Bug#711328: pu: package cyrus-sasl2/2.1.25.dfsg1-6+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I must confess that I have somehow neglected cyrus-sasl2 before the
release, so some of the bugs have slipped under my radar. I would
like to make amends with pu now.
The updated package fixes three bugs:
* Fix heavy CPU usage in saslauthd (Closes: #708552)
* Send LOGOUT before closing connection in auth_rimap (Closes: #708547)
* Fix garbage in output buffer when using canonuser_plugin: ldapdb
(Closes: #689346)
The first two patches are (mostly) isolated in auth_rimap.c affecting
dovecot users.
The last patch adds the missing \0 terminator to the ldapdb string; without it
the canonical user authname could come out garbled.
$ diffstat cyrus-sasl2_2.1.25.dfsg1-6+deb7u1.debdiff
changelog | 9 +
gbp.conf | 4
patches/0034-fix_dovecot_authentication.patch | 40 ++++++--
patches/0038-send_imap_logout.patch | 48 ++++++++++
patches/0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch | 10 ++
patches/series | 2
6 files changed, 102 insertions(+), 11 deletions(-)
Thank you for considering this update.
Ondrej
- -- System Information:
Debian Release: 7.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlGwbHsACgkQ9OZqfMIN8nOfZgCcCb2Rp30ddQMm5gEy7vkZXZVN
pd0An1P89csp8wP8moVvdAYkj9kza9pw
=aGJO
-----END PGP SIGNATURE-----
diff -Nru cyrus-sasl2-2.1.25.dfsg1/debian/changelog cyrus-sasl2-2.1.25.dfsg1/debian/changelog
--- cyrus-sasl2-2.1.25.dfsg1/debian/changelog 2012-10-26 14:06:17.000000000 +0200
+++ cyrus-sasl2-2.1.25.dfsg1/debian/changelog 2013-06-06 12:46:29.000000000 +0200
@@ -1,3 +1,12 @@
+cyrus-sasl2 (2.1.25.dfsg1-6+deb7u1) unstable; urgency=low
+
+ * Fix heavy CPU usage in saslauthd (Closes: #708552)
+ * Send LOGOUT before closing connection in auth_rimap (Closes: #708547)
+ * Fix garbage in output buffer when using canonuser_plugin: ldapdb
+ (Closes: #689346)
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 17 May 2013 18:11:26 +0200
+
cyrus-sasl2 (2.1.25.dfsg1-6) unstable; urgency=low
* Fix failures when the host have broken hostname (Closes: #683555)
diff -Nru cyrus-sasl2-2.1.25.dfsg1/debian/gbp.conf cyrus-sasl2-2.1.25.dfsg1/debian/gbp.conf
--- cyrus-sasl2-2.1.25.dfsg1/debian/gbp.conf 2012-10-26 14:06:17.000000000 +0200
+++ cyrus-sasl2-2.1.25.dfsg1/debian/gbp.conf 2013-06-06 12:46:29.000000000 +0200
@@ -1,7 +1,7 @@
[DEFAULT]
-debian-branch = debian-sid
+debian-branch = master-wheezy
debian-tag = debian/%(version)s
-upstream-branch = upstream-sid
+upstream-branch = upstream-wheezy
upstream-tag = upstream/%(version)s
pristine-tar = True
diff -Nru cyrus-sasl2-2.1.25.dfsg1/debian/patches/0034-fix_dovecot_authentication.patch cyrus-sasl2-2.1.25.dfsg1/debian/patches/0034-fix_dovecot_authentication.patch
--- cyrus-sasl2-2.1.25.dfsg1/debian/patches/0034-fix_dovecot_authentication.patch 2012-10-26 14:06:17.000000000 +0200
+++ cyrus-sasl2-2.1.25.dfsg1/debian/patches/0034-fix_dovecot_authentication.patch 2013-06-06 12:46:29.000000000 +0200
@@ -1,18 +1,20 @@
---- a/saslauthd/auth_rimap.c
-+++ b/saslauthd/auth_rimap.c
+Index: cyrus-sasl2-2.1.25.dfsg1/saslauthd/auth_rimap.c
+===================================================================
+--- cyrus-sasl2-2.1.25.dfsg1.orig/saslauthd/auth_rimap.c 2013-05-16 15:36:35.000000000 +0000
++++ cyrus-sasl2-2.1.25.dfsg1/saslauthd/auth_rimap.c 2013-05-16 15:43:24.000000000 +0000
@@ -1,3 +1,4 @@
+
/* MODULE: auth_rimap */
/* COPYRIGHT
-@@ -367,6 +368,30 @@ auth_rimap (
+@@ -367,6 +368,39 @@
alarm(NETWORK_IO_TIMEOUT);
rc = read(s, rbuf, sizeof(rbuf));
alarm(0);
+ if ( rc>0 ) {
+ /* check if there is more to read */
+ fd_set perm;
-+ int fds, ret;
++ int fds, ret, loopc;
+ struct timeval timeout;
+
+ FD_ZERO(&perm);
@@ -21,6 +23,7 @@
+
+ timeout.tv_sec = 1;
+ timeout.tv_usec = 0;
++ loopc = 0;
+ while( select (fds, &perm, NULL, NULL, &timeout ) >0 ) {
+ if ( FD_ISSET(s, &perm) ) {
+ ret = read(s, rbuf+rc, sizeof(rbuf)-rc);
@@ -28,6 +31,14 @@
+ rc = ret;
+ break;
+ } else {
++ if (ret == 0) {
++ loopc += 1;
++ } else {
++ loopc = 0;
++ }
++ if (loopc > sizeof(rbuf)) { // arbitrary chosen value
++ break;
++ }
+ rc += ret;
+ }
+ }
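Review bot: The zero-read counter added in the `else` branch only bounds the busy loop instead of ending it. `read()` returns 0 here either because the peer closed the connection or because `sizeof(rbuf)-rc` has reached 0, and in neither case can another pass make progress, yet the loop keeps calling select/read until `loopc > sizeof(rbuf)` trips. Breaking at once with `if (ret == 0) break;` makes `loopc` and its signed/unsigned comparison against `sizeof(rbuf)` unnecessary. The same block is repeated for the response read in the `@@ -59,6 +71,14 @@` hunk. The loop and auth_rimap itself start and end outside this hunk; if later code NUL-terminates at `rbuf[rc]`, a completely filled buffer would also call for `sizeof(rbuf)-1` as the read bound, which is worth confirming.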
@@ -36,14 +47,14 @@
if (rc == -1) {
syslog(LOG_WARNING, "auth_rimap: read (banner): %m");
(void) close(s);
-@@ -456,6 +481,30 @@ auth_rimap (
+@@ -456,6 +490,39 @@
alarm(NETWORK_IO_TIMEOUT);
rc = read(s, rbuf, sizeof(rbuf));
alarm(0);
+ if ( rc>0 ) {
+ /* check if there is more to read */
+ fd_set perm;
-+ int fds, ret;
++ int fds, ret, loopc;
+ struct timeval timeout;
+
+ FD_ZERO(&perm);
@@ -52,6 +63,7 @@
+
+ timeout.tv_sec = 1;
+ timeout.tv_usec = 0;
++ loopc = 0;
+ while( select (fds, &perm, NULL, NULL, &timeout ) >0 ) {
+ if ( FD_ISSET(s, &perm) ) {
+ ret = read(s, rbuf+rc, sizeof(rbuf)-rc);
@@ -59,6 +71,14 @@
+ rc = ret;
+ break;
+ } else {
++ if (ret == 0) {
++ loopc += 1;
++ } else {
++ loopc = 0;
++ }
++ if (loopc > sizeof(rbuf)) { // arbitrary chosen value
++ break;
++ }
+ rc += ret;
+ }
+ }
@@ -67,9 +87,11 @@
(void) close(s); /* we're done with the remote */
if (rc == -1) {
syslog(LOG_WARNING, "auth_rimap: read (response): %m");
---- a/lib/checkpw.c
-+++ b/lib/checkpw.c
-@@ -587,16 +587,14 @@ static int read_wait(int fd, unsigned de
+Index: cyrus-sasl2-2.1.25.dfsg1/lib/checkpw.c
+===================================================================
+--- cyrus-sasl2-2.1.25.dfsg1.orig/lib/checkpw.c 2013-05-16 15:36:35.000000000 +0000
++++ cyrus-sasl2-2.1.25.dfsg1/lib/checkpw.c 2013-05-16 15:36:53.000000000 +0000
+@@ -587,16 +587,14 @@
/* Timeout. */
errno = ETIMEDOUT;
return -1;
diff -Nru cyrus-sasl2-2.1.25.dfsg1/debian/patches/0038-send_imap_logout.patch cyrus-sasl2-2.1.25.dfsg1/debian/patches/0038-send_imap_logout.patch
--- cyrus-sasl2-2.1.25.dfsg1/debian/patches/0038-send_imap_logout.patch 1970-01-01 01:00:00.000000000 +0100
+++ cyrus-sasl2-2.1.25.dfsg1/debian/patches/0038-send_imap_logout.patch 2013-06-06 12:46:29.000000000 +0200
@@ -0,0 +1,48 @@
+--- a/saslauthd/auth_rimap.c
++++ b/saslauthd/auth_rimap.c
+@@ -90,6 +90,7 @@ static struct addrinfo *ai = NULL; /* re
+ service we connect to. */
+ #define TAG "saslauthd" /* IMAP command tag */
+ #define LOGIN_CMD (TAG " LOGIN ") /* IMAP login command (with tag) */
++#define LOGOUT_CMD (TAG " LOGOUT ") /* IMAP logout command (with tag)*/
+ #define NETWORK_IO_TIMEOUT 30 /* network I/O timeout (seconds) */
+ #define RESP_LEN 1000 /* size of read response buffer */
+
+@@ -307,10 +308,12 @@ auth_rimap (
+ int s=-1; /* socket to remote auth host */
+ struct addrinfo *r; /* remote socket address info */
+ struct iovec iov[5]; /* for sending LOGIN command */
++ struct iovec iov2[1]; /* for sending LOGOUT command */
+ char *qlogin; /* pointer to "quoted" login */
+ char *qpass; /* pointer to "quoted" password */
+ char *c; /* scratch pointer */
+ int rc; /* return code scratch area */
++ int rcl; /* return code scratch area */
+ char rbuf[RESP_LEN]; /* response read buffer */
+ char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
+ int saved_errno;
+@@ -523,6 +526,24 @@ auth_rimap (
+ }
+ }
+ }
++
++ /* close remote imap */
++ iov2[0].iov_base = LOGOUT_CMD;
++ iov2[0].iov_len = sizeof(LOGOUT_CMD) - 1;
++ iov2[1].iov_base = "\r\n";
++ iov2[1].iov_len = sizeof("\r\n") - 1;
++
++ if (flags & VERBOSE) {
++ syslog(LOG_DEBUG, "auth_rimap: sending %s%s %s",
++ LOGOUT_CMD, qlogin, qpass);
++ }
++ alarm(NETWORK_IO_TIMEOUT);
++ rcl = retry_writev(s, iov2, 2);
++ alarm(0);
++ if (rcl == -1) {
++ syslog(LOG_WARNING, "auth_rimap: writev logout: %m");
++ }
++
+ (void) close(s); /* we're done with the remote */
+ if (rc == -1) {
+ syslog(LOG_WARNING, "auth_rimap: read (response): %m");
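Review bot: `iov2` is declared as `struct iovec iov2[1]`, but the new code fills `iov2[1]` and passes a count of 2 to `retry_writev`, so the second element is written and read past the end of the array on the stack; the declaration should be `struct iovec iov2[2];`. The VERBOSE branch also logs `qlogin` and `qpass` next to LOGOUT_CMD, which puts the password in syslog although neither is part of the LOGOUT command; `syslog(LOG_DEBUG, "auth_rimap: sending %s", LOGOUT_CMD);` is enough. Whether those two buffers are still valid at this point is not visible here, because auth_rimap's body starts and ends outside the hunk.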
diff -Nru cyrus-sasl2-2.1.25.dfsg1/debian/patches/0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch cyrus-sasl2-2.1.25.dfsg1/debian/patches/0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch
--- cyrus-sasl2-2.1.25.dfsg1/debian/patches/0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch 1970-01-01 01:00:00.000000000 +0100
+++ cyrus-sasl2-2.1.25.dfsg1/debian/patches/0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch 2013-06-06 12:46:29.000000000 +0200
@@ -0,0 +1,10 @@
+--- a/plugins/ldapdb.c
++++ b/plugins/ldapdb.c
+@@ -406,6 +406,7 @@ ldapdb_canon_server(void *glob_context,
+ if ( len > out_max )
+ len = out_max;
+ memcpy(out, bvals[0]->bv_val, len);
++ out[len] = '\0';
+ *out_ulen = len;
+ ber_bvecfree(bvals);
+ }
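Review bot: The added `out[len] = '\0';` writes at index `out_max` whenever `len` was clamped by the check just above, so it is in bounds only if the caller's buffer holds `out_max + 1` bytes, which this hunk does not show. Either confirm that contract and record it in a comment such as `/* caller guarantees out has room for out_max + 1 bytes */`, or clamp with `if (len >= out_max) len = out_max - 1;` after ruling out `out_max == 0`. ldapdb_canon_server starts and ends outside the hunk.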
diff -Nru cyrus-sasl2-2.1.25.dfsg1/debian/patches/series cyrus-sasl2-2.1.25.dfsg1/debian/patches/series
--- cyrus-sasl2-2.1.25.dfsg1/debian/patches/series 2012-10-26 14:06:17.000000000 +0200
+++ cyrus-sasl2-2.1.25.dfsg1/debian/patches/series 2013-06-06 12:46:29.000000000 +0200
@@ -22,3 +22,5 @@
0035-temporary_multiarch_fixes.patch
0036-add-reference-to-LDAP_SASLAUTHD-file.patch
0037-abort_if_no_fqdn_fix.patch
+0038-send_imap_logout.patch
+0039-fix-canonuser-ldapdb-garbage-in-out-buffer.patch