
+# Generated by GNU Autoconf 2.69 for atheme 7.2.9.
 #
-# Report bugs to <https://github.com/atheme/atheme/issues>.
+# Report bugs to <https://github.com/atheme/atheme/issues/>.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -267,7 +267,7 @@
     $as_echo "$0: be upgraded to zsh 4.3.4 or later."
   else
     $as_echo "$0: Please tell bug-autoc...@gnu.org and
-$0: https://github.com/atheme/atheme/issues about your
+$0: https://github.com/atheme/atheme/issues/ about your
 $0: system, including any error possibly output before this
 $0: message. Then install a modern shell, or manually run
 $0: the script under such a shell if you do have one."
@@ -580,9 +580,9 @@
 # Identity of this package.
 PACKAGE_NAME='atheme'
 PACKAGE_TARNAME='atheme'
-PACKAGE_VERSION='7.2.7'
-PACKAGE_STRING='atheme 7.2.7'
-PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues'
+PACKAGE_VERSION='7.2.9'
+PACKAGE_STRING='atheme 7.2.9'
+PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues/'
 PACKAGE_URL=''
 
 ac_default_prefix=~/atheme
@@ -1341,7 +1341,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures atheme 7.2.7 to adapt to many kinds of systems.
+\`configure' configures atheme 7.2.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1406,7 +1406,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of atheme 7.2.7:";;
+     short | recursive ) echo "Configuration of atheme 7.2.9:";;
    esac
   cat <<\_ACEOF
 
@@ -1466,7 +1466,7 @@
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <https://github.com/atheme/atheme/issues>.
+Report bugs to <https://github.com/atheme/atheme/issues/>.
 _ACEOF
 ac_status=$?
 fi
@@ -1529,7 +1529,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-atheme configure 7.2.7
+atheme configure 7.2.9
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1688,9 +1688,9 @@
 $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" 
>&2;}
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the 
compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ------------------------------------------------------ ##
-## Report this to https://github.com/atheme/atheme/issues ##
-## ------------------------------------------------------ ##"
+( $as_echo "## ------------------------------------------------------- ##
+## Report this to https://github.com/atheme/atheme/issues/ ##
+## ------------------------------------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
@@ -2038,7 +2038,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by atheme $as_me 7.2.7, which was
+It was created by atheme $as_me 7.2.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4831,7 +4831,7 @@
 
 PACKAGE=atheme
 
-VERSION=7.2.7
+VERSION=7.2.9
 
 
 
@@ -10462,7 +10462,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by atheme $as_me 7.2.7, which was
+This file was extended by atheme $as_me 7.2.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10522,13 +10522,13 @@
 Configuration commands:
 $config_commands
 
-Report bugs to <https://github.com/atheme/atheme/issues>."
+Report bugs to <https://github.com/atheme/atheme/issues/>."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-atheme config.status 7.2.7
+atheme config.status 7.2.9
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru atheme-services-7.2.7/configure.ac atheme-services-7.2.9/configure.ac
--- atheme-services-7.2.7/configure.ac  2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/configure.ac  2017-02-12 09:58:54.000000000 -0500
@@ -7,7 +7,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT(atheme, 7.2.7, [https://github.com/atheme/atheme/issues])
+AC_INIT(atheme, 7.2.9, [https://github.com/atheme/atheme/issues/])
 
 AC_CONFIG_AUX_DIR(autoconf)
 
diff -Nru atheme-services-7.2.7/debian/changelog 
atheme-services-7.2.9/debian/changelog
--- atheme-services-7.2.7/debian/changelog      2016-11-16 09:59:17.000000000 
-0500
+++ atheme-services-7.2.9/debian/changelog      2017-02-07 21:01:27.000000000 
-0500
@@ -1,3 +1,23 @@
+atheme-services (7.2.9-1) unstable; urgency=medium
+
+  * new upstream release (7.2.8) fixing security issue "saslserv/main: free
+    sasl_sourceinfo_t after use" see:
+    https://github.com/atheme/atheme/pull/539
+  * new upstream release (7.2.9) fixing security issue introduced in
+    7.2.8: "Fix use after free during impersonation" (Closes: #855588)
+  * remove two OpenSSL 1.1 patches merged upstream
+
+  [ Jos Ahrens ]
+  * email templates: Fix leading whitespace
+
+  [ Aaron Jones ]
+  * atheme.conf.example: better highlight the pbkdf2v2 crypto module
+  * pbkdf2v2: make digest and rounds configurable at runtime
+  * memoserv: let user know (on identify and /away) when their inbox is full
+  * memoserv: unregister hooks when unloading
+
+ -- Antoine Beaupré <anar...@debian.org>  Tue, 07 Feb 2017 21:01:27 -0500
+
 atheme-services (7.2.7-1) unstable; urgency=medium
 
   * new upstream release
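Review bot: the bug reference is placed inconsistently between the cover letter and this changelog entry: the request text says #855588 is the issue fixed in 7.2.8, while the changelog closes #855588 on the 7.2.9 item ("Fix use after free during impersonation") and documents the 7.2.8 fix only by a pull-request URL. Make both say which upstream fix closes the bug, and if CVE identifiers have been assigned for either use-after-free, cite them here so the security tracker can match the upload. The "remove two OpenSSL 1.1 patches merged upstream" line does match the two deletions under debian/patches/ further down.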
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch 
atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch    
2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch    
1969-12-31 19:00:00.000000000 -0500
@@ -1,82 +0,0 @@
-From 54809431abc683e43f58306e622db4ba65efcbeb Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjo...@gmail.com>
-Date: Wed, 16 Nov 2016 08:21:32 +0000
-Subject: [PATCH] pbkdf2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-Fixes #528
----
- modules/crypto/pbkdf2.c | 59 -------------------------------------------------
- 1 file changed, 59 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2.c b/modules/crypto/pbkdf2.c
-index 2c39bf2..82df9e6 100644
---- a/modules/crypto/pbkdf2.c
-+++ b/modules/crypto/pbkdf2.c
-@@ -31,65 +31,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2", false, _modinit, 
_moddeinit, PACKAGE_VERSION,
- #define ROUNDS                (128000)
- #define SALTLEN               (16)
- 
--/* This is an implementation of PKCS#5 v2.0 password based encryption key
-- * derivation function PBKDF2.
-- * SHA1 version verified against test vectors posted by Peter Gutmann
-- * <pgut...@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-...@rsa.com> mailing 
list.
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
--                         const unsigned char *salt, int saltlen, int iter,
--                         const EVP_MD *digest,
--                         int keylen, unsigned char *out)
--{
--      unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
--      int cplen, j, k, tkeylen, mdlen;
--      unsigned long i = 1;
--      HMAC_CTX hctx;
--
--      mdlen = EVP_MD_size(digest);
--
--      HMAC_CTX_init(&hctx);
--      p = out;
--      tkeylen = keylen;
--      if(!pass)
--              passlen = 0;
--      else if(passlen == -1)
--              passlen = strlen(pass);
--      while(tkeylen)
--      {
--              if(tkeylen > mdlen)
--                      cplen = mdlen;
--              else
--                      cplen = tkeylen;
--              /* We are unlikely to ever use more than 256 blocks (5120 bits!)
--               * but just in case...
--               */
--              itmp[0] = (unsigned char)((i >> 24) & 0xff);
--              itmp[1] = (unsigned char)((i >> 16) & 0xff);
--              itmp[2] = (unsigned char)((i >> 8) & 0xff);
--              itmp[3] = (unsigned char)(i & 0xff);
--              HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
--              HMAC_Update(&hctx, salt, saltlen);
--              HMAC_Update(&hctx, itmp, 4);
--              HMAC_Final(&hctx, digtmp, NULL);
--              memcpy(p, digtmp, cplen);
--              for(j = 1; j < iter; j++)
--              {
--                      HMAC(digest, pass, passlen,
--                               digtmp, mdlen, digtmp, NULL);
--                      for(k = 0; k < cplen; k++)
--                              p[k] ^= digtmp[k];
--              }
--              tkeylen-= cplen;
--              i++;
--              p+= cplen;
--      }
--      HMAC_CTX_cleanup(&hctx);
--      return 1;
--}
--
--/*******************************************************************************************/
--
- static const char *pbkdf2_salt(void)
- {
-       static char buf[SALTLEN + 1];
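Review bot: deleting this patch is consistent with the rest of the debdiff: debian/patches/series drops openssl-1.1.0-5480943.patch, and the upstream modules/crypto/pbkdf2.c hunk removes the same 59-line PKCS5_PBKDF2_HMAC compatibility function (the copy that declared HMAC_CTX hctx on the stack and called HMAC_CTX_init/HMAC_CTX_cleanup). Nothing to change; the Debian delta against upstream shrinks as the cover letter says.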
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch 
atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch    
2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch    
1969-12-31 19:00:00.000000000 -0500
@@ -1,80 +0,0 @@
-From b04f18e7d7410797d9c043b0944d715a522465c6 Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjo...@gmail.com>
-Date: Wed, 16 Nov 2016 14:31:16 +0000
-Subject: [PATCH] pbkdf2v2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-c.f. issue #528
----
- modules/crypto/pbkdf2v2.c | 57 -----------------------------------------------
- 1 file changed, 57 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2v2.c b/modules/crypto/pbkdf2v2.c
-index 940281d..289e841 100644
---- a/modules/crypto/pbkdf2v2.c
-+++ b/modules/crypto/pbkdf2v2.c
-@@ -50,63 +50,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2v2", false, _modinit, 
_moddeinit,
- static const char salt_chars[62] =
-       "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
- 
--/*
-- * This equivalent implementation provided incase the user doesn't
-- * have a new enough OpenSSL library installed on their machine
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
--                      const unsigned char *salt, int sl,
--                      int iter, const EVP_MD *PRF,
--                      int dkLen, unsigned char *out)
--{
--      if (! pass)
--              pl = 0;
--
--      if (pass && pl < 0)
--              pl = strlen(pass);
--
--      int tkLen = dkLen;
--      int mdLen = EVP_MD_size(PRF);
--      unsigned char *p = out;
--      unsigned long i = 1;
--
--      HMAC_CTX hctx;
--      HMAC_CTX_init(&hctx);
--
--      while (tkLen) {
--
--              unsigned char itmp[4];
--              itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
--              itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
--              itmp[2] = (unsigned char) ((i >>  8) & 0xFF);
--              itmp[3] = (unsigned char) ((i >>  0) & 0xFF);
--              i++;
--
--              unsigned char digtmp[EVP_MAX_MD_SIZE];
--              HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
--              HMAC_Update(&hctx, salt, sl);
--              HMAC_Update(&hctx, itmp, 4);
--              HMAC_Final(&hctx, digtmp, NULL);
--
--              int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
--              memcpy(p, digtmp, cpLen);
--
--              int j, k;
--              for (j = 1; j < iter; j++) {
--                      HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
--                      for (k = 0; k < cpLen; k++)
--                              p[k] ^= digtmp[k];
--              }
--
--              tkLen -= cpLen;
--              p += cpLen;
--      }
--
--      HMAC_CTX_cleanup(&hctx);
--
--      return 1;
--}
--
- static const char *pbkdf2v2_make_salt(void)
- {
-       char            salt[PBKDF2_SALTLEN + 1];
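Review bot: same check as for the first patch: the series file drops openssl-1.1.0-b04f18e.patch and upstream's modules/crypto/pbkdf2v2.c hunk removes the identical 57-line compatibility PKCS5_PBKDF2_HMAC. Note that upstream's removal is bundled with the new runtime digest/rounds configuration in the same hunk, so this is not a one-for-one replacement of the Debian patch; the behavioural change is reviewed under that hunk.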
diff -Nru atheme-services-7.2.7/debian/patches/series 
atheme-services-7.2.9/debian/patches/series
--- atheme-services-7.2.7/debian/patches/series 2016-11-16 09:59:17.000000000 
-0500
+++ atheme-services-7.2.9/debian/patches/series 2017-02-07 21:01:27.000000000 
-0500
@@ -1,4 +1,2 @@
-openssl-1.1.0-b04f18e.patch
 ecdsakeygen-rename.patch
 dbverify-path-769145.patch
-openssl-1.1.0-5480943.patch
diff -Nru atheme-services-7.2.7/dist/atheme.conf.example 
atheme-services-7.2.9/dist/atheme.conf.example
--- atheme-services-7.2.7/dist/atheme.conf.example      2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/dist/atheme.conf.example      2017-02-12 
09:58:54.000000000 -0500
@@ -107,8 +107,8 @@
  *
  * The following crypto modules are available:
  *
- * PBKDF2 cryptography (new)                    modules/crypto/pbkdf2v2
- * PBKDF2 cryptography (old)                    modules/crypto/pbkdf2
+ * PBKDF2 cryptography (new, recommended)       modules/crypto/pbkdf2v2
+ * PBKDF2 cryptography (old, compatibility)     modules/crypto/pbkdf2
  * POSIX-style crypt(3)                         modules/crypto/posix
  * IRCServices (also Anope etc) compatibility   modules/crypto/ircservices
  * Raw MD5 (Anope compatibility)                modules/crypto/rawmd5
@@ -126,6 +126,7 @@
  *
  * The rawsha1 and pbkdf2/pbkdf2v2 modules require OpenSSL.
  */
+#loadmodule "modules/crypto/pbkdf2v2";
 loadmodule "modules/crypto/posix";
 
 /* Authentication module.
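Review bot: the recommended module is only offered as a commented-out line (#loadmodule "modules/crypto/pbkdf2v2";) while the active default stays loadmodule "modules/crypto/posix";, so new and existing stretch installations keep POSIX crypt(3) hashing unless the admin edits the config. That is the right conservative choice for a freeze-era upload, but a short pointer in README.Debian or NEWS.Debian would make the opt-in discoverable; the "cryptographically stronger" benefit from the cover letter only materialises for admins who enable the module.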
@@ -803,6 +804,27 @@
  * SERVICES RUNTIME CONFIGURATION SECTION.                                    *
  
******************************************************************************/
 
+/*
+ * If you are using the crypto/pbkdf2v2 module, you may wish to edit this block
+ *
+ * It is recommended to either leave the values at the defaults, or experiment
+ * with them so that it takes approximately 1 second for users to identify.
+ */
+pbkdf2v2 {
+
+       /* digest
+        * Valid values are "SHA256" and "SHA512"
+        * The default is "SHA512"
+        */
+       #digest = "SHA512";
+
+       /* rounds
+        * Valid values are 10000 to 5000000 (inclusive)
+        * The default is 64000
+        */
+       #rounds = 64000;
+};
+
 /* The serverinfo{} block defines how we appear on the IRC network. */
 serverinfo {
        /* name
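Review bot: the documented bounds agree with the code: "10000 to 5000000 (inclusive)" and the default 64000 match PBKDF2_C_MIN, PBKDF2_C_MAX and PBKDF2_C_DEF introduced in the modules/crypto/pbkdf2v2.c hunk, and the two digest names match the SHA256/SHA512 branches of c_ci_pbkdf2v2_digest. The "approximately 1 second" tuning advice could add that the cost is paid on every identify and that raising rounds does not invalidate existing hashes, since the old header comment stating that property is removed in the pbkdf2v2.c hunk and nothing in the shipped config says so.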
diff -Nru atheme-services-7.2.7/email/default/register 
atheme-services-7.2.9/email/default/register
--- atheme-services-7.2.7/email/default/register        2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/register        2017-02-12 
09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
 In order to complete your account registration, you must type the following
 command on IRC:
 
-   /msg &nicksvs& VERIFY REGISTER &accountname& &param&
+/msg &nicksvs& VERIFY REGISTER &accountname& &param&
 
 Thank you for registering your account on the &netname& IRC network!
 
diff -Nru atheme-services-7.2.7/email/default/setemail 
atheme-services-7.2.9/email/default/setemail
--- atheme-services-7.2.7/email/default/setemail        2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setemail        2017-02-12 
09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
 In order to complete the e-mail address change, you must verify your new
 e-mail address by issuing the following command on IRC:
 
-   /msg &nicksvs& VERIFY EMAILCHG &accountname& &param&
+/msg &nicksvs& VERIFY EMAILCHG &accountname& &param&
 
 Thank you for updating your e-mail address on file with the &netname&
 IRC network!
diff -Nru atheme-services-7.2.7/email/default/setpass 
atheme-services-7.2.9/email/default/setpass
--- atheme-services-7.2.7/email/default/setpass 2016-10-08 10:58:00.000000000 
-0400
+++ atheme-services-7.2.9/email/default/setpass 2017-02-12 09:58:54.000000000 
-0500
@@ -14,7 +14,7 @@
 In order to set a new password, you must send the following command
 on IRC, where <password> is the new password you wish to set.
 
-   /msg &nicksvs& SETPASS &accountname& &param& <password>
+/msg &nicksvs& SETPASS &accountname& &param& <password>
 
 --
 If this message is unsolicited, please contact &replyto&
diff -Nru atheme-services-7.2.7/include/serno.h 
atheme-services-7.2.9/include/serno.h
--- atheme-services-7.2.7/include/serno.h       2016-10-08 12:58:57.000000000 
-0400
+++ atheme-services-7.2.9/include/serno.h       2017-02-12 10:02:49.000000000 
-0500
@@ -1,2 +1,2 @@
 /* Generated automatically by makepackage. Any changes made here will be lost. 
*/
-#define SERNO "ddc1fd73ee114b0f6d7a714db22c51c23c719b6e"
+#define SERNO "4db7745cc39e835c6bd00ad9fac6a8c9b71fabaa"
diff -Nru atheme-services-7.2.7/include/sysconf.h.in~ 
atheme-services-7.2.9/include/sysconf.h.in~
--- atheme-services-7.2.7/include/sysconf.h.in~ 2016-10-08 10:58:00.000000000 
-0400
+++ atheme-services-7.2.9/include/sysconf.h.in~ 1969-12-31 19:00:00.000000000 
-0500
@@ -1,290 +0,0 @@
-/* include/sysconf.h.in.  Generated from configure.ac by autoheader.  */
-
-/* Define if building universal (internal helper macro) */
-#undef AC_APPLE_UNIVERSAL_BUILD
-
-/* Define to 1 if translation of program messages to the user's native
-   language is requested. */
-#undef ENABLE_NLS
-
-/* Define to 1 if you have the `arc4random' function. */
-#undef HAVE_ARC4RANDOM
-
-/* Define to 1 if you have the `arc4random_buf' function. */
-#undef HAVE_ARC4RANDOM_BUF
-
-/* Define to 1 if you have the `arc4random_uniform' function. */
-#undef HAVE_ARC4RANDOM_UNIFORM
-
-/* Define to 1 if you have the `asprintf' function. */
-#undef HAVE_ASPRINTF
-
-/* Define if crypt() is available */
-#undef HAVE_CRYPT
-
-/* Define if the GNU dcgettext() function is already present or preinstalled.
-   */
-#undef HAVE_DCGETTEXT
-
-/* Define to 1 if you have the `execve' function. */
-#undef HAVE_EXECVE
-
-/* Define to 1 if you have the `explicit_bzero' function. */
-#undef HAVE_EXPLICIT_BZERO
-
-/* Define to 1 if you have the `fork' function. */
-#undef HAVE_FORK
-
-/* Define to 1 if you have the `getpid' function. */
-#undef HAVE_GETPID
-
-/* Define to 1 if you have the `getrlimit' function. */
-#undef HAVE_GETRLIMIT
-
-/* Define if the GNU gettext() function is already present or preinstalled. */
-#undef HAVE_GETTEXT
-
-/* Define to 1 if you have the `gettimeofday' function. */
-#undef HAVE_GETTIMEOFDAY
-
-/* Define if you have the iconv() function. */
-#undef HAVE_ICONV
-
-/* Define to 1 if you have the `inet_ntop' function. */
-#undef HAVE_INET_NTOP
-
-/* Define to 1 if you have the `inet_pton' function. */
-#undef HAVE_INET_PTON
-
-/* Define to 1 if the system has the type `intmax_t'. */
-#undef HAVE_INTMAX_T
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-#undef HAVE_LIBNSL
-
-/* Define to 1 if libqrencode is available */
-#undef HAVE_LIBQRENCODE
-
-/* Define to 1 if you have the `socket' library (-lsocket). */
-#undef HAVE_LIBSOCKET
-
-/* Define to 1 if you have the <link.h> header file. */
-#undef HAVE_LINK_H
-
-/* Define to 1 if you have the `localeconv' function. */
-#undef HAVE_LOCALECONV
-
-/* Define to 1 if you have the <locale.h> header file. */
-#undef HAVE_LOCALE_H
-
-/* Define to 1 if the system has the type `long double'. */
-#undef HAVE_LONG_DOUBLE
-
-/* Define to 1 if the system has the type 'long long int'. */
-#undef HAVE_LONG_LONG_INT
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the `memset_s' function. */
-#undef HAVE_MEMSET_S
-
-/* Define to 1 if openssl is available */
-#undef HAVE_OPENSSL
-
-/* Define to 1 if you have the <openssl/ec.h> header file. */
-#undef HAVE_OPENSSL_EC_H
-
-/* Define to 1 if you have the <openssl/err.h> header file. */
-#undef HAVE_OPENSSL_ERR_H
-
-/* Define to 1 if you have the <openssl/ssl.h> header file. */
-#undef HAVE_OPENSSL_SSL_H
-
-/* Define if you want to use PCRE */
-#undef HAVE_PCRE
-
-/* Define to 1 if the system has the type `ptrdiff_t'. */
-#undef HAVE_PTRDIFF_T
-
-/* Define to 1 if you have a C99 compliant `snprintf' function. */
-#undef HAVE_SNPRINTF
-
-/* Define to 1 if you have the <stdarg.h> header file. */
-#undef HAVE_STDARG_H
-
-/* Define to 1 if you have the <stddef.h> header file. */
-#undef HAVE_STDDEF_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the `strcasestr' function. */
-#undef HAVE_STRCASESTR
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the `strtok_r' function. */
-#undef HAVE_STRTOK_R
-
-/* Define to 1 if `decimal_point' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_DECIMAL_POINT
-
-/* Define to 1 if `thousands_sep' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_THOUSANDS_SEP
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if the system has the type `uintmax_t'. */
-#undef HAVE_UINTMAX_T
-
-/* Define to 1 if the system has the type `uintptr_t'. */
-#undef HAVE_UINTPTR_T
-
-/* Define to 1 if you have the `umask' function. */
-#undef HAVE_UMASK
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if the system has the type 'unsigned long long int'. */
-#undef HAVE_UNSIGNED_LONG_LONG_INT
-
-/* Define to 1 if you have the <varargs.h> header file. */
-#undef HAVE_VARARGS_H
-
-/* Define to 1 if you have the `vasprintf' function. */
-#undef HAVE_VASPRINTF
-
-/* Define to 1 if you have the `va_copy' function or macro. */
-#undef HAVE_VA_COPY
-
-/* Define to 1 if you have a C99 compliant `vsnprintf' function. */
-#undef HAVE_VSNPRINTF
-
-/* Define to 1 if you have the `__va_copy' function or macro. */
-#undef HAVE___VA_COPY
-
-/* Uncomment to enable reproducible builds. */
-#undef REPRODUCIBLE_BUILDS
-
-/* Uncomment to enable large network support. */
-#undef LARGE_NETWORK
-
-/* Name of package */
-#undef PACKAGE
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Enable extensions on AIX 3, Interix.  */
-#ifndef _ALL_SOURCE
-# undef _ALL_SOURCE
-#endif
-/* Enable GNU extensions on systems that have them.  */
-#ifndef _GNU_SOURCE
-# undef _GNU_SOURCE
-#endif
-/* Enable threading extensions on Solaris.  */
-#ifndef _POSIX_PTHREAD_SEMANTICS
-# undef _POSIX_PTHREAD_SEMANTICS
-#endif
-/* Enable extensions on HP NonStop.  */
-#ifndef _TANDEM_SOURCE
-# undef _TANDEM_SOURCE
-#endif
-/* Enable general extensions on Solaris.  */
-#ifndef __EXTENSIONS__
-# undef __EXTENSIONS__
-#endif
-
-
-/* Vendor and URL for modules's "vendor" field */
-#undef VENDOR_STRING
-
-/* Version number of package */
-#undef VERSION
-
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-   significant byte first (like Motorola and SPARC, unlike Intel). */
-#if defined AC_APPLE_UNIVERSAL_BUILD
-# if defined __BIG_ENDIAN__
-#  define WORDS_BIGENDIAN 1
-# endif
-#else
-# ifndef WORDS_BIGENDIAN
-#  undef WORDS_BIGENDIAN
-# endif
-#endif
-
-/* Define to 1 if on MINIX. */
-#undef _MINIX
-
-/* Define to 2 if the system does not provide POSIX.1 features except with
-   this defined. */
-#undef _POSIX_1_SOURCE
-
-/* Define to 1 if you need to in order for `stat' and other things to work. */
-#undef _POSIX_SOURCE
-
-/* Define to rpl_asprintf if the replacement function should be used. */
-#undef asprintf
-
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
-/* Define to the widest signed integer type if <stdint.h> and <inttypes.h> do
-   not define. */
-#undef intmax_t
-
-/* Define to `unsigned int' if <sys/types.h> does not define. */
-#undef size_t
-
-/* Define to rpl_snprintf if the replacement function should be used. */
-#undef snprintf
-
-/* Define to the widest unsigned integer type if <stdint.h> and <inttypes.h>
-   do not define. */
-#undef uintmax_t
-
-/* Define to the type of an unsigned integer type wide enough to hold a
-   pointer, if such a type exists, and if the system does not define it. */
-#undef uintptr_t
-
-/* Define to rpl_vasprintf if the replacement function should be used. */
-#undef vasprintf
-
-/* Define to rpl_vsnprintf if the replacement function should be used. */
-#undef vsnprintf
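Review bot: this whole-file deletion removes an editor backup file (include/sysconf.h.in~, note the trailing tilde) that was shipped in the 7.2.7 tarball and is absent from 7.2.9. It has no effect on the build, since autoheader reads sysconf.h.in rather than the backup, but it accounts for 290 of the debdiff's removed lines and should not be mistaken for a change to the configure checks.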
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2.c 
atheme-services-7.2.9/modules/crypto/pbkdf2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2.c       2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2.c       2017-02-12 
09:58:54.000000000 -0500
@@ -31,65 +31,6 @@
 #define ROUNDS         (128000)
 #define SALTLEN                (16)
 
-/* This is an implementation of PKCS#5 v2.0 password based encryption key
- * derivation function PBKDF2.
- * SHA1 version verified against test vectors posted by Peter Gutmann
- * <pgut...@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-...@rsa.com> mailing list.
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
-                          const unsigned char *salt, int saltlen, int iter,
-                          const EVP_MD *digest,
-                          int keylen, unsigned char *out)
-{
-       unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
-       int cplen, j, k, tkeylen, mdlen;
-       unsigned long i = 1;
-       HMAC_CTX hctx;
-
-       mdlen = EVP_MD_size(digest);
-
-       HMAC_CTX_init(&hctx);
-       p = out;
-       tkeylen = keylen;
-       if(!pass)
-               passlen = 0;
-       else if(passlen == -1)
-               passlen = strlen(pass);
-       while(tkeylen)
-       {
-               if(tkeylen > mdlen)
-                       cplen = mdlen;
-               else
-                       cplen = tkeylen;
-               /* We are unlikely to ever use more than 256 blocks (5120 bits!)
-                * but just in case...
-                */
-               itmp[0] = (unsigned char)((i >> 24) & 0xff);
-               itmp[1] = (unsigned char)((i >> 16) & 0xff);
-               itmp[2] = (unsigned char)((i >> 8) & 0xff);
-               itmp[3] = (unsigned char)(i & 0xff);
-               HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
-               HMAC_Update(&hctx, salt, saltlen);
-               HMAC_Update(&hctx, itmp, 4);
-               HMAC_Final(&hctx, digtmp, NULL);
-               memcpy(p, digtmp, cplen);
-               for(j = 1; j < iter; j++)
-               {
-                       HMAC(digest, pass, passlen,
-                                digtmp, mdlen, digtmp, NULL);
-                       for(k = 0; k < cplen; k++)
-                               p[k] ^= digtmp[k];
-               }
-               tkeylen-= cplen;
-               i++;
-               p+= cplen;
-       }
-       HMAC_CTX_cleanup(&hctx);
-       return 1;
-}
-
-/*******************************************************************************************/
-
 static const char *pbkdf2_salt(void)
 {
        static char buf[SALTLEN + 1];
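Review bot: this is the upstream form of the dropped openssl-1.1.0-5480943.patch. The removed function redefined PKCS5_PBKDF2_HMAC, a symbol OpenSSL itself exports, and placed an HMAC_CTX on the stack; with OpenSSL 1.1 that type is opaque and HMAC_CTX_init/HMAC_CTX_cleanup are gone, which is why the Debian patch was needed to build against 1.1 in the first place. After this hunk the module uses the library's own PBKDF2, so password hashing output does not change, only the source of the implementation; the libssl build dependency stays as it is.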
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2v2.c 
atheme-services-7.2.9/modules/crypto/pbkdf2v2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2v2.c     2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2v2.c     2017-02-12 
09:58:54.000000000 -0500
@@ -28,13 +28,6 @@
 #include <openssl/evp.h>
 
 /*
- * You can change the 2 values below without invalidating old hashes
- */
-
-#define PBKDF2_PRF_DEF         6
-#define PBKDF2_ITER_DEF                64000
-
-/*
  * Do not change anything below this line unless you know what you are doing,
  * AND how it will (possibly) break backward-, forward-, or cross-compatibility
  *
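Review bot: the deleted comment "You can change the 2 values below without invalidating old hashes" is the only statement of that property in the file, and it is not restated next to the new runtime variables. The property still holds, since the stored format PBKDF2_F_SALT "$z$%u$%u$%s$" records the prf and iteration count per hash and the comparison further down checks those against the configured values, so suggest keeping a one-line comment to that effect near pbkdf2v2_digest/pbkdf2v2_rounds.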
@@ -47,65 +40,15 @@
 #define PBKDF2_F_SALT          "$z$%u$%u$%s$"
 #define PBKDF2_F_PRINT         "$z$%u$%u$%s$%s"
 
+#define PBKDF2_C_MIN           10000
+#define PBKDF2_C_MAX           5000000
+#define PBKDF2_C_DEF           64000
+
 static const char salt_chars[62] =
        "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
 
-/*
- * This equivalent implementation provided incase the user doesn't
- * have a new enough OpenSSL library installed on their machine
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
-                      const unsigned char *salt, int sl,
-                      int iter, const EVP_MD *PRF,
-                      int dkLen, unsigned char *out)
-{
-       if (! pass)
-               pl = 0;
-
-       if (pass && pl < 0)
-               pl = strlen(pass);
-
-       int tkLen = dkLen;
-       int mdLen = EVP_MD_size(PRF);
-       unsigned char *p = out;
-       unsigned long i = 1;
-
-       HMAC_CTX hctx;
-       HMAC_CTX_init(&hctx);
-
-       while (tkLen) {
-
-               unsigned char itmp[4];
-               itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
-               itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
-               itmp[2] = (unsigned char) ((i >>  8) & 0xFF);
-               itmp[3] = (unsigned char) ((i >>  0) & 0xFF);
-               i++;
-
-               unsigned char digtmp[EVP_MAX_MD_SIZE];
-               HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
-               HMAC_Update(&hctx, salt, sl);
-               HMAC_Update(&hctx, itmp, 4);
-               HMAC_Final(&hctx, digtmp, NULL);
-
-               int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
-               memcpy(p, digtmp, cpLen);
-
-               int j, k;
-               for (j = 1; j < iter; j++) {
-                       HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
-                       for (k = 0; k < cpLen; k++)
-                               p[k] ^= digtmp[k];
-               }
-
-               tkLen -= cpLen;
-               p += cpLen;
-       }
-
-       HMAC_CTX_cleanup(&hctx);
-
-       return 1;
-}
+static unsigned int pbkdf2v2_digest = 6; /* SHA512 */
+static unsigned int pbkdf2v2_rounds = PBKDF2_C_DEF;
 
 static const char *pbkdf2v2_make_salt(void)
 {
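Review bot: Removing the in-tree PKCS5_PBKDF2_HMAC fallback is the right call, but two things are worth noting in the commit message or a comment. The removed function was non-static and carried the exact name and signature of the OpenSSL routine declared in evp.h, so on any library that already exports it the local copy silently overrode the library version; and it allocated `HMAC_CTX hctx;` on the stack with HMAC_CTX_init/HMAC_CTX_cleanup, which does not compile against OpenSSL 1.1 where HMAC_CTX is opaque. The module now relies entirely on the library function, so the build should fail cleanly on an OpenSSL without it rather than fall back to nothing; that check is outside this hunk. Also document next to `static unsigned int pbkdf2v2_digest = 6; /* SHA512 */` that the numeric PRF ids are part of the on-disk hash format (5 = SHA256, 6 = SHA512 as mapped in c_ci_pbkdf2v2_digest), since they must never be renumbered.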
@@ -119,7 +62,7 @@
                salt[i] = salt_chars[arc4random() % sizeof salt_chars];
 
        (void) snprintf(result, sizeof result, PBKDF2_F_SALT,
-                       PBKDF2_PRF_DEF, PBKDF2_ITER_DEF, salt);
+                       pbkdf2v2_digest, pbkdf2v2_rounds, salt);
 
        return result;
 }
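Review bot: The change itself is fine, but the unchanged context line `salt[i] = salt_chars[arc4random() % sizeof salt_chars];` only works because salt_chars is declared with an explicit length of 62 and therefore has no NUL terminator; if anyone later declares it as `salt_chars[]`, sizeof becomes 63 and a NUL byte can be selected into the salt, truncating the `$z$...$` string produced by PBKDF2_F_SALT. A `_Static_assert` or a comment on the array declaration would make that dependency explicit.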
@@ -189,30 +132,59 @@
        if (sscanf(user_pass_string, PBKDF2_F_SCAN, &prf, &iter, salt) < 3)
                return 0;
 
-       if (prf != PBKDF2_PRF_DEF)
+       if (prf != pbkdf2v2_digest)
                return 1;
 
-       if (iter != PBKDF2_ITER_DEF)
+       if (iter != pbkdf2v2_rounds)
                return 1;
 
        return 0;
 }
 
-static crypt_impl_t pbkdf2_crypt_impl = {
+static int c_ci_pbkdf2v2_digest(mowgli_config_file_entry_t *ce)
+{
+       if (ce->vardata == NULL)
+       {
+               conf_report_warning(ce, "no parameter for configuration 
option");
+               return 0;
+       }
+
+       if (!strcasecmp(ce->vardata, "SHA256"))
+               pbkdf2v2_digest = 5;
+       else if (!strcasecmp(ce->vardata, "SHA512"))
+               pbkdf2v2_digest = 6;
+       else
+               conf_report_warning(ce, "invalid parameter for configuration 
option");
+
+       return 0;
+}
+
+static crypt_impl_t pbkdf2v2_crypt_impl = {
        .id = "pbkdf2v2",
        .crypt = &pbkdf2v2_crypt,
        .salt = &pbkdf2v2_make_salt,
        .needs_param_upgrade = &pbkdf2v2_needs_param_upgrade,
 };
 
+static mowgli_list_t conf_pbkdf2v2_table;
+
 void _modinit(module_t* m)
 {
-       crypt_register(&pbkdf2_crypt_impl);
+       crypt_register(&pbkdf2v2_crypt_impl);
+
+       add_subblock_top_conf("PBKDF2V2", &conf_pbkdf2v2_table);
+       add_conf_item("DIGEST", &conf_pbkdf2v2_table, c_ci_pbkdf2v2_digest);
+       add_uint_conf_item("ROUNDS", &conf_pbkdf2v2_table, 0, &pbkdf2v2_rounds,
+                                    PBKDF2_C_MIN, PBKDF2_C_MAX, PBKDF2_C_DEF);
 }
 
 void _moddeinit(module_unload_intent_t intent)
 {
-       crypt_unregister(&pbkdf2_crypt_impl);
+       del_conf_item("DIGEST", &conf_pbkdf2v2_table);
+       del_conf_item("ROUNDS", &conf_pbkdf2v2_table);
+       del_top_conf("PBKDF2V2");
+
+       crypt_unregister(&pbkdf2v2_crypt_impl);
 }
 
-#endif
+#endif /* HAVE_OPENSSL */
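Review bot: pbkdf2v2_needs_param_upgrade returns 1 whenever `iter != pbkdf2v2_rounds`, in either direction, so an operator who lowers ROUNDS in the config will have every existing hash silently re-hashed to the weaker setting on the user's next successful login. If a downgrade is not intended, compare with `iter < pbkdf2v2_rounds` (and similarly treat only a digest change as an upgrade), or at least state the behaviour in the config documentation. The range enforced by `add_uint_conf_item("ROUNDS", ..., PBKDF2_C_MIN, PBKDF2_C_MAX, PBKDF2_C_DEF)` bounds how far it can go, which is good. c_ci_pbkdf2v2_digest correctly leaves the previous value in place on an unknown name after warning; it would be clearer to say so in the warning text ("invalid parameter ..., keeping current digest"). Ordering in _moddeinit (conf items removed before crypt_unregister) is correct.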
diff -Nru atheme-services-7.2.7/modules/memoserv/main.c 
atheme-services-7.2.9/modules/memoserv/main.c
--- atheme-services-7.2.7/modules/memoserv/main.c       2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/memoserv/main.c       2017-02-12 
09:58:54.000000000 -0500
@@ -38,6 +38,9 @@
 
 void _moddeinit(module_unload_intent_t intent)
 {
+       hook_del_user_identify(on_user_identify);
+       hook_del_user_away(on_user_away);
+
         if (memosvs != NULL)
                 service_delete(memosvs);
 }
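Review bot: Good fix; without these two hook_del_* calls the hook lists keep pointing at on_user_identify and on_user_away after the module is unloaded, so the next identify or away event would call into unmapped code. Deleting the hooks before `service_delete(memosvs)` is also the right order, because both handlers dereference memosvs (memosvs->me->nick, memosvs->disp in the hunks below) and must not run once it is gone.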
@@ -54,6 +57,11 @@
                notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s 
READ NEW"),
                                        ircd->uses_rcommand ? "" : "msg ", 
memosvs->disp);
        }
+       if (mu->memos.count >= maxmemos)
+       {
+               notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! 
Please "
+                                                    "delete memos you no 
longer need."));
+       }
 }
 
 static void on_user_away(user_t *u)
@@ -80,6 +88,11 @@
                notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s 
READ NEW"),
                                        ircd->uses_rcommand ? "" : "msg ", 
memosvs->disp);
        }
+       if (mu->memos.count >= maxmemos)
+       {
+               notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! 
Please "
+                                                    "delete memos you no 
longer need."));
+       }
 }
 
 /* vim:cinoptions=>s,e0,n0,f0,{0,}0,^0,=s,ps,t0,c3,+s,(2s,us,)20,*30,gs,hs
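Review bot: This inserted block is byte-for-byte identical to the one added to on_user_identify in the previous hunk; factor both into a small static helper (a hypothetical `memoserv_notify_inbox_full(u, mu)`) so the threshold test `mu->memos.count >= maxmemos` and the message text live in one place and stay consistent with the limit actually enforced on send.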
diff -Nru atheme-services-7.2.7/modules/saslserv/main.c 
atheme-services-7.2.9/modules/saslserv/main.c
--- atheme-services-7.2.7/modules/saslserv/main.c       2016-10-08 
10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/saslserv/main.c       2017-02-12 
09:58:54.000000000 -0500
@@ -609,6 +609,7 @@
        req.mu = source_mu;
        req.allowed = true;
        hook_call_user_can_login(&req);
+       object_unref(req.si);
        if (!req.allowed)
        {
                sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to 
\2%s\2 (denied by hook)", entity(source_mu)->name);
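Review bot: Placing `object_unref(req.si)` immediately after the first hook_call_user_can_login closes the leak, but it leaves req.si as a dangling pointer for the rest of the function; the impersonation path further down reuses the same req structure, which is exactly what the follow-up hunk has to repair. Either set `req.si = NULL` right after the unref so any later use fails loudly, or move the single unref to after the impersonation block and drop the second create/unref pair.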
@@ -645,9 +646,11 @@
 
                sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "allowed 
IMPERSONATE by \2%s\2 to \2%s\2", entity(source_mu)->name, 
entity(target_mu)->name);
 
+               req.si = sasl_sourceinfo_create(p);
                req.mu = target_mu;
                req.allowed = true;
                hook_call_user_can_login(&req);
+               object_unref(req.si);
                if (!req.allowed)
                {
                        sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed 
LOGIN to \2%s\2 (denied by hook)", entity(target_mu)->name);
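Review bot: This restores a live sourceinfo for the impersonation check by recreating `req.si = sasl_sourceinfo_create(p)` and releasing it after the hook, which fixes the use after free that the 7.2.8 leak fix introduced (req.si was unref'd after the first hook_call_user_can_login and then passed to the hook again here). It works, but it is the more fragile of the two options: a single unref after the impersonation block would need no second allocation and would remove the window in which req.si is dangling. Whichever is kept, a comment tying the two object_unref calls together will stop the next reader from "simplifying" one of them away.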
diff -Nru atheme-services-7.2.7/NEWS.md atheme-services-7.2.9/NEWS.md
--- atheme-services-7.2.7/NEWS.md       2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/NEWS.md       2017-02-12 09:58:54.000000000 -0500
@@ -1,3 +1,18 @@
+Atheme Services 7.2.9 Release Notes
+===================================
+
+This is a security release fixing use after free that could potentially be 
abused
+by an attacker already having the privilege to use SASL impersonation to cause 
a
+denial of service. Users of 7.2.8 should update to version 7.2.9; older 
releases
+are not affected.
+
+Atheme Services 7.2.8 Release Notes
+===================================
+
+This is a security release fixing a memory leak that could potentially be 
abused
+by attackers to cause a denial of service. Users of Atheme 7.2.7 should update 
to
+version 7.2.8; older releases are not affected.
+
 Atheme Services 7.2.7 Release Notes
 ===================================
 
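Review bot: The 7.2.9 entry should say that the use after free was introduced by the 7.2.8 leak fix itself (the object_unref of req.si after the first user_can_login hook, reused on the SASL impersonation path), so that anyone backporting the leak fix alone knows the two changes belong together; likewise the 7.2.8 entry does not say what leaked (the SASL sourceinfo allocated per login attempt). Neither entry cites a bug or advisory identifier, which makes the fixes hard to track in a distribution.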
