[Pkg-cyrus-sasl2-commits] r310 - in /cyrus-sasl-2.1/trunk/debian: changelog patches/0018_auth_rimap_quotes.dpatch patches/00list

fabbe at users.alioth.debian.org fabbe at users.alioth.debian.org
Fri Feb 15 12:17:40 UTC 2008 

Author: fabbe
Date: Fri Feb 15 12:17:40 2008
New Revision: 310

URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/?sc=1&rev=310
Log:
Add upstream fix for potential DoS attack through infinite loop.

Added:
    cyrus-sasl-2.1/trunk/debian/patches/0018_auth_rimap_quotes.dpatch   (with props)
Modified:
    cyrus-sasl-2.1/trunk/debian/changelog
    cyrus-sasl-2.1/trunk/debian/patches/00list

Modified: cyrus-sasl-2.1/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/changelog?rev=310&op=diff
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/changelog (original)
+++ cyrus-sasl-2.1/trunk/debian/changelog Fri Feb 15 12:17:40 2008
@@ -5,11 +5,13 @@
   [ Fabian Fagerholm ]
   * debian/control: We conform to 3.7.3.0 of the Debian policy.
   * debian/control: Change Vcs-Browser to point to human-readable interface.
+  * debian/patches/0018_auth_rimap_quotes.dpatch: Upstream fix for potential
+    DoS attack through infinite loop.
 
   [ Roberto C. Sanchez ]
   * Add Swedish translation (Closes: #460496)
 
- -- Fabian Fagerholm <fabbe at debian.org>  Wed, 13 Feb 2008 12:13:45 +0200
+ -- Fabian Fagerholm <fabbe at debian.org>  Fri, 15 Feb 2008 14:14:40 +0200
 
 cyrus-sasl2 (2.1.22.dfsg1-17) unstable; urgency=low
 

Added: cyrus-sasl-2.1/trunk/debian/patches/0018_auth_rimap_quotes.dpatch
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/patches/0018_auth_rimap_quotes.dpatch?rev=310&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/patches/0018_auth_rimap_quotes.dpatch (added)
+++ cyrus-sasl-2.1/trunk/debian/patches/0018_auth_rimap_quotes.dpatch Fri Feb 15 12:17:40 2008
@@ -1,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 0016_auth_rimap_quotes.dpatch by  <fabbe at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Avoid infinite loop when username/password has a double quote character.
+## DP: Upstream change: https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/saslauthd/auth_rimap.c.diff?r1=1.12;r2=1.13
+
+ at DPATCH@
+diff -urNad etch~/saslauthd/auth_rimap.c etch/saslauthd/auth_rimap.c
+--- etch~/saslauthd/auth_rimap.c	2007-03-29 15:16:20.000000000 +0300
++++ etch/saslauthd/auth_rimap.c	2008-02-13 13:42:53.000000000 +0200
+@@ -162,6 +162,7 @@
+     num_quotes = 0;
+     p1 = s;
+     while ((p1 = strchr(p1, '"')) != NULL) {
++	p1++;
+ 	num_quotes++;
+     }
+     
+@@ -438,7 +439,7 @@
+ 	syslog(LOG_WARNING, "auth_rimap: writev: %m");
+ 	memset(qlogin, 0, strlen(qlogin));
+ 	free(qlogin);
+-	memset(qpass, 0, strlen(qlogin));
++	memset(qpass, 0, strlen(qpass));
+ 	free(qpass);
+ 	(void)close(s);
+ 	return strdup(RESP_IERROR);
+@@ -447,7 +448,7 @@
+     /* don't need these any longer */
+     memset(qlogin, 0, strlen(qlogin));
+     free(qlogin);
+-    memset(qpass, 0, strlen(qlogin));
++    memset(qpass, 0, strlen(qpass));
+     free(qpass);
+ 
+     /* read and parse the LOGIN response */

Propchange: cyrus-sasl-2.1/trunk/debian/patches/0018_auth_rimap_quotes.dpatch
------------------------------------------------------------------------------
    svn:executable = *

Modified: cyrus-sasl-2.1/trunk/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/patches/00list?rev=310&op=diff
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/patches/00list (original)
+++ cyrus-sasl-2.1/trunk/debian/patches/00list Fri Feb 15 12:17:40 2008
@@ -15,3 +15,4 @@
 0015_saslutil_decode64_fix
 0016_pid_file_lock_creation_mask
 0017_db4.6
+0018_auth_rimap_quotes

More information about the Pkg-cyrus-sasl2-commits mailing list