authorNatanael Copa <ncopa@alpinelinux.org>2019-12-24 11:33:40 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2019-12-24 12:38:35 +0100
commit0595a8cfd177012e492000c76033a8a089b51270 (patch)
treedcac2c3a9ce9662fabc8c7639f9536957cabcd6a
parent2606d2b27c5e6739d86229be7a7a042584225ff2 (diff)
main/cyrus-sasl: fix CVE-2019-19906
fixes #11079
-rw-r--r--main/cyrus-sasl/APKBUILD6
-rw-r--r--main/cyrus-sasl/CVE-2019-19906.patch15
2 files changed, 20 insertions, 1 deletions
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 9909a2bbb4a..33336704378 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
pkgver=2.1.27
-pkgrel=3
+pkgrel=4
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://cyrusimap.org/"
arch="all"
@@ -39,10 +39,13 @@ source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pk
cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
cyrus-sasl-2.1.27-doc_build_fix.patch
cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+ CVE-2019-19906.patch
saslauthd.initd
"
# secfixes:
+# 2.1.27-r4:
+# - CVE-2019-19906
# 2.1.26-r7:
# - CVE-2013-4122
@@ -123,4 +126,5 @@ sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623
4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch
f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch
new file mode 100644
index 00000000000..f7edb521e89
--- /dev/null
+++ b/main/cyrus-sasl/CVE-2019-19906.patch
@@ -0,0 +1,15 @@
+https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+diff --git a/lib/common.c b/lib/common.c
+index bc3bf1df..9969d6aa 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
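Review bot: Putting the terminator into `addlen` itself (`addlen=strlen(add)+1;`) changes more than the allocation size, because `addlen` is also the value the rest of `_sasl_add_string` works with, and that rest lies outside this hunk. If the remainder of the function copies `addlen` bytes and then advances `*outlen` by `addlen`, as upstream's lib/common.c does, the NUL byte is copied into the buffer and counted as output, so the next appended string lands after it and the assembled string is silently cut short at the first component. The upstream fix for the issue linked at the top of the patch keeps `addlen=strlen(add); /* only compute once */` and reserves the extra byte only where the buffer is grown: `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`. Please diff this patch against that upstream change before shipping it, since the two are not equivalent.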