Bug#780120: unblock: cyrus-sasl2/2.1.26.dfsg1-13
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package cyrus-sasl2
Kees Cook has brought to my attention that cyrus-sasl2 could close the TCP
connection prematurely and provided a simple patch that shuts down the
socket and waits for the client to close it instead of just closing it down.
See #777349 for more background information. The patch is small, and
I understand what it does :), so I recommend this for inclusion in
jessie (or in a point release).
unblock cyrus-sasl2/2.1.26.dfsg1-13
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/changelog cyrus-sasl2-2.1.26.dfsg1/debian/changelog
--- cyrus-sasl2-2.1.26.dfsg1/debian/changelog 2014-10-17 14:41:14.000000000 +0200
+++ cyrus-sasl2-2.1.26.dfsg1/debian/changelog 2015-03-09 14:21:37.000000000 +0100
@@ -1,3 +1,11 @@
+cyrus-sasl2 (2.1.26.dfsg1-13) unstable; urgency=medium
+
+ * Shutdown down the write side of the socket and wait for the client to
+ close the connection (0 byte read) before closing the server side
+ (Closes: #777349) (Courtesy of Kees Cook)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 09 Mar 2015 14:21:23 +0100
+
cyrus-sasl2 (2.1.26.dfsg1-12) unstable; urgency=medium
* Add patch to fix login to dovecot imapd 2.x (Closes: #715040)
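Review bot: The first line of the new changelog entry reads "Shutdown down the write side of the socket", which doubles the word; "Shut down the write side of the socket" is what is meant. The same wording appears in the Description header of early-hangup.patch, so both should be fixed together.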
diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch
--- cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch 1970-01-01 01:00:00.000000000 +0100
+++ cyrus-sasl2-2.1.26.dfsg1/debian/patches/early-hangup.patch 2015-03-09 14:21:37.000000000 +0100
@@ -0,0 +1,34 @@
+Description: it is possible for the client side of the socket to miss data
+ when the server uses close() immediately after the last write(). To avoid
+ this, shutdown down the write side of the socket and wait for the client
+ to close the connection (0 byte read) before closing the server side.
+Author: Kees Cook <kees@debian.org>
+
+--- cyrus-sasl2.orig/saslauthd/ipc_unix.c
++++ cyrus-sasl2/saslauthd/ipc_unix.c
+@@ -217,6 +217,7 @@ void ipc_loop() {
+
+ int rc;
+ int conn_fd;
++ unsigned char dummy;
+
+
+ while(1) {
+@@ -261,6 +262,8 @@ void ipc_loop() {
+ }
+
+ do_request(conn_fd);
++ shutdown(conn_fd, SHUT_WR);
++ while (read(conn_fd, &dummy, 1) > 0) { }
+ close(conn_fd);
+
+ if(flags & DETACH_TTY) {
+@@ -275,6 +278,8 @@ void ipc_loop() {
+ * Normal prefork mode.
+ *************************************************************/
+ do_request(conn_fd);
++ shutdown(conn_fd, SHUT_WR);
++ while (read(conn_fd, &dummy, 1) > 0) { }
+ close(conn_fd);
+ }
+
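Review bot: The drain loop "while (read(conn_fd, &dummy, 1) > 0) { }" added after both do_request(conn_fd) calls has no bound on how long it waits. Nothing in these lines sets a receive timeout, so a client that keeps its end of the socket open holds this saslauthd process in read() until it disconnects, and that process cannot return to accepting other authentication requests in the meantime. Suggest bounding the wait before falling through to close(conn_fd), for example with poll() against a deadline or SO_RCVTIMEO on conn_fd. Two smaller points in the same lines: the return value of shutdown(conn_fd, SHUT_WR) is not checked, and the loop ends on any read() error including EINTR, in which case the code silently reverts to the immediate close the patch is meant to avoid.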
diff -Nru cyrus-sasl2-2.1.26.dfsg1/debian/patches/series cyrus-sasl2-2.1.26.dfsg1/debian/patches/series
--- cyrus-sasl2-2.1.26.dfsg1/debian/patches/series 2014-10-17 14:41:14.000000000 +0200
+++ cyrus-sasl2-2.1.26.dfsg1/debian/patches/series 2015-03-09 14:21:37.000000000 +0100
@@ -30,3 +30,4 @@
0046_fix_void_return.patch
properly-create-libsasl2.pc.patch
bug715040.patch
+early-hangup.patch
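The close sequence described in the request above (shut down the write side, wait for the client's 0-byte read, then close), with the wait bounded by a deadline, as an added example that is not part of this bug report or of the cyrus-sasl2 source. The names graceful_close, now_ms and demo, the 200 ms timeout and the socketpair standing in for the saslauthd socket are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>
static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Hypothetical helper, not saslauthd code: half-close fd, wait up to timeout_ms
 * for the peer's EOF, then close. Returns 0 = peer closed, 1 = timeout, -1 = error. */
int graceful_close(int fd, int timeout_ms)
{
    unsigned char buf[256];
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    long deadline = now_ms() + timeout_ms;
    int result = -1;
    int failed = shutdown(fd, SHUT_WR) != 0 && errno != ENOTCONN;
    while (!failed) {
        long left = deadline - now_ms();
        if (left <= 0) { result = 1; break; }        /* peer never closed */
        int ready = poll(&pfd, 1, (int)left);
        if (ready == 0 || (ready < 0 && errno == EINTR)) continue;
        if (ready < 0) break;
        ssize_t n = read(fd, buf, sizeof buf);       /* discard late data */
        if (n == 0) { result = 0; break; }           /* EOF: client closed */
        if (n < 0 && errno != EINTR) break;
    }
    close(fd);
    return result;
}

/* Constructed demo on a socketpair: sv[0] is the server, sv[1] the client. */
int demo(int client_closes)
{
    int sv[2], rc;
    char reply[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    if (write(sv[0], "OK", 2) != 2) return -2;       /* server's last write */
    if (read(sv[1], reply, 2) != 2) return -2;       /* client reads the reply */
    if (client_closes) close(sv[1]);
    rc = graceful_close(sv[0], 200);
    if (!client_closes) close(sv[1]);
    return rc;
}
```

demo(1) models a client that closes after reading the reply; demo(0) models one that never closes, where the server gives up at the deadline instead of blocking.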