Date: Sunday, February 3, 2019 @ 15:26:46 Author: jgc Revision: 345181
Update to 2.1.27 Fix FS#59173 Fix FS#59873 Refresh patches from debian, remove obsolete patches Added: cyrus-sasl/trunk/0003-Update-saslauthd.conf-location-in-documentation.patch cyrus-sasl/trunk/0006-Enable-autoconf-maintainer-mode.patch cyrus-sasl/trunk/0010-Update-required-libraries-when-ld-as-needed-is-used.patch cyrus-sasl/trunk/0013-Don-t-use-la-files-for-opening-plugins.patch cyrus-sasl/trunk/0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch cyrus-sasl/trunk/0022-Fix-keytab-option-for-MIT-Kerberos.patch cyrus-sasl/trunk/0032-Add-with_pgsql-include-postgresql-to-include-path.patch cyrus-sasl/trunk/gdbm-errno.patch Modified: cyrus-sasl/trunk/PKGBUILD Deleted: cyrus-sasl/trunk/0010_maintainer_mode.patch cyrus-sasl/trunk/0011_saslauthd_ac_prog_libtool.patch cyrus-sasl/trunk/0025_ld_as_needed.patch cyrus-sasl/trunk/0026_drop_krb5support_dependency.patch cyrus-sasl/trunk/0030-dont_use_la_files_for_opening_plugins.patch cyrus-sasl/trunk/CVE-2013-4122.patch cyrus-sasl/trunk/cyrus-sasl-2.1.22-as-needed.patch cyrus-sasl/trunk/cyrus-sasl-2.1.22-qa.patch cyrus-sasl/trunk/cyrus-sasl-2.1.26-size_t.patch cyrus-sasl/trunk/cyrus-sasl-2.1.27-openssl-1.1.0.patch cyrus-sasl/trunk/cyrus-sasl-gssapi.patch cyrus-sasl/trunk/cyrus-sasl-sql.patch cyrus-sasl/trunk/fix-pkgconfig.patch -----------------------------------------------------------------+ 0003-Update-saslauthd.conf-location-in-documentation.patch | 41 0006-Enable-autoconf-maintainer-mode.patch | 22 0010-Update-required-libraries-when-ld-as-needed-is-used.patch | 37 0010_maintainer_mode.patch | 19 0011_saslauthd_ac_prog_libtool.patch | 15 0013-Don-t-use-la-files-for-opening-plugins.patch | 153 +++ 0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch | 26 0022-Fix-keytab-option-for-MIT-Kerberos.patch | 66 + 0025_ld_as_needed.patch | 27 0026_drop_krb5support_dependency.patch | 14 0030-dont_use_la_files_for_opening_plugins.patch | 134 --- 0032-Add-with_pgsql-include-postgresql-to-include-path.patch | 23 
CVE-2013-4122.patch | 116 -- PKGBUILD | 93 -- cyrus-sasl-2.1.22-as-needed.patch | 11 cyrus-sasl-2.1.22-qa.patch | 22 cyrus-sasl-2.1.26-size_t.patch | 11 cyrus-sasl-2.1.27-openssl-1.1.0.patch | 435 ---------- cyrus-sasl-gssapi.patch | 16 cyrus-sasl-sql.patch | 39 fix-pkgconfig.patch | 27 gdbm-errno.patch | 29 22 files changed, 432 insertions(+), 944 deletions(-) Added: 0003-Update-saslauthd.conf-location-in-documentation.patch =================================================================== --- 0003-Update-saslauthd.conf-location-in-documentation.patch (rev 0) +++ 0003-Update-saslauthd.conf-location-in-documentation.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -0,0 +1,41 @@
+From: Debian Cyrus SASL Team
+ <pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org>
+Date: Thu, 24 Mar 2016 11:35:03 +0100
+Subject: Update saslauthd.conf location in documentation
+
+date format (cosmetic).
+---
+ saslauthd/saslauthd.mdoc | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
+index 0c2209e..17c9284 100644
+--- a/saslauthd/saslauthd.mdoc
++++ b/saslauthd/saslauthd.mdoc
+@@ -10,7 +10,7 @@
+ .\" manpage in saslauthd.8 whenever you change this source
+ .\" version. Only the pre-formatted manpage is installed.
+ .\"
+-.Dd 12 12 2005
++.Dd December 12 2005
+ .Dt SASLAUTHD 8
+ .Os "CMU-SASL"
+ .Sh NAME
+@@ -245,7 +245,7 @@ instead.
+ .Em (All platforms that support OpenLDAP 2.0 or higher)
+ .Pp
+ Authenticate against an ldap server. The ldap configuration parameters are
+-read from /usr/local/etc/saslauthd.conf. The location of this file can be
++read from /etc/saslauthd.conf. The location of this file can be
+ changed with the -O parameter. See the LDAP_SASLAUTHD file included with the
+ distribution for the list of available parameters.
+ .It Li sia
+@@ -278,7 +278,7 @@ was never intended to be used in this manner, anyway.)
+ .Bl -tag -width "/var/run/saslauthd/mux"
+ .It Pa /var/run/saslauthd/mux
+ The default communications socket.
+-.It Pa /usr/local/etc/saslauthd.conf
++.It Pa /etc/saslauthd.conf
+ The default configuration file for ldap support.
+ .El
+ .Sh SEE ALSO
Added: 0006-Enable-autoconf-maintainer-mode.patch
===================================================================
--- 0006-Enable-autoconf-maintainer-mode.patch (rev 0)
+++ 0006-Enable-autoconf-maintainer-mode.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -0,0 +1,22 @@
+From: Debian Cyrus SASL Team
+ <pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org>
+Date: Thu, 24 Mar 2016 11:35:03 +0100
+Subject: Enable autoconf maintainer mode
+
+---
+ configure.ac | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 388f5d0..b3db52c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -69,6 +69,8 @@ AC_CANONICAL_TARGET
+
+ AM_INIT_AUTOMAKE([1.11 tar-ustar dist-bzip2 foreign -Wno-portability subdir-objects])
+
++AM_MAINTAINER_MODE
++
+ DIRS=""
+
+ AC_ARG_ENABLE(cmulocal,
Added: 0010-Update-required-libraries-when-ld-as-needed-is-used.patch
===================================================================
--- 0010-Update-required-libraries-when-ld-as-needed-is-used.patch (rev 0)
+++ 0010-Update-required-libraries-when-ld-as-needed-is-used.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -0,0 +1,37 @@
+From: Debian Cyrus SASL Team
+ <pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org>
+Date: Thu, 24 Mar 2016 11:35:04 +0100
+Subject: Update required libraries when ld --as-needed is used
+
+it.
+---
+ saslauthd/Makefile.am | 2 +-
+ sasldb/Makefile.am | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/saslauthd/Makefile.am b/saslauthd/Makefile.am
+index 864b29b..4cf3a3d 100644
+--- a/saslauthd/Makefile.am
++++ b/saslauthd/Makefile.am
+@@ -25,7 +25,7 @@ EXTRA_saslauthd_sources = getaddrinfo.c getnameinfo.c
+ saslauthd_DEPENDENCIES = saslauthd-main.o $(LTLIBOBJS_FULL)
+ saslauthd_LDADD = @SASL_KRB_LIB@ \
+ @GSSAPIBASE_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
+- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
++ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ $(LTLIBOBJS_FULL) $(CRYPTO_COMPAT_OBJS) $(LIBSASLDB_OBJS)
+
+ testsaslauthd_SOURCES = testsaslauthd.c utils.c
+ testsaslauthd_LDADD = @LIB_SOCKET@
+diff --git a/sasldb/Makefile.am b/sasldb/Makefile.am
+index 497ee25..a27645f 100644
+--- a/sasldb/Makefile.am
++++ b/sasldb/Makefile.am
+@@ -54,6 +54,6 @@ noinst_LTLIBRARIES = libsasldb.la
+
+ libsasldb_la_SOURCES = allockey.c sasldb.h
+ EXTRA_libsasldb_la_SOURCES = $(extra_common_sources)
+-libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND)
+-libsasldb_la_LIBADD = $(SASL_DB_BACKEND)
++libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
++libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB)
+ libsasldb_la_LDFLAGS = -no-undefined
Deleted: 0010_maintainer_mode.patch
===================================================================
--- 0010_maintainer_mode.patch 2019-02-03 14:59:06 UTC (rev 345180)
+++ 0010_maintainer_mode.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -1,19 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 0010_maintainer_mode.dpatch by <fa...@debian.org> -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Enable maintainer mode to avoid auto* problems. - -@DPATCH@ -diff -urNad trunk~/configure.in trunk/configure.in ---- trunk~/configure.in 2006-05-29 22:52:46.000000000 +0300 -+++ trunk/configure.in 2006-11-01 23:24:55.000000000 +0200 -@@ -62,6 +62,8 @@ - AM_INIT_AUTOMAKE(cyrus-sasl, 2.1.22) - CMU_INIT_AUTOMAKE - -+AM_MAINTAINER_MODE -+ - # and include our config dir scripts - ACLOCAL="$ACLOCAL -I \$(top_srcdir)/config" - Deleted: 0011_saslauthd_ac_prog_libtool.patch =================================================================== --- 0011_saslauthd_ac_prog_libtool.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ 0011_saslauthd_ac_prog_libtool.patch 2019-02-03 15:26:46 UTC (rev 345181) @@ -1,15 +0,0 @@ -0011_saslauthd_ac_prog_libtool.dpatch by <fa...@debian.org> - -Enable libtool use. - -diff -urNad trunk~/saslauthd/configure.in trunk/saslauthd/configure.in ---- trunk~/saslauthd/configure.in 2006-05-29 22:52:42.000000000 +0300 -+++ trunk/saslauthd/configure.in 2006-11-01 23:41:51.000000000 +0200 -@@ -25,6 +25,7 @@ - AC_PROG_MAKE_SET - AC_PROG_LN_S - AC_PROG_INSTALL -+AC_PROG_LIBTOOL - - dnl Checks for build foo - CMU_C___ATTRIBUTE__ Added: 0013-Don-t-use-la-files-for-opening-plugins.patch =================================================================== --- 0013-Don-t-use-la-files-for-opening-plugins.patch (rev 0) +++ 0013-Don-t-use-la-files-for-opening-plugins.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -0,0 +1,153 @@ +From: Debian Cyrus SASL Team + <pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org> +Date: Thu, 24 Mar 2016 11:35:04 +0100 +Subject: Don't use la files for opening plugins + +--- + lib/dlopen.c | 121 ++++------------------------------------------------------- + 1 file changed, 7 insertions(+), 114 deletions(-) + +diff --git a/lib/dlopen.c b/lib/dlopen.c +index 8284cd8..ef90b11 100644 +--- a/lib/dlopen.c ++++ b/lib/dlopen.c +@@ -246,113 +246,6 @@ static int _sasl_plugin_load(char *plugin, void *library, + return result; + } + +-/* this returns the file to actually open. +- * out should be a buffer of size PATH_MAX +- * and may be the same as in. */ +- +-/* We'll use a static buffer for speed unless someone complains */ +-#define MAX_LINE 2048 +- +-static int _parse_la(const char *prefix, const char *in, char *out) +-{ +- FILE *file; +- size_t length; +- char line[MAX_LINE]; +- char *ntmp = NULL; +- +- if(!in || !out || !prefix || out == in) return SASL_BADPARAM; +- +- /* Set this so we can detect failure */ +- *out = '\0'; +- +- length = strlen(in); +- +- if (strcmp(in + (length - strlen(LA_SUFFIX)), LA_SUFFIX)) { +- if(!strcmp(in + (length - strlen(SO_SUFFIX)),SO_SUFFIX)) { +- /* check for a .la file */ +- if (strlen(prefix) + strlen(in) + strlen(LA_SUFFIX) + 1 >= MAX_LINE) +- return SASL_BADPARAM; +- strcpy(line, prefix); +- strcat(line, in); +- length = strlen(line); +- *(line + (length - strlen(SO_SUFFIX))) = '\0'; +- strcat(line, LA_SUFFIX); +- file = fopen(line, "r"); +- if(file) { +- /* We'll get it on the .la open */ +- fclose(file); +- return SASL_FAIL; +- } +- } +- if (strlen(prefix) + strlen(in) + 1 >= PATH_MAX) +- return SASL_BADPARAM; +- strcpy(out, prefix); +- strcat(out, in); +- return SASL_OK; +- } +- +- if (strlen(prefix) + strlen(in) + 1 >= MAX_LINE) +- return SASL_BADPARAM; +- strcpy(line, prefix); +- strcat(line, in); +- +- file = fopen(line, "r"); +- if(!file) { +- _sasl_log(NULL, SASL_LOG_WARN, +- "unable to open LA file: 
%s", line); +- return SASL_FAIL; +- } +- +- while(!feof(file)) { +- if(!fgets(line, MAX_LINE, file)) break; +- if(line[strlen(line) - 1] != '\n') { +- _sasl_log(NULL, SASL_LOG_WARN, +- "LA file has too long of a line: %s", in); +- fclose(file); +- return SASL_BUFOVER; +- } +- if(line[0] == '\n' || line[0] == '#') continue; +- if(!strncmp(line, "dlname=", sizeof("dlname=") - 1)) { +- /* We found the line with the name in it */ +- char *end; +- char *start; +- size_t len; +- end = strrchr(line, '\''); +- if(!end) continue; +- start = &line[sizeof("dlname=")-1]; +- len = strlen(start); +- if(len > 3 && start[0] == '\'') { +- ntmp=&start[1]; +- *end='\0'; +- /* Do we have dlname="" ? */ +- if(ntmp == end) { +- _sasl_log(NULL, SASL_LOG_DEBUG, +- "dlname is empty in .la file: %s", in); +- fclose(file); +- return SASL_FAIL; +- } +- strcpy(out, prefix); +- strcat(out, ntmp); +- } +- break; +- } +- } +- if(ferror(file) || feof(file)) { +- _sasl_log(NULL, SASL_LOG_WARN, +- "Error reading .la: %s\n", in); +- fclose(file); +- return SASL_FAIL; +- } +- fclose(file); +- +- if(!(*out)) { +- _sasl_log(NULL, SASL_LOG_WARN, +- "Could not find a dlname line in .la file: %s", in); +- return SASL_FAIL; +- } +- +- return SASL_OK; +-} + #endif /* DO_DLOPEN */ + + /* loads a plugin library */ +@@ -506,18 +399,18 @@ int _sasl_load_plugins(const add_plugin_list_t *entrypoints, + if (length + pos>=PATH_MAX) continue; /* too big */ + + if (strcmp(dir->d_name + (length - strlen(SO_SUFFIX)), +- SO_SUFFIX) +- && strcmp(dir->d_name + (length - strlen(LA_SUFFIX)), +- LA_SUFFIX)) ++ SO_SUFFIX)) + continue; + ++ /* We only use .so files for loading plugins */ ++ + memcpy(name,dir->d_name,length); + name[length]='\0'; + +- result = _parse_la(prefix, name, tmp); +- if(result != SASL_OK) +- continue; +- ++ /* Create full name with path */ ++ strncpy(tmp, prefix, PATH_MAX); ++ strncat(tmp, name, PATH_MAX); ++ + /* skip "lib" and cut off suffix -- + this only need be approximate */ + strcpy(plugname, 
name + 3); Added: 0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch =================================================================== --- 0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch (rev 0) +++ 0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch 2019-02-03 15:26:46 UTC (rev 345181) @@ -0,0 +1,26 @@ +From 31b68a9438c24fc9e3e52f626462bf514de31757 Mon Sep 17 00:00:00 2001 +From: Ryan Tandy <r...@nardis.ca> +Date: Mon, 24 Dec 2018 15:07:02 -0800 +Subject: [PATCH] Restore LIBS after checking gss_inquire_sec_context_by_oid + +Fixes: 4b0306dcd76031460246b2dabcb7db766d6b04d8 +--- + m4/sasl2.m4 | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/m4/sasl2.m4 b/m4/sasl2.m4 +index 56e0504a..17f5d081 100644 +--- a/m4/sasl2.m4 ++++ b/m4/sasl2.m4 +@@ -311,9 +311,10 @@ if test "$gssapi" != no; then + [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,, + [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])]) + fi ++ LIBS="$cmu_save_LIBS" ++ + cmu_save_LIBS="$LIBS" + LIBS="$LIBS $GSSAPIBASE_LIBS" +- + AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries]) + AC_TRY_RUN([ + #ifdef HAVE_GSSAPI_H Added: 0022-Fix-keytab-option-for-MIT-Kerberos.patch =================================================================== --- 0022-Fix-keytab-option-for-MIT-Kerberos.patch (rev 0) +++ 0022-Fix-keytab-option-for-MIT-Kerberos.patch 2019-02-03 15:26:46 UTC (rev 345181) 
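Review bot: The path construction that replaces `_parse_la()` in `_sasl_load_plugins`, `strncpy(tmp, prefix, PATH_MAX); strncat(tmp, name, PATH_MAX);`, does not bound the write the way its size arguments suggest. `strncpy` leaves `tmp` unterminated when `prefix` is PATH_MAX bytes or longer, and the third argument of `strncat` limits the bytes appended, not the size of `tmp`. The only guard visible in the hunk is the earlier `if (length + pos>=PATH_MAX) continue;`, which presumably covers prefix plus name, but `pos` and the declaration of `tmp` are outside the hunk, so that should be confirmed. A single checked call would make the bound explicit: `n = snprintf(tmp, PATH_MAX, "%s%s", prefix, name); if (n < 0 || n >= PATH_MAX) continue;` with `n` declared as `int` alongside the function's other locals. The function body starts and ends outside the hunk.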
@@ -0,0 +1,66 @@ +From: Debian Cyrus SASL Team + <pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org> +Date: Thu, 24 Mar 2016 11:35:05 +0100 +Subject: Fix keytab option for MIT Kerberos + +--- + m4/sasl2.m4 | 1 + + plugins/gssapi.c | 11 ++++++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/m4/sasl2.m4 b/m4/sasl2.m4 +index 56e0504..a90f7b4 100644 +--- a/m4/sasl2.m4 ++++ b/m4/sasl2.m4 +@@ -282,6 +282,7 @@ if test "$gssapi" != no; then + ]) + fi + fi ++ AC_CHECK_FUNCS(krb5_gss_register_acceptor_identity) + AC_CHECK_FUNCS(gss_decapsulate_token) + AC_CHECK_FUNCS(gss_encapsulate_token) + AC_CHECK_FUNCS(gss_oid_equal) +diff --git a/plugins/gssapi.c b/plugins/gssapi.c +index ff663da..7c69ac2 100644 +--- a/plugins/gssapi.c ++++ b/plugins/gssapi.c +@@ -1545,7 +1545,7 @@ static sasl_server_plug_t gssapi_server_plugins[] = + }; + + int gssapiv2_server_plug_init( +-#ifndef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY ++#if !defined(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY) && !defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY) + const sasl_utils_t *utils __attribute__((unused)), + #else + const sasl_utils_t *utils, +@@ -1555,7 +1555,7 @@ int gssapiv2_server_plug_init( + sasl_server_plug_t **pluglist, + int *plugcount) + { +-#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY ++#if defined(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY) || defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY) + const char *keytab = NULL; + char keytab_path[1024]; + unsigned int rl; +@@ -1565,7 +1565,7 @@ int gssapiv2_server_plug_init( + return SASL_BADVERS; + } + +-#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY ++#if defined(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY) || defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY) + /* unfortunately, we don't check for readability of keytab if it's + the standard one, since we don't know where it is */ + +@@ -1587,7 +1587,12 @@ int gssapiv2_server_plug_init( + + strncpy(keytab_path, keytab, 1024); + ++#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY + 
gsskrb5_register_acceptor_identity(keytab_path); ++#endif ++#ifdef HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY ++ krb5_gss_register_acceptor_identity(keytab_path); ++#endif + } + #endif + Deleted: 0025_ld_as_needed.patch =================================================================== --- 0025_ld_as_needed.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ 0025_ld_as_needed.patch 2019-02-03 15:26:46 UTC (rev 345181) @@ -1,27 +0,0 @@ -Author: Matthias Klose <d...@ubuntu.com> -Desription: Fix FTBFS, add $(SASL_DB_LIB) as dependency to libsasldb, and use -it. ---- a/saslauthd/Makefile.am -+++ b/saslauthd/Makefile.am -@@ -16,7 +16,7 @@ EXTRA_saslauthd_sources = getaddrinfo.c - saslauthd_DEPENDENCIES = saslauthd-main.o @LTLIBOBJS@ - saslauthd_LDADD = @SASL_KRB_LIB@ \ - @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \ -- @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@ -+ @LIB_SOCKET@ ../sasldb/libsasldb.la @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@ - - testsaslauthd_SOURCES = testsaslauthd.c utils.c - testsaslauthd_LDADD = @LIB_SOCKET@ ---- a/sasldb/Makefile.am -+++ b/sasldb/Makefile.am -@@ -55,8 +55,8 @@ noinst_LIBRARIES = libsasldb.a - - libsasldb_la_SOURCES = allockey.c sasldb.h - EXTRA_libsasldb_la_SOURCES = $(extra_common_sources) --libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) --libsasldb_la_LIBADD = $(SASL_DB_BACKEND) -+libsasldb_la_DEPENDENCIES = $(SASL_DB_BACKEND) $(SASL_DB_LIB) -+libsasldb_la_LIBADD = $(SASL_DB_BACKEND) $(SASL_DB_LIB) - - # Prevent make dist stupidity - libsasldb_a_SOURCES = Deleted: 0026_drop_krb5support_dependency.patch =================================================================== --- 0026_drop_krb5support_dependency.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ 0026_drop_krb5support_dependency.patch 2019-02-03 15:26:46 UTC (rev 345181) 
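Review bot: The added `krb5_gss_register_acceptor_identity(keytab_path);` call in `gssapiv2_server_plug_init` discards its status, as the existing `gsskrb5_register_acceptor_identity` call does, so nothing in the hunk reports a keytab that fails to register. Checking the result and logging it would make a misconfigured acceptor identity visible, for example `if (krb5_gss_register_acceptor_identity(keytab_path) != GSS_S_COMPLETE) utils->log(NULL, SASL_LOG_ERR, "cannot register keytab %s", keytab_path);`. When both `HAVE_*` macros are defined both registrations run; turning the second guard into `#elif defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY)` would make the choice explicit. The context line `strncpy(keytab_path, keytab, 1024);` does not terminate the buffer itself, and the length check that presumably precedes it is outside the hunk.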
@@ -1,14 +0,0 @@ -Author: Roberto C. Sanchez <robe...@connexer.com> -Description: Drop gratuitous dependency on krb5support ---- a/cmulocal/sasl2.m4 -+++ b/cmulocal/sasl2.m4 -@@ -112,9 +112,6 @@ if test "$gssapi" != no; then - fi - - if test "$gss_impl" = "auto" -o "$gss_impl" = "mit"; then -- # check for libkrb5support first -- AC_CHECK_LIB(krb5support,krb5int_getspecific,K5SUP=-lkrb5support K5SUPSTATIC=$gssapi_dir/libkrb5support.a,,${LIB_SOCKET}) -- - gss_failed=0 - AC_CHECK_LIB(gssapi_krb5,gss_unwrap,gss_impl="mit",gss_failed=1, - ${GSSAPIBASE_LIBS} -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ${K5SUP} ${LIB_SOCKET}) Deleted: 0030-dont_use_la_files_for_opening_plugins.patch =================================================================== --- 0030-dont_use_la_files_for_opening_plugins.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ 0030-dont_use_la_files_for_opening_plugins.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -1,134 +0,0 @@ ---- a/lib/dlopen.c -+++ b/lib/dlopen.c -@@ -247,105 +247,6 @@ static int _sasl_plugin_load(char *plugi - return result; - } - --/* this returns the file to actually open. -- * out should be a buffer of size PATH_MAX -- * and may be the same as in. */ -- --/* We'll use a static buffer for speed unless someone complains */ --#define MAX_LINE 2048 -- --static int _parse_la(const char *prefix, const char *in, char *out) --{ -- FILE *file; -- size_t length; -- char line[MAX_LINE]; -- char *ntmp = NULL; -- -- if(!in || !out || !prefix || out == in) return SASL_BADPARAM; -- -- /* Set this so we can detect failure */ -- *out = '\0'; -- -- length = strlen(in); -- -- if (strcmp(in + (length - strlen(LA_SUFFIX)), LA_SUFFIX)) { -- if(!strcmp(in + (length - strlen(SO_SUFFIX)),SO_SUFFIX)) { -- /* check for a .la file */ -- strcpy(line, prefix); -- strcat(line, in); -- length = strlen(line); -- *(line + (length - strlen(SO_SUFFIX))) = '\0'; -- strcat(line, LA_SUFFIX); -- file = fopen(line, "r"); -- if(file) { -- /* We'll get it on the .la open */ -- fclose(file); -- return SASL_FAIL; -- } -- } -- strcpy(out, prefix); -- strcat(out, in); -- return SASL_OK; -- } -- -- strcpy(line, prefix); -- strcat(line, in); -- -- file = fopen(line, "r"); -- if(!file) { -- _sasl_log(NULL, SASL_LOG_WARN, -- "unable to open LA file: %s", line); -- return SASL_FAIL; -- } -- -- while(!feof(file)) { -- if(!fgets(line, MAX_LINE, file)) break; -- if(line[strlen(line) - 1] != '\n') { -- _sasl_log(NULL, SASL_LOG_WARN, -- "LA file has too long of a line: %s", in); -- return SASL_BUFOVER; -- } -- if(line[0] == '\n' || line[0] == '#') continue; -- if(!strncmp(line, "dlname=", sizeof("dlname=") - 1)) { -- /* We found the line with the name in it */ -- char *end; -- char *start; -- size_t len; -- end = strrchr(line, '\''); -- if(!end) continue; -- start = &line[sizeof("dlname=")-1]; -- len = strlen(start); -- if(len > 3 && start[0] == '\'') { -- ntmp=&start[1]; -- *end='\0'; -- /* Do we have 
dlname="" ? */ -- if(ntmp == end) { -- _sasl_log(NULL, SASL_LOG_DEBUG, -- "dlname is empty in .la file: %s", in); -- return SASL_FAIL; -- } -- strcpy(out, prefix); -- strcat(out, ntmp); -- } -- break; -- } -- } -- if(ferror(file) || feof(file)) { -- _sasl_log(NULL, SASL_LOG_WARN, -- "Error reading .la: %s\n", in); -- fclose(file); -- return SASL_FAIL; -- } -- fclose(file); -- -- if(!(*out)) { -- _sasl_log(NULL, SASL_LOG_WARN, -- "Could not find a dlname line in .la file: %s", in); -- return SASL_FAIL; -- } -- -- return SASL_OK; --} - #endif /* DO_DLOPEN */ - - /* loads a plugin library */ -@@ -499,18 +400,18 @@ int _sasl_load_plugins(const add_plugin_ - if (length + pos>=PATH_MAX) continue; /* too big */ - - if (strcmp(dir->d_name + (length - strlen(SO_SUFFIX)), -- SO_SUFFIX) -- && strcmp(dir->d_name + (length - strlen(LA_SUFFIX)), -- LA_SUFFIX)) -+ SO_SUFFIX)) - continue; - -+ /* We only use .so files for loading plugins */ -+ - memcpy(name,dir->d_name,length); - name[length]='\0'; - -- result = _parse_la(prefix, name, tmp); -- if(result != SASL_OK) -- continue; -- -+ /* Create full name with path */ -+ strncpy(tmp, prefix, PATH_MAX); -+ strncat(tmp, name, PATH_MAX); -+ - /* skip "lib" and cut off suffix -- - this only need be approximate */ - strcpy(plugname, name + 3); Added: 0032-Add-with_pgsql-include-postgresql-to-include-path.patch =================================================================== --- 0032-Add-with_pgsql-include-postgresql-to-include-path.patch (rev 0) +++ 0032-Add-with_pgsql-include-postgresql-to-include-path.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -0,0 +1,23 @@ +From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ond...@sury.org> +Date: Tue, 25 Oct 2016 12:33:27 +0200 +Subject: Add ${with_pgsql}include/postgresql/ to include path + +--- + configure.ac | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fe7f0eb..1882f31 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -894,7 +894,9 @@ case "$with_pgsql" in + LIB_PGSQL_DIR=$LIB_PGSQL + LIB_PGSQL="$LIB_PGSQL -lpq" + +- if test -d ${with_pgsql}/include/pgsql; then ++ if test -d ${with_pgsql}/include/postgresql/; then ++ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include/postgresql" ++ elif test -d ${with_pgsql}/include/pgsql; then + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include/pgsql" + elif test -d ${with_pgsql}/pgsql/include; then + CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include" Deleted: CVE-2013-4122.patch =================================================================== --- CVE-2013-4122.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ CVE-2013-4122.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -1,116 +0,0 @@ -From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001 -From: mancha <manc...@hush.com> -Date: Thu, 11 Jul 2013 09:08:07 +0000 -Subject: Handle NULL returns from glibc 2.17+ crypt() - -Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL -(w/ NULL return) if the salt violates specifications. Additionally, -on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords -passed to crypt() fail with EPERM (w/ NULL return). - -When using glibc's crypt(), check return value to avoid a possible -NULL pointer dereference. - -Patch by manc...@hush.com. ---- -diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c -index 4b34222..400289c 100644 ---- a/pwcheck/pwcheck_getpwnam.c -+++ b/pwcheck/pwcheck_getpwnam.c -@@ -32,6 +32,7 @@ char *userid; - char *password; - { - char* r; -+ char* crpt_passwd; - struct passwd *pwd; - - pwd = getpwnam(userid); -@@ -41,7 +42,7 @@ char *password; - else if (pwd->pw_passwd[0] == '*') { - r = "Account disabled"; - } -- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) { -+ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) { - r = "Incorrect password"; - } - else { -diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c -index 2b11286..6d607bb 100644 ---- a/pwcheck/pwcheck_getspnam.c -+++ b/pwcheck/pwcheck_getspnam.c -@@ -32,13 +32,15 @@ char *userid; - char *password; - { - struct spwd *pwd; -+ char *crpt_passwd; - - pwd = getspnam(userid); - if (!pwd) { - return "Userid not found"; - } - -- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) { -+ crpt_passwd = crypt(password, pwd->sp_pwdp); -+ if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) { - return "Incorrect password"; - } - else { -diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c -index fc8029d..d4ebe54 100644 ---- a/saslauthd/auth_getpwent.c -+++ 
b/saslauthd/auth_getpwent.c -@@ -77,6 +77,7 @@ auth_getpwent ( - { - /* VARIABLES */ - struct passwd *pw; /* pointer to passwd file entry */ -+ char *crpt_passwd; /* encrypted password */ - int errnum; - /* END VARIABLES */ - -@@ -105,7 +106,8 @@ auth_getpwent ( - } - } - -- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) { -+ crpt_passwd = crypt(password, pw->pw_passwd); -+ if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) { - if (flags & VERBOSE) { - syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login); - } -diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c -index 677131b..1988afd 100644 ---- a/saslauthd/auth_shadow.c -+++ b/saslauthd/auth_shadow.c -@@ -210,8 +210,8 @@ auth_shadow ( - RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)"); - } - -- cpw = strdup((const char *)crypt(password, sp->sp_pwdp)); -- if (strcmp(sp->sp_pwdp, cpw)) { -+ cpw = crypt(password, sp->sp_pwdp); -+ if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) { - if (flags & VERBOSE) { - /* - * This _should_ reveal the SHADOW_PW_LOCKED prefix to an -@@ -221,10 +221,8 @@ auth_shadow ( - syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'", - sp->sp_pwdp, cpw); - } -- free(cpw); - RETURN("NO Incorrect password"); - } -- free(cpw); - - /* - * The following fields will be set to -1 if: -@@ -286,7 +284,7 @@ auth_shadow ( - RETURN("NO Invalid username"); - } - -- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) { -+ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) { - if (flags & VERBOSE) { - syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s", - password, upw->upw_passwd); --- -cgit v0.9.2 Modified: PKGBUILD =================================================================== --- PKGBUILD 2019-02-03 14:59:06 UTC (rev 345180) +++ PKGBUILD 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -6,8 +6,8 @@
 pkgbase=('cyrus-sasl')
 pkgname=('cyrus-sasl' 'cyrus-sasl-gssapi' 'cyrus-sasl-ldap' 'cyrus-sasl-sql')
 #pkgname=libsasl
-pkgver=2.1.26
-pkgrel=13
+pkgver=2.1.27
+pkgrel=1
 pkgdesc="Cyrus Simple Authentication Service Layer (SASL) library"
 arch=('x86_64')
 url="https://www.cyrusimap.org/sasl/"
@@ -15,54 +15,41 @@ options=('!makeflags') makedepends=('postgresql-libs' 'mariadb-libs' 'libldap' 'krb5' 'openssl' 'sqlite') source=(https://www.cyrusimap.org/releases/cyrus-sasl-${pkgver}.tar.gz - cyrus-sasl-2.1.22-qa.patch - cyrus-sasl-2.1.26-size_t.patch - 0010_maintainer_mode.patch - 0011_saslauthd_ac_prog_libtool.patch - 0025_ld_as_needed.patch - 0026_drop_krb5support_dependency.patch - 0030-dont_use_la_files_for_opening_plugins.patch + 0003-Update-saslauthd.conf-location-in-documentation.patch + 0006-Enable-autoconf-maintainer-mode.patch + 0010-Update-required-libraries-when-ld-as-needed-is-used.patch + 0013-Don-t-use-la-files-for-opening-plugins.patch + 0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch + 0022-Fix-keytab-option-for-MIT-Kerberos.patch + 0032-Add-with_pgsql-include-postgresql-to-include-path.patch + gdbm-errno.patch saslauthd.service saslauthd.conf.d - tmpfiles.conf - CVE-2013-4122.patch - cyrus-sasl-sql.patch - cyrus-sasl-gssapi.patch - cyrus-sasl-2.1.27-openssl-1.1.0.patch - fix-pkgconfig.patch) -md5sums=('a7f4e5e559a0e37b3ffc438c9456e425' - '79b8a5e8689989e2afd4b7bda595a7b1' - 'f45aa8c42b32e0569ab3d14a83485b37' - 'f45d8b60e8f74dd7f7c2ec1665fa602a' - '9d93880514cb5ff5da969f1ceb64a661' - '62bf892fe4d1df41ff748e91a1afaf67' - 'b7848957357e7c02d6490102be496bf9' - '8e7106f32e495e9ade69014fd1b3352a' - '3499dcd610ad1ad58e0faffde2aa7a23' - '49219af5641150edec288a3fdb65e7c1' - '45bb0192d2f188066240b9a66ee6365f' - 'c5f0ec88c584a75c14d7f402eaeed7ef' - '82c0f66fdc5c1145eb48ea9116c27931' - '0363b1a0337474a57b1f75f72fe88fa3' - 'c8a385bbca9bd79910c6bda3dd02845c' - '409727695f9f28a3c43e340232462ff6') + tmpfiles.conf) +sha256sums=('26866b1549b00ffd020f188a43c258017fa1c382b3ddadd8201536f72efb05d5' + '9919c81196701d11a3a77e2573a541489ad9ab42a4c50eb7d19edfb37713c604' + '7bd2b2af36c061e92f69944a18e2c122aea0d2b21773f5ea47bb6209f13d0812' + '8e22cb6ac58208f191b1eb19aac602c1bf49708f2a3b2e3de5f5b2c1e2467906' + 
'bbee401c01dc6942710e0c1285091fcd98588bf636b52f24ed0e3b04039b748b' + 'a953c79c585d579f25135de0fe807d6da1fddccbd5b66a9606fb6390c12c7e31' + '1a0ae7bd722d57feb6fab12c05eb1922982c68bd9be1c165d405954012e6634f' + '3c375f8755fdbd98a21c4ee195bebbd2a146901fee327e4dd6cfde7a4dcba7c3' + '03a57cbcec85602fb8e39b7c8a3ff1a22d2c20a28e771b8b326a570d733bf432' + '5c6453050a5f594ca1d53baf3a6188d8f3cdc7a28467ad7c844ad51f663dae9a' + 'fa57b4f374ae633633091b1c8b44e1e0be814e4fddbfa75f16eb3dd1f16b8640' + '16ca1a4185847b0c6c70ef6c7c314cb466f698d3ed02185a5f50e8179822f024') prepare() { cd cyrus-sasl-$pkgver - patch -Np1 -i ../cyrus-sasl-2.1.22-qa.patch - patch -Np1 -i ../cyrus-sasl-2.1.26-size_t.patch - patch -Np1 -i ../0010_maintainer_mode.patch - patch -Np1 -i ../0011_saslauthd_ac_prog_libtool.patch - patch -Np1 -i ../0025_ld_as_needed.patch - patch -Np1 -i ../0026_drop_krb5support_dependency.patch - patch -Np1 -i ../0030-dont_use_la_files_for_opening_plugins.patch - patch -Np1 -i ../CVE-2013-4122.patch - patch -Np0 -i ../cyrus-sasl-sql.patch - patch -Np1 -i ../cyrus-sasl-gssapi.patch - patch -Np1 -i ../cyrus-sasl-2.1.27-openssl-1.1.0.patch - patch -Np1 -i ../fix-pkgconfig.patch - - sed -e 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' -e 's/libmysqlclient.a/libmysqlclient.so/' -i configure.in + patch -Np1 -i ../0003-Update-saslauthd.conf-location-in-documentation.patch + patch -Np1 -i ../0006-Enable-autoconf-maintainer-mode.patch + patch -Np1 -i ../0010-Update-required-libraries-when-ld-as-needed-is-used.patch + patch -Np1 -i ../0013-Don-t-use-la-files-for-opening-plugins.patch + patch -Np1 -i ../0020-Restore-LIBS-after-checking-gss_inquire_sec_context_.patch + patch -Np1 -i ../0022-Fix-keytab-option-for-MIT-Kerberos.patch + patch -Np1 -i ../0032-Add-with_pgsql-include-postgresql-to-include-path.patch + patch -Np1 -i ../gdbm-errno.patch + cp -a saslauthd/saslauthd.mdoc saslauthd/saslauthd.8 } build() { 
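Review bot: `prepare()` no longer applies `CVE-2013-4122.patch` (the crypt() NULL-return checks in pwcheck and saslauthd), and neither this hunk nor the commit message records that 2.1.27 carries that fix upstream. It presumably does, but this should be confirmed against the 2.1.27 sources, for instance `saslauthd/auth_shadow.c` and `saslauthd/auth_getpwent.c`. Once confirmed, a one-line comment above the `patch` calls would keep the reasoning with the package: `# CVE-2013-4122 (crypt() NULL return) is fixed upstream in 2.1.27, patch dropped`. The move from `md5sums` to `sha256sums` is welcome, but the release tarball is still trusted on checksum alone. If upstream publishes a detached signature, adding it to `source` together with `validpgpkeys` would tie the download to the release key.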
@@ -73,22 +60,11 @@ rm -f config/ltconfig config/ltmain.sh config/libtool.m4 rm -fr autom4te.cache libtoolize -c - aclocal -I config -I cmulocal + aclocal -I config automake -a -c autoheader autoconf - pushd saslauthd - rm -f config/config.guess config/config.sub - rm -f config/ltconfig config/ltmain.sh config/libtool.m4 - rm -fr autom4te.cache - libtoolize -c - aclocal -I config -I ../cmulocal -I ../config - automake -a -c - autoheader - autoconf - popd - ./configure --prefix=/usr \ --sbin=/usr/bin \ --mandir=/usr/share/man \ @@ -123,6 +99,7 @@ --with-configdir=/etc/sasl2:/etc/sasl:/usr/lib/sasl2 \ --sysconfdir=/etc \ --with-devrandom=/dev/urandom + sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool make } @@ -147,7 +124,7 @@ } package_cyrus-sasl() { - depends=("libsasl=${pkgver}" 'krb5') + depends=("libsasl=${pkgver}" 'krb5' 'pam') pkgdesc="Cyrus saslauthd SASL authentication daemon" backup=('etc/conf.d/saslauthd') Deleted: cyrus-sasl-2.1.22-as-needed.patch =================================================================== --- cyrus-sasl-2.1.22-as-needed.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ cyrus-sasl-2.1.22-as-needed.patch 2019-02-03 15:26:46 UTC (rev 345181) @@ -1,11 +0,0 @@ ---- saslauthd/configure.in.orig 2006-05-23 15:53:17.000000000 -0700 -+++ saslauthd/configure.in 2006-05-23 15:53:33.000000000 -0700 -@@ -77,7 +77,7 @@ - AC_DEFINE(AUTH_SASLDB,[],[Include SASLdb Support]) - SASL_DB_PATH_CHECK() - SASL_DB_CHECK() -- SASL_DB_LIB="$SASL_DB_LIB ../sasldb/.libs/libsasldb.al" -+ SASL_DB_LIB="../sasldb/.libs/libsasldb.a $SASL_DB_LIB" - fi - - AC_ARG_ENABLE(httpform, [ --enable-httpform enable HTTP form authentication [[no]] ], Deleted: cyrus-sasl-2.1.22-qa.patch =================================================================== --- cyrus-sasl-2.1.22-qa.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ cyrus-sasl-2.1.22-qa.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -1,22 +0,0 @@
-fix missing prototype warnings
-
---- cyrus-sasl-2.1.22/lib/auxprop.c
-+++ cyrus-sasl-2.1.22/lib/auxprop.c
-@@ -43,6 +43,7 @@
- */
-
- #include <config.h>
-+#include <stdio.h>
- #include <sasl.h>
- #include <prop.h>
- #include <ctype.h>
---- cyrus-sasl-2.1.22/pwcheck/pwcheck_getspnam.c
-+++ cyrus-sasl-2.1.22/pwcheck/pwcheck_getspnam.c
-@@ -24,6 +24,7 @@ OF OR IN CONNECTION WITH THE USE OR PERF
- ******************************************************************/
-
- #include <shadow.h>
-+#include <string.h>
-
- extern char *crypt();
-
Deleted: cyrus-sasl-2.1.26-size_t.patch
===================================================================
--- cyrus-sasl-2.1.26-size_t.patch 2019-02-03 14:59:06 UTC (rev 345180)
+++ cyrus-sasl-2.1.26-size_t.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -1,11 +0,0 @@
---- cyrus-sasl-2.1.26/include/sasl.h 2012-10-12 09:05:48.000000000 -0500
-+++ cyrus-sasl-2.1.26/include/sasl.h 2013-01-31 13:21:04.007739327 -0600
-@@ -223,6 +223,8 @@ extern "C" {
- * they must be called before all other SASL functions:
- */
-
-+#include <sys/types.h>
-+
- /* memory allocation functions which may optionally be replaced:
- */
- typedef void *sasl_malloc_t(size_t);
Deleted: cyrus-sasl-2.1.27-openssl-1.1.0.patch
===================================================================
--- cyrus-sasl-2.1.27-openssl-1.1.0.patch 2019-02-03 14:59:06 UTC (rev 345180)
+++ cyrus-sasl-2.1.27-openssl-1.1.0.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -1,435 +0,0 @@ -diff -up cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 cyrus-sasl-2.1.26/plugins/ntlm.c ---- cyrus-sasl-2.1.26/plugins/ntlm.c.openssl110 2012-01-28 00:31:36.000000000 +0100 -+++ cyrus-sasl-2.1.26/plugins/ntlm.c 2016-11-07 16:15:57.498259304 +0100 -@@ -417,6 +417,29 @@ static unsigned char *P24(unsigned char - return P24; - } - -+static HMAC_CTX *_plug_HMAC_CTX_new(const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_new()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ return HMAC_CTX_new(); -+#else -+ return utils->malloc(sizeof(HMAC_CTX)); -+#endif -+} -+ -+static void _plug_HMAC_CTX_free(HMAC_CTX *ctx, const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_HMAC_CTX_free()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ HMAC_CTX_free(ctx); -+#else -+ HMAC_cleanup(ctx); -+ utils->free(ctx); -+#endif -+} -+ - static unsigned char *V2(unsigned char *V2, sasl_secret_t *passwd, - const char *authid, const char *target, - const unsigned char *challenge, -@@ -424,7 +447,7 @@ static unsigned char *V2(unsigned char * - const sasl_utils_t *utils, - char **buf, unsigned *buflen, int *result) - { -- HMAC_CTX ctx; -+ HMAC_CTX *ctx = NULL; - unsigned char hash[EVP_MAX_MD_SIZE]; - char *upper; - unsigned int len; -@@ -435,6 +458,10 @@ static unsigned char *V2(unsigned char * - SETERROR(utils, "cannot allocate NTLMv2 hash"); - *result = SASL_NOMEM; - } -+ else if ((ctx = _plug_HMAC_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate HMAC CTX"); -+ *result = SASL_NOMEM; -+ } - else { - /* NTLMv2hash = HMAC-MD5(NTLMhash, unicode(ucase(authid + domain))) */ - P16_nt(hash, passwd, utils, buf, buflen, result); -@@ -449,17 +476,18 @@ static unsigned char *V2(unsigned char * - HMAC(EVP_md5(), hash, MD4_DIGEST_LENGTH, *buf, 2 * len, hash, &len); - - /* V2 = HMAC-MD5(NTLMv2hash, challenge + blob) + blob */ -- HMAC_Init(&ctx, hash, len, EVP_md5()); -- HMAC_Update(&ctx, challenge, NTLM_NONCE_LENGTH); -- 
HMAC_Update(&ctx, blob, bloblen); -- HMAC_Final(&ctx, V2, &len); -- HMAC_cleanup(&ctx); -+ HMAC_Init_ex(ctx, hash, len, EVP_md5(), NULL); -+ HMAC_Update(ctx, challenge, NTLM_NONCE_LENGTH); -+ HMAC_Update(ctx, blob, bloblen); -+ HMAC_Final(ctx, V2, &len); - - /* the blob is concatenated outside of this function */ - - *result = SASL_OK; - } - -+ if (ctx) _plug_HMAC_CTX_free(ctx, utils); -+ - return V2; - } - -diff -up cyrus-sasl-2.1.26/plugins/otp.c.openssl110 cyrus-sasl-2.1.26/plugins/otp.c ---- cyrus-sasl-2.1.26/plugins/otp.c.openssl110 2012-10-12 16:05:48.000000000 +0200 -+++ cyrus-sasl-2.1.26/plugins/otp.c 2016-11-07 16:13:54.374327601 +0100 -@@ -96,6 +96,28 @@ static algorithm_option_t algorithm_opti - {NULL, 0, NULL} - }; - -+static EVP_MD_CTX *_plug_EVP_MD_CTX_new(const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_new()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ return EVP_MD_CTX_new(); -+#else -+ return utils->malloc(sizeof(EVP_MD_CTX)); -+#endif -+} -+ -+static void _plug_EVP_MD_CTX_free(EVP_MD_CTX *ctx, const sasl_utils_t *utils) -+{ -+ utils->log(NULL, SASL_LOG_DEBUG, "_plug_EVP_MD_CTX_free()"); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ EVP_MD_CTX_free(ctx); -+#else -+ utils->free(ctx); -+#endif -+} -+ - /* Convert the binary data into ASCII hex */ - void bin2hex(unsigned char *bin, int binlen, char *hex) - { -@@ -116,17 +138,16 @@ void bin2hex(unsigned char *bin, int bin - * swabbing bytes if necessary. 
- */ - static void otp_hash(const EVP_MD *md, char *in, size_t inlen, -- unsigned char *out, int swab) -+ unsigned char *out, int swab, EVP_MD_CTX *mdctx) - { -- EVP_MD_CTX mdctx; -- char hash[EVP_MAX_MD_SIZE]; -+ unsigned char hash[EVP_MAX_MD_SIZE]; - unsigned int i; - int j; - unsigned hashlen; - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, in, inlen); -- EVP_DigestFinal(&mdctx, hash, &hashlen); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, in, inlen); -+ EVP_DigestFinal(mdctx, hash, &hashlen); - - /* Fold the result into 64 bits */ - for (i = OTP_HASH_SIZE; i < hashlen; i++) { -@@ -149,7 +170,9 @@ static int generate_otp(const sasl_utils - char *secret, char *otp) - { - const EVP_MD *md; -- char *key; -+ EVP_MD_CTX *mdctx = NULL; -+ char *key = NULL; -+ int r = SASL_OK; - - if (!(md = EVP_get_digestbyname(alg->evp_name))) { - utils->seterror(utils->conn, 0, -@@ -157,23 +180,32 @@ static int generate_otp(const sasl_utils - return SASL_FAIL; - } - -+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate MD CTX"); -+ r = SASL_NOMEM; -+ goto done; -+ } -+ - if ((key = utils->malloc(strlen(seed) + strlen(secret) + 1)) == NULL) { - SETERROR(utils, "cannot allocate OTP key"); -- return SASL_NOMEM; -+ r = SASL_NOMEM; -+ goto done; - } - - /* initial step */ - strcpy(key, seed); - strcat(key, secret); -- otp_hash(md, key, strlen(key), otp, alg->swab); -+ otp_hash(md, key, strlen(key), otp, alg->swab, mdctx); - - /* computation step */ - while (seq-- > 0) -- otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab); -- -- utils->free(key); -+ otp_hash(md, otp, OTP_HASH_SIZE, otp, alg->swab, mdctx); -+ -+ done: -+ if (key) utils->free(key); -+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); - -- return SASL_OK; -+ return r; - } - - static int parse_challenge(const sasl_utils_t *utils, -@@ -693,7 +725,8 @@ static int strptrcasecmp(const void *arg - - /* Convert the 6 words into binary data */ - static int word2bin(const 
sasl_utils_t *utils, -- char *words, unsigned char *bin, const EVP_MD *md) -+ char *words, unsigned char *bin, const EVP_MD *md, -+ EVP_MD_CTX *mdctx) - { - int i, j; - char *c, *word, buf[OTP_RESPONSE_MAX+1]; -@@ -752,13 +785,12 @@ static int word2bin(const sasl_utils_t * - - /* alternate dictionary */ - if (alt_dict) { -- EVP_MD_CTX mdctx; -- char hash[EVP_MAX_MD_SIZE]; -- int hashlen; -+ unsigned char hash[EVP_MAX_MD_SIZE]; -+ unsigned hashlen; - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, word, strlen(word)); -- EVP_DigestFinal(&mdctx, hash, &hashlen); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, word, strlen(word)); -+ EVP_DigestFinal(mdctx, hash, &hashlen); - - /* use lowest 11 bits */ - x = ((hash[hashlen-2] & 0x7) << 8) | hash[hashlen-1]; -@@ -802,6 +834,7 @@ static int verify_response(server_contex - char *response) - { - const EVP_MD *md; -+ EVP_MD_CTX *mdctx = NULL; - char *c; - int do_init = 0; - unsigned char cur_otp[OTP_HASH_SIZE], prev_otp[OTP_HASH_SIZE]; -@@ -815,6 +848,11 @@ static int verify_response(server_contex - return SASL_FAIL; - } - -+ if ((mdctx = _plug_EVP_MD_CTX_new(utils)) == NULL) { -+ SETERROR(utils, "cannot allocate MD CTX"); -+ return SASL_NOMEM; -+ } -+ - /* eat leading whitespace */ - c = response; - while (isspace((int) *c)) c++; -@@ -824,7 +862,7 @@ static int verify_response(server_contex - r = hex2bin(c+strlen(OTP_HEX_TYPE), cur_otp, OTP_HASH_SIZE); - } - else if (!strncasecmp(c, OTP_WORD_TYPE, strlen(OTP_WORD_TYPE))) { -- r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md); -+ r = word2bin(utils, c+strlen(OTP_WORD_TYPE), cur_otp, md, mdctx); - } - else if (!strncasecmp(c, OTP_INIT_HEX_TYPE, - strlen(OTP_INIT_HEX_TYPE))) { -@@ -834,7 +872,7 @@ static int verify_response(server_contex - else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, - strlen(OTP_INIT_WORD_TYPE))) { - do_init = 1; -- r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), cur_otp, md); -+ r = word2bin(utils, c+strlen(OTP_INIT_WORD_TYPE), 
cur_otp, md, mdctx); - } - else { - SETERROR(utils, "unknown OTP extended response type"); -@@ -843,14 +881,15 @@ static int verify_response(server_contex - } - else { - /* standard response, try word first, and then hex */ -- r = word2bin(utils, c, cur_otp, md); -+ r = word2bin(utils, c, cur_otp, md, mdctx); - if (r != SASL_OK) - r = hex2bin(c, cur_otp, OTP_HASH_SIZE); - } - - if (r == SASL_OK) { - /* do one more hash (previous otp) and compare to stored otp */ -- otp_hash(md, cur_otp, OTP_HASH_SIZE, prev_otp, text->alg->swab); -+ otp_hash(md, (char *) cur_otp, OTP_HASH_SIZE, -+ prev_otp, text->alg->swab, mdctx); - - if (!memcmp(prev_otp, text->otp, OTP_HASH_SIZE)) { - /* update the secret with this seq/otp */ -@@ -879,23 +918,28 @@ static int verify_response(server_contex - *new_resp++ = '\0'; - } - -- if (!(new_chal && new_resp)) -- return SASL_BADAUTH; -+ if (!(new_chal && new_resp)) { -+ r = SASL_BADAUTH; -+ goto done; -+ } - - if ((r = parse_challenge(utils, new_chal, &alg, &seq, seed, 1)) - != SASL_OK) { -- return r; -+ goto done; - } - -- if (seq < 1 || !strcasecmp(seed, text->seed)) -- return SASL_BADAUTH; -+ if (seq < 1 || !strcasecmp(seed, text->seed)) { -+ r = SASL_BADAUTH; -+ goto done; -+ } - - /* find the MDA */ - if (!(md = EVP_get_digestbyname(alg->evp_name))) { - utils->seterror(utils->conn, 0, - "OTP algorithm %s is not available", - alg->evp_name); -- return SASL_BADAUTH; -+ r = SASL_BADAUTH; -+ goto done; - } - - if (!strncasecmp(c, OTP_INIT_HEX_TYPE, strlen(OTP_INIT_HEX_TYPE))) { -@@ -903,7 +947,7 @@ static int verify_response(server_contex - } - else if (!strncasecmp(c, OTP_INIT_WORD_TYPE, - strlen(OTP_INIT_WORD_TYPE))) { -- r = word2bin(utils, new_resp, new_otp, md); -+ r = word2bin(utils, new_resp, new_otp, md, mdctx); - } - - if (r == SASL_OK) { -@@ -914,7 +958,10 @@ static int verify_response(server_contex - memcpy(text->otp, new_otp, OTP_HASH_SIZE); - } - } -- -+ -+ done: -+ if (mdctx) _plug_EVP_MD_CTX_free(mdctx, utils); -+ - return r; 
- } - -diff -up cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 cyrus-sasl-2.1.26/saslauthd/lak.c ---- cyrus-sasl-2.1.26/saslauthd/lak.c.openssl110 2016-11-07 16:13:54.347327616 +0100 -+++ cyrus-sasl-2.1.26/saslauthd/lak.c 2016-11-07 16:18:42.283167898 +0100 -@@ -61,6 +61,35 @@ - #include <sasl.h> - #include "lak.h" - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+static EVP_MD_CTX *EVP_MD_CTX_new(void) -+{ -+ return EVP_MD_CTX_create(); -+} -+static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return; -+ -+ EVP_MD_CTX_destroy(ctx); -+} -+ -+static EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) -+{ -+ EVP_ENCODE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); -+ -+ if (ctx != NULL) { -+ memset(ctx, 0, sizeof(*ctx)); -+ } -+ return ctx; -+} -+static void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) -+{ -+ OPENSSL_free(ctx); -+ return; -+} -+#endif -+ - typedef struct lak_auth_method { - int method; - int (*check) (LAK *lak, const char *user, const char *service, const char *realm, const char *password) ; -@@ -1720,20 +1749,28 @@ static int lak_base64_decode( - - int rc, i, tlen = 0; - char *text; -- EVP_ENCODE_CTX EVP_ctx; -+ EVP_ENCODE_CTX *enc_ctx = EVP_ENCODE_CTX_new(); - -- text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); - if (text == NULL) - return LAK_NOMEM; - -- EVP_DecodeInit(&EVP_ctx); -- rc = EVP_DecodeUpdate(&EVP_ctx, text, &i, (char *)src, strlen(src)); -+ text = (char *)malloc(((strlen(src)+3)/4 * 3) + 1); -+ if (text == NULL) { -+ EVP_ENCODE_CTX_free(enc_ctx); -+ return LAK_NOMEM; -+ } -+ -+ EVP_DecodeInit(enc_ctx); -+ rc = EVP_DecodeUpdate(enc_ctx, (unsigned char *) text, &i, (const unsigned char *)src, strlen(src)); - if (rc < 0) { -+ EVP_ENCODE_CTX_free(enc_ctx); - free(text); - return LAK_FAIL; - } - tlen += i; -- EVP_DecodeFinal(&EVP_ctx, text, &i); -+ EVP_DecodeFinal(enc_ctx, (unsigned char *) text, &i); -+ -+ EVP_ENCODE_CTX_free(enc_ctx); - - *ret = text; - if (rlen != NULL) -@@ -1749,7 +1786,7 @@ static int lak_check_hashed( - { - int rc, 
clen; - LAK_HASH_ROCK *hrock = (LAK_HASH_ROCK *) rock; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx; - const EVP_MD *md; - unsigned char digest[EVP_MAX_MD_SIZE]; - char *cred; -@@ -1758,17 +1795,24 @@ static int lak_check_hashed( - if (!md) - return LAK_FAIL; - -+ mdctx = EVP_MD_CTX_new(); -+ if (!mdctx) -+ return LAK_NOMEM; -+ - rc = lak_base64_decode(hash, &cred, &clen); -- if (rc != LAK_OK) -+ if (rc != LAK_OK) { -+ EVP_MD_CTX_free(mdctx); - return rc; -+ } - -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, passwd, strlen(passwd)); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, passwd, strlen(passwd)); - if (hrock->salted) { -- EVP_DigestUpdate(&mdctx, &cred[EVP_MD_size(md)], -+ EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)], - clen - EVP_MD_size(md)); - } -- EVP_DigestFinal(&mdctx, digest, NULL); -+ EVP_DigestFinal(mdctx, digest, NULL); -+ EVP_MD_CTX_free(mdctx); - - rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md)); - free(cred); Deleted: cyrus-sasl-gssapi.patch =================================================================== --- cyrus-sasl-gssapi.patch 2019-02-03 14:59:06 UTC (rev 345180) +++ cyrus-sasl-gssapi.patch 2019-02-03 15:26:46 UTC (rev 345181) 
@@ -1,16 +0,0 @@
-diff -aur cyrus-sasl-2.1.26.orig/plugins/gssapi.c cyrus-sasl-2.1.26/plugins/gssapi.c
---- cyrus-sasl-2.1.26.orig/plugins/gssapi.c 2016-06-10 13:55:25.985676293 -0700
-+++ cyrus-sasl-2.1.26/plugins/gssapi.c 2016-06-10 13:58:00.687337430 -0700
-@@ -1583,10 +1583,10 @@
- }
-
- /* Setup req_flags properly */
-- req_flags = GSS_C_INTEG_FLAG;
-+ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
- if (params->props.max_ssf > params->external_ssf) {
- /* We are requesting a security layer */
-- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-+ req_flags |= GSS_C_INTEG_FLAG;
- /* Any SSF bigger than 1 is confidentiality. */
- /* Let's check if the client of the API requires confidentiality,
- and it wasn't already provided by an external layer */
Deleted: cyrus-sasl-sql.patch
===================================================================
--- cyrus-sasl-sql.patch 2019-02-03 14:59:06 UTC (rev 345180)
+++ cyrus-sasl-sql.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -1,39 +0,0 @@
---- configure.in 2012-10-12 16:05:48.000000000 +0200
-+++ configure.in 2013-05-11 18:48:59.021848013 +0200
-@@ -861,9 +860,9 @@
- notfound) AC_WARN([SQLite Library not found]); true;;
- *)
- if test -d ${with_sqlite}/lib; then
-- LIB_SQLITE="-L${with_sqlite}/lib -R${with_sqlite}/lib"
-+ LIB_SQLITE="-L${with_sqlite}/lib"
- else
-- LIB_SQLITE="-L${with_sqlite} -R${with_sqlite}"
-+ LIB_SQLITE="-L${with_sqlite}"
- fi
-
- LIB_SQLITE_DIR=$LIB_SQLITE
-@@ -913,9 +912,9 @@
- notfound) AC_WARN([SQLite3 Library not found]); true;;
- *)
- if test -d ${with_sqlite3}/lib; then
-- LIB_SQLITE3="-L${with_sqlite3}/lib -R${with_sqlite3}/lib"
-+ LIB_SQLITE3="-L${with_sqlite3}/lib"
- else
-- LIB_SQLITE3="-L${with_sqlite3} -R${with_sqlite3}"
-+ LIB_SQLITE3="-L${with_sqlite3}"
- fi
-
- LIB_SQLITE3_DIR=$LIB_SQLITE3
---- configure.in
-+++ configure.in
-@@ -674,7 +674,9 @@
- LIB_PGSQL_DIR=$LIB_PGSQL
- LIB_PGSQL="$LIB_PGSQL -lpq"
-
-- if test -d ${with_pgsql}/include/pgsql; then
-+ if test -d ${with_pgsql}/include/postgresql/pgsql; then
-+ CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include/postgresql/pgsql"
-+ elif test -d ${with_pgsql}/include/pgsql; then
- CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include/pgsql"
- elif test -d ${with_pgsql}/pgsql/include; then
- CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
Deleted: fix-pkgconfig.patch
===================================================================
--- fix-pkgconfig.patch 2019-02-03 14:59:06 UTC (rev 345180)
+++ fix-pkgconfig.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -1,27 +0,0 @@
-From 3f42b7d7f3ef52056c79b31529d1a5be695c74c1 Mon Sep 17 00:00:00 2001
-From: Ignacio Casal Quinteiro <i...@gnome.org>
-Date: Fri, 20 Nov 2015 11:16:31 +0100
-Subject: [PATCH] Fix up pkgconfig pc file
-
----
- libsasl2.pc.in | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/libsasl2.pc.in b/libsasl2.pc.in
-index 40bea37..ddad76d 100644
---- a/libsasl2.pc.in
-+++ b/libsasl2.pc.in
-@@ -1,8 +1,12 @@
--libdir = @libdir@
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-
- Name: Cyrus SASL
- Description: Cyrus SASL implementation
- URL: http://www.cyrussasl.org/
- Version: @VERSION@
-+Cflags: -I${includedir}
- Libs: -L${libdir} -lsasl2
- Libs.private: @LIB_DOOR@ @SASL_DL_LIB@ @LIBS@
Added: gdbm-errno.patch
===================================================================
--- gdbm-errno.patch (rev 0)
+++ gdbm-errno.patch 2019-02-03 15:26:46 UTC (rev 345181)
@@ -0,0 +1,29 @@
+From af48f6fec9a7b6374d4153c5db894d4a1f349645 Mon Sep 17 00:00:00 2001
+From: Jonas Jelten <j...@sft.mx>
+Date: Sat, 2 Feb 2019 20:53:37 +0100
+Subject: [PATCH] db_gdbm: fix gdbm_errno overlay from gdbm_close
+
+`gdbm_close` also sets gdbm_errno since version 1.17.
+This leads to a problem in `libsasl` as the `gdbm_close` incovation overlays
+the `gdbm_errno` value which is then later used for the error handling.
+---
+ sasldb/db_gdbm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sasldb/db_gdbm.c b/sasldb/db_gdbm.c
+index ee56a6bf..c908808e 100644
+--- a/sasldb/db_gdbm.c
++++ b/sasldb/db_gdbm.c
+@@ -107,9 +107,11 @@ int _sasldb_getdata(const sasl_utils_t *utils,
+ gkey.dptr = key;
+ gkey.dsize = key_len;
+ gvalue = gdbm_fetch(db, gkey);
++ int fetch_errno = gdbm_errno;
++
+ gdbm_close(db);
+ if (! gvalue.dptr) {
+- if (gdbm_errno == GDBM_ITEM_NOT_FOUND) {
++ if (fetch_errno == GDBM_ITEM_NOT_FOUND) {
+ utils->seterror(conn, SASL_NOLOG,
+ "user: %s@%s property: %s not found in %s",
+ authid, realm, propName, path);
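Review bot: The saved `fetch_errno` replaces only the `gdbm_errno` read in the `GDBM_ITEM_NOT_FOUND` comparison, and `_sasldb_getdata` continues past the end of the nested hunk. Any later branch there that still reads `gdbm_errno` after `gdbm_close(db)` would report the status of the close rather than of the fetch; if one exists, it should use `fetch_errno` too. The new local also has no comment saying why the copy must be taken before the close; I would add `/* save before gdbm_close(), which also sets gdbm_errno since gdbm 1.17 */` above `int fetch_errno = gdbm_errno;`. If the file otherwise declares locals at the top of the function (not visible here), the declaration should move there and only the assignment stay after `gdbm_fetch`.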