[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#780120: marked as done (unblock: cyrus-sasl2/2.1.26.dfsg1-13)

Your message dated Mon, 09 Mar 2015 17:46:04 +0100
with message-id <54FDCE4C.5030203@thykier.net>
and subject line Re: Bug#780120: unblock: cyrus-sasl2/2.1.26.dfsg1-13
has caused the Debian Bug report #780120,
regarding unblock: cyrus-sasl2/2.1.26.dfsg1-13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780120
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package cyrus-sasl2

Kees Cook has brought to my attention that cyrus-sasl2 could close tcp
connection prematurely and provided a simple patch that shuts down the
socket and wait for client to close it instead of just closing it down.

See #777349 for more background information.  The patch is small, and
I understand what it does :), so I recommend this for inclusion in
jessie (or in .point release).

unblock cyrus-sasl2/2.1.26.dfsg1-13

- -- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJU/aK0XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw
Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHdO0QAKKuiXPiy7a/IJ6907w7RYoL
bxL9eMfouQp0B6dd8m7IZa/5ty5+cF8j3hi2B5xR25sLPWNo7nSYWYt85Lemaot7
nhk3Vct5WVyUwLO7QL2bdsNc8OPhdDfeEhIwuQ70PEChVXEBCnu9NLTpxPE3a+mB
n7jx/miEXh5p2Z2u3+jjjj1i8ZEt5iOyP2regXze7Q+5AGydQO8JOyF7HgNtuPoY
9pBqknugm+6PryI13viM2fee+EGAC+FdJamoF7KTmOGL7JvSuBvRSfjGMcvwavqg
5dHk3AMY4qSuuco1FZsqUkJUBfwpueYLmHpyq9uFDWLULXKxTs8Acapdk5NlTKfY
P42kof1ZvLnQhWRD0tTfuyyrIOqmCE8huPwdBFyXpiouqgl7Io2XNqK16AtN98hn
2TXO44H8TmPD/RccKMuSo62rQhufOW6aTc9z+6IkPNgmtc0mexxIExKVhaMxG+u4
uHgdPrAP2Q8mqHYGRf3V/ccpaU+BotX7R4Ud15Qt7pJNIzBbYNWYlSCYHz8Qks3q
Sn7on13mNTT5BNC10qlSE7j4rKutJ7MDwzm6l17Fpe59Wx6XL03nhB8lgaCQxLkF
cdkz6Xx2dEdQwG70fkD2AbmZX2e0AUipRKmepHp2oL5JmgRAM+HLkjEq2R37nQft
CC97oKsRe4QkefBYjLBx
=l/Bl
-----END PGP SIGNATURE-----

diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/changelog cyrus-sasl2-2.1.26.dfsg1/debian/changelog
--- cyrus-sasl2-2.1.26.dfsg1/debian/changelog	2014-10-17 14:41:14.000000000 +0200
+++ cyrus-sasl2-2.1.26.dfsg1/debian/changelog	2015-03-09 14:21:37.000000000 +0100
@@ -1,3 +1,11 @@
+cyrus-sasl2 (2.1.26.dfsg1-13) unstable; urgency=medium
+
+  * Shutdown down the write side of the socket and wait for the client to
+    close the connection (0 byte read) before closing the server side
+    (Closes: #777349) (Courtesy of Kees Cook)
+
+ -- Ondřej Surý <ondrej@debian.org>  Mon, 09 Mar 2015 14:21:23 +0100
+
 cyrus-sasl2 (2.1.26.dfsg1-12) unstable; urgency=medium
 
   * Add patch to fix login to dovecot imapd 2.x (Closes: #715040)
diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch
--- cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch	1970-01-01 01:00:00.000000000 +0100
+++ cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch	2015-03-09 14:21:37.000000000 +0100
@@ -0,0 +1,34 @@
+Description: it is possible for the client side of the socket to miss data
+ when the server uses close() immediately after the last write(). To avoid
+ this, shutdown down the write side of the socket and wait for the client
+ to close the connection (0 byte read) before closing the server side.
+Author: Kees Cook <kees@debian.org>
+
+--- cyrus-sasl2.orig/saslauthd/ipc_unix.c
++++ cyrus-sasl2/saslauthd/ipc_unix.c
+@@ -217,6 +217,7 @@ void ipc_loop() {
+ 
+ 	int		rc;
+ 	int		conn_fd;
++	unsigned char	dummy;
+ 
+ 
+ 	while(1) {
+@@ -261,6 +262,8 @@ void ipc_loop() {
+ 		    }
+ 		    
+ 		    do_request(conn_fd);
++		    shutdown(conn_fd, SHUT_WR);
++		    while (read(conn_fd, &dummy, 1) > 0) { }
+ 		    close(conn_fd);
+ 
+ 		    if(flags & DETACH_TTY) {
+@@ -275,6 +278,8 @@ void ipc_loop() {
+ 		 * Normal prefork mode.
+ 		 *************************************************************/
+ 		do_request(conn_fd);
++		shutdown(conn_fd, SHUT_WR);
++		while (read(conn_fd, &dummy, 1) > 0) { }
+ 		close(conn_fd);
+ 	}
+ 
diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/patches/series cyrus-sasl2-2.1.26.dfsg1/debian/patches/series
--- cyrus-sasl2-2.1.26.dfsg1/debian/patches/series	2014-10-17 14:41:14.000000000 +0200
+++ cyrus-sasl2-2.1.26.dfsg1/debian/patches/series	2015-03-09 14:21:37.000000000 +0100
@@ -30,3 +30,4 @@
 0046_fix_void_return.patch
 properly-create-libsasl2.pc.patch
 bug715040.patch
+early-hangup.patch

--- End Message ---
--- Begin Message --- 
On 2015-03-09 14:40, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package cyrus-sasl2
> 
> Kees Cook has brought to my attention that cyrus-sasl2 could close tcp
> connection prematurely and provided a simple patch that shuts down the
> socket and wait for client to close it instead of just closing it down.
> 
> See #777349 for more background information.  The patch is small, and
> I understand what it does :), so I recommend this for inclusion in
> jessie (or in .point release).
> 
> unblock cyrus-sasl2/2.1.26.dfsg1-13
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
Reply to: