Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Please unblock package cyrus-sasl2 Kees Cook has brought to my attention that cyrus-sasl2 could close tcp connection prematurely and provided a simple patch that shuts down the socket and wait for client to close it instead of just closing it down. See #777349 for more background information. The patch is small, and I understand what it does :), so I recommend this for inclusion in jessie (or in .point release). unblock cyrus-sasl2/2.1.26.dfsg1-13 - -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (990, 'testing'), (700, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQJ8BAEBCgBmBQJU/aK0XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHdO0QAKKuiXPiy7a/IJ6907w7RYoL bxL9eMfouQp0B6dd8m7IZa/5ty5+cF8j3hi2B5xR25sLPWNo7nSYWYt85Lemaot7 nhk3Vct5WVyUwLO7QL2bdsNc8OPhdDfeEhIwuQ70PEChVXEBCnu9NLTpxPE3a+mB n7jx/miEXh5p2Z2u3+jjjj1i8ZEt5iOyP2regXze7Q+5AGydQO8JOyF7HgNtuPoY 9pBqknugm+6PryI13viM2fee+EGAC+FdJamoF7KTmOGL7JvSuBvRSfjGMcvwavqg 5dHk3AMY4qSuuco1FZsqUkJUBfwpueYLmHpyq9uFDWLULXKxTs8Acapdk5NlTKfY P42kof1ZvLnQhWRD0tTfuyyrIOqmCE8huPwdBFyXpiouqgl7Io2XNqK16AtN98hn 2TXO44H8TmPD/RccKMuSo62rQhufOW6aTc9z+6IkPNgmtc0mexxIExKVhaMxG+u4 uHgdPrAP2Q8mqHYGRf3V/ccpaU+BotX7R4Ud15Qt7pJNIzBbYNWYlSCYHz8Qks3q Sn7on13mNTT5BNC10qlSE7j4rKutJ7MDwzm6l17Fpe59Wx6XL03nhB8lgaCQxLkF cdkz6Xx2dEdQwG70fkD2AbmZX2e0AUipRKmepHp2oL5JmgRAM+HLkjEq2R37nQft CC97oKsRe4QkefBYjLBx =l/Bl -----END PGP SIGNATURE-----
diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/changelog cyrus-sasl2-2.1.26.dfsg1/debian/changelog --- cyrus-sasl2-2.1.26.dfsg1/debian/changelog 2014-10-17 14:41:14.000000000 +0200 +++ cyrus-sasl2-2.1.26.dfsg1/debian/changelog 2015-03-09 14:21:37.000000000 +0100 @@ -1,3 +1,11 @@ +cyrus-sasl2 (2.1.26.dfsg1-13) unstable; urgency=medium + + * Shutdown down the write side of the socket and wait for the client to + close the connection (0 byte read) before closing the server side + (Closes: #777349) (Courtesy of Kees Cook) + + -- Ondřej Surý <[email protected]> Mon, 09 Mar 2015 14:21:23 +0100 + cyrus-sasl2 (2.1.26.dfsg1-12) unstable; urgency=medium * Add patch to fix login to dovecot imapd 2.x (Closes: #715040) diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch --- cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch 1970-01-01 01:00:00.000000000 +0100 +++ cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch 2015-03-09 14:21:37.000000000 +0100 @@ -0,0 +1,34 @@ +Description: it is possible for the client side of the socket to miss data + when the server uses close() immediately after the last write(). To avoid + this, shutdown down the write side of the socket and wait for the client + to close the connection (0 byte read) before closing the server side. +Author: Kees Cook <[email protected]> + +--- cyrus-sasl2.orig/saslauthd/ipc_unix.c ++++ cyrus-sasl2/saslauthd/ipc_unix.c +@@ -217,6 +217,7 @@ void ipc_loop() { + + int rc; + int conn_fd; ++ unsigned char dummy; + + + while(1) { +@@ -261,6 +262,8 @@ void ipc_loop() { + } + + do_request(conn_fd); ++ shutdown(conn_fd, SHUT_WR); ++ while (read(conn_fd, &dummy, 1) > 0) { } + close(conn_fd); + + if(flags & DETACH_TTY) { +@@ -275,6 +278,8 @@ void ipc_loop() { + * Normal prefork mode. + *************************************************************/ + do_request(conn_fd); ++ shutdown(conn_fd, SHUT_WR); ++ while (read(conn_fd, &dummy, 1) > 0) { } + close(conn_fd); + } + diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/patches/series cyrus-sasl2-2.1.26.dfsg1/debian/patches/series --- cyrus-sasl2-2.1.26.dfsg1/debian/patches/series 2014-10-17 14:41:14.000000000 +0200 +++ cyrus-sasl2-2.1.26.dfsg1/debian/patches/series 2015-03-09 14:21:37.000000000 +0100 @@ -30,3 +30,4 @@ 0046_fix_void_return.patch properly-create-libsasl2.pc.patch bug715040.patch +early-hangup.patch
