authorNatanael Copa <ncopa@alpinelinux.org>2019-12-24 11:33:40 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2019-12-24 12:40:04 +0100
commit336ed678178032d07a97fee172237315410e8d3c (patch)
tree2b9708c791e0bb16a2fa9af05cd4d1cca22e2739
parented9052cfb6c622e8ec3609848b1e0b0823f6e443 (diff)
main/cyrus-sasl: fix CVE-2019-19906
fixes #11079
-rw-r--r--main/cyrus-sasl/APKBUILD8
-rw-r--r--main/cyrus-sasl/CVE-2019-19906.patch15
2 files changed, 21 insertions, 2 deletions
diff --git a/main/cyrus-sasl/APKBUILD b/main/cyrus-sasl/APKBUILD
index 5bb6602ead..5d01ff4a01 100644
--- a/main/cyrus-sasl/APKBUILD
+++ b/main/cyrus-sasl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cyrus-sasl
pkgver=2.1.27
-pkgrel=1
+pkgrel=2
pkgdesc="Cyrus Simple Authentication Service Layer (SASL)"
url="https://cyrusimap.org/"
arch="all"
@@ -12,7 +12,7 @@ subpackages="
$pkgname-dev
$pkgname-doc
$pkgname-openrc
- libsasl
+ libsasl
$pkgname-gssapiv2:_plugin
$pkgname-gs2:_plugin
$pkgname-scram:_plugin
@@ -39,10 +39,13 @@ source="https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-$pk
cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
cyrus-sasl-2.1.27-doc_build_fix.patch
cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+ CVE-2019-19906.patch
saslauthd.initd
"
# secfixes:
+# 2.1.27-r2:
+# - CVE-2019-19906
# 2.1.26-r7:
# - CVE-2013-4122
@@ -123,4 +126,5 @@ sha512sums="d11549a99b3b06af79fc62d5478dba3305d7e7cc0824f4b91f0d2638daafbe940623
4ca601839b023ef790e48dae567ffbbd57c632384c980946639ec7437ad23874961451718569455e6e25afaeff1728ecbc71a8686f6b43246f83465f95a2c904 cyrus-sasl-2.1.27-avoid_pic_overwrite.patch
6d723e7ec2c431b45c011b887187b6a670dbe646aa4c39d38171047ab23db529c30c433f8d4dd624181917c5ce4e5271f86e35e2644ede1c40dfb09cb67dccde cyrus-sasl-2.1.27-doc_build_fix.patch
fca4f2b7e427c7613f71daa4a31772c33c8c0fe9d7f85b57b85da71bc5a88a18fc52f7caea463188b4addd31cd041d5349af689d5face2cc45fb50c700a8afd7 cyrus-sasl-2.1.27-gss_c_nt_hostbased_service.patch
+c39efd87dc9c883d3b07474197f6835fbd32f23baa1f5cd04b25a0473639f847321c40f232e390d4dc9d9ee189dbd177c05d3d1461af4d28a48a4827abc5d9b8 CVE-2019-19906.patch
f76bfb61567172428cdbc1ed900d5e0b6e66afc38118db6ba0e2fd8ba01956ad896e56463b2249bdc46d8725384f1b975a2af3601c0735327d3f8bc26ce1ed75 saslauthd.initd"
diff --git a/main/cyrus-sasl/CVE-2019-19906.patch b/main/cyrus-sasl/CVE-2019-19906.patch
new file mode 100644
index 0000000000..f7edb521e8
--- /dev/null
+++ b/main/cyrus-sasl/CVE-2019-19906.patch
@@ -0,0 +1,15 @@
+https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+diff --git a/lib/common.c b/lib/common.c
+index bc3bf1df..9969d6aa 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
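Review bot: Folding the terminator into `addlen` on the `addlen=strlen(add)+1;` line corrects the size requested from `_buf_alloc`, but it also changes every later use of `addlen` in `_sasl_add_string`, whose body continues outside this hunk. If the function goes on to advance `*outlen` by `addlen`, as the `(*outlen)+addlen` expression suggests it may, the stored length would then count the NUL and a following append would begin after it, so the result would read as truncated to C-string consumers. Keeping `addlen=strlen(add);` and growing only the request, `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`, reserves the terminator byte without touching the length bookkeeping. The patch header carries only the upstream issue URL; a one-line description of the off-by-one would help whoever later rebases or drops this patch.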