[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#855595: unblock: atheme-services/7.2.9



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package atheme-services

There is a security issue that was fixed in the upstream 7.2.8 package
(#855588), which introduced a new security issue, which was fixed in
the 7.2.9 package.

7.2.8, unfortunately, includes unrelated changes, most notably:

  * email templates: Fix leading whitespace
  * atheme.conf.example: better highlight the pbkdf2v2 crypto module
  * pbkdf2v2: make digest and rounds configurable at runtime
  * memoserv: let user know (on identify and /away) when their inbox is full
  * memoserv: unregister hooks when unloading

Those are small convenience fixes, some of those that will make the
program cryptographically stronger for the lifetime of stretch. Others
are pure bugfixes...

I think it is worth shipping the latest upstream at this point, since
those changes are small. They also factor in two patches that I had to
include in the 7.2.7-1 upload to fix builds with OpenSSL 1.1, so it
actually reduces our difference with upstream.

Attached is the debdiff against 7.2.7-1 (stretch/sid).

unblock atheme-services/7.2.9

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru atheme-services-7.2.7/configure atheme-services-7.2.9/configure
--- atheme-services-7.2.7/configure	2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/configure	2017-02-12 10:02:49.000000000 -0500
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for atheme 7.2.7.
+# Generated by GNU Autoconf 2.69 for atheme 7.2.9.
 #
-# Report bugs to <https://github.com/atheme/atheme/issues>.
+# Report bugs to <https://github.com/atheme/atheme/issues/>.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -267,7 +267,7 @@
     $as_echo "$0: be upgraded to zsh 4.3.4 or later."
   else
     $as_echo "$0: Please tell bug-autoconf@gnu.org and
-$0: https://github.com/atheme/atheme/issues about your
+$0: https://github.com/atheme/atheme/issues/ about your
 $0: system, including any error possibly output before this
 $0: message. Then install a modern shell, or manually run
 $0: the script under such a shell if you do have one."
@@ -580,9 +580,9 @@
 # Identity of this package.
 PACKAGE_NAME='atheme'
 PACKAGE_TARNAME='atheme'
-PACKAGE_VERSION='7.2.7'
-PACKAGE_STRING='atheme 7.2.7'
-PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues'
+PACKAGE_VERSION='7.2.9'
+PACKAGE_STRING='atheme 7.2.9'
+PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues/'
 PACKAGE_URL=''
 
 ac_default_prefix=~/atheme
@@ -1341,7 +1341,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures atheme 7.2.7 to adapt to many kinds of systems.
+\`configure' configures atheme 7.2.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1406,7 +1406,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of atheme 7.2.7:";;
+     short | recursive ) echo "Configuration of atheme 7.2.9:";;
    esac
   cat <<\_ACEOF
 
@@ -1466,7 +1466,7 @@
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <https://github.com/atheme/atheme/issues>.
+Report bugs to <https://github.com/atheme/atheme/issues/>.
 _ACEOF
 ac_status=$?
 fi
@@ -1529,7 +1529,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-atheme configure 7.2.7
+atheme configure 7.2.9
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1688,9 +1688,9 @@
 $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ------------------------------------------------------ ##
-## Report this to https://github.com/atheme/atheme/issues ##
-## ------------------------------------------------------ ##"
+( $as_echo "## ------------------------------------------------------- ##
+## Report this to https://github.com/atheme/atheme/issues/ ##
+## ------------------------------------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
@@ -2038,7 +2038,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by atheme $as_me 7.2.7, which was
+It was created by atheme $as_me 7.2.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4831,7 +4831,7 @@
 
 PACKAGE=atheme
 
-VERSION=7.2.7
+VERSION=7.2.9
 
 
 
@@ -10462,7 +10462,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by atheme $as_me 7.2.7, which was
+This file was extended by atheme $as_me 7.2.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10522,13 +10522,13 @@
 Configuration commands:
 $config_commands
 
-Report bugs to <https://github.com/atheme/atheme/issues>."
+Report bugs to <https://github.com/atheme/atheme/issues/>."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-atheme config.status 7.2.7
+atheme config.status 7.2.9
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru atheme-services-7.2.7/configure.ac atheme-services-7.2.9/configure.ac
--- atheme-services-7.2.7/configure.ac	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/configure.ac	2017-02-12 09:58:54.000000000 -0500
@@ -7,7 +7,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT(atheme, 7.2.7, [https://github.com/atheme/atheme/issues])
+AC_INIT(atheme, 7.2.9, [https://github.com/atheme/atheme/issues/])
 
 AC_CONFIG_AUX_DIR(autoconf)
 
diff -Nru atheme-services-7.2.7/debian/changelog atheme-services-7.2.9/debian/changelog
--- atheme-services-7.2.7/debian/changelog	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/changelog	2017-02-07 21:01:27.000000000 -0500
@@ -1,3 +1,23 @@
+atheme-services (7.2.9-1) unstable; urgency=medium
+
+  * new upstream release (7.2.8) fixing security issue "saslserv/main: free
+    sasl_sourceinfo_t after use" see:
+    https://github.com/atheme/atheme/pull/539
+  * new upstream release (7.2.9) fixing security issue introduced in
+    7.2.8: "Fix use after free during impersonation" (Closes: #855588)
+  * remove two OpenSSL 1.1 patches merged upstream
+
+  [ Jos Ahrens ]
+  * email templates: Fix leading whitespace
+
+  [ Aaron Jones ]
+  * atheme.conf.example: better highlight the pbkdf2v2 crypto module
+  * pbkdf2v2: make digest and rounds configurable at runtime
+  * memoserv: let user know (on identify and /away) when their inbox is full
+  * memoserv: unregister hooks when unloading
+
+ -- Antoine Beaupré <anarcat@debian.org>  Tue, 07 Feb 2017 21:01:27 -0500
+
 atheme-services (7.2.7-1) unstable; urgency=medium
 
   * new upstream release
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch	1969-12-31 19:00:00.000000000 -0500
@@ -1,82 +0,0 @@
-From 54809431abc683e43f58306e622db4ba65efcbeb Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjones@gmail.com>
-Date: Wed, 16 Nov 2016 08:21:32 +0000
-Subject: [PATCH] pbkdf2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-Fixes #528
----
- modules/crypto/pbkdf2.c | 59 -------------------------------------------------
- 1 file changed, 59 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2.c b/modules/crypto/pbkdf2.c
-index 2c39bf2..82df9e6 100644
---- a/modules/crypto/pbkdf2.c
-+++ b/modules/crypto/pbkdf2.c
-@@ -31,65 +31,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2", false, _modinit, _moddeinit, PACKAGE_VERSION,
- #define ROUNDS		(128000)
- #define SALTLEN		(16)
- 
--/* This is an implementation of PKCS#5 v2.0 password based encryption key
-- * derivation function PBKDF2.
-- * SHA1 version verified against test vectors posted by Peter Gutmann
-- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
--			   const unsigned char *salt, int saltlen, int iter,
--			   const EVP_MD *digest,
--			   int keylen, unsigned char *out)
--{
--	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
--	int cplen, j, k, tkeylen, mdlen;
--	unsigned long i = 1;
--	HMAC_CTX hctx;
--
--	mdlen = EVP_MD_size(digest);
--
--	HMAC_CTX_init(&hctx);
--	p = out;
--	tkeylen = keylen;
--	if(!pass)
--		passlen = 0;
--	else if(passlen == -1)
--		passlen = strlen(pass);
--	while(tkeylen)
--	{
--		if(tkeylen > mdlen)
--			cplen = mdlen;
--		else
--			cplen = tkeylen;
--		/* We are unlikely to ever use more than 256 blocks (5120 bits!)
--		 * but just in case...
--		 */
--		itmp[0] = (unsigned char)((i >> 24) & 0xff);
--		itmp[1] = (unsigned char)((i >> 16) & 0xff);
--		itmp[2] = (unsigned char)((i >> 8) & 0xff);
--		itmp[3] = (unsigned char)(i & 0xff);
--		HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
--		HMAC_Update(&hctx, salt, saltlen);
--		HMAC_Update(&hctx, itmp, 4);
--		HMAC_Final(&hctx, digtmp, NULL);
--		memcpy(p, digtmp, cplen);
--		for(j = 1; j < iter; j++)
--		{
--			HMAC(digest, pass, passlen,
--				 digtmp, mdlen, digtmp, NULL);
--			for(k = 0; k < cplen; k++)
--				p[k] ^= digtmp[k];
--		}
--		tkeylen-= cplen;
--		i++;
--		p+= cplen;
--	}
--	HMAC_CTX_cleanup(&hctx);
--	return 1;
--}
--
--/*******************************************************************************************/
--
- static const char *pbkdf2_salt(void)
- {
- 	static char buf[SALTLEN + 1];
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch	1969-12-31 19:00:00.000000000 -0500
@@ -1,80 +0,0 @@
-From b04f18e7d7410797d9c043b0944d715a522465c6 Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjones@gmail.com>
-Date: Wed, 16 Nov 2016 14:31:16 +0000
-Subject: [PATCH] pbkdf2v2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-c.f. issue #528
----
- modules/crypto/pbkdf2v2.c | 57 -----------------------------------------------
- 1 file changed, 57 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2v2.c b/modules/crypto/pbkdf2v2.c
-index 940281d..289e841 100644
---- a/modules/crypto/pbkdf2v2.c
-+++ b/modules/crypto/pbkdf2v2.c
-@@ -50,63 +50,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2v2", false, _modinit, _moddeinit,
- static const char salt_chars[62] =
- 	"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
- 
--/*
-- * This equivalent implementation provided incase the user doesn't
-- * have a new enough OpenSSL library installed on their machine
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
--                      const unsigned char *salt, int sl,
--                      int iter, const EVP_MD *PRF,
--                      int dkLen, unsigned char *out)
--{
--	if (! pass)
--		pl = 0;
--
--	if (pass && pl < 0)
--		pl = strlen(pass);
--
--	int tkLen = dkLen;
--	int mdLen = EVP_MD_size(PRF);
--	unsigned char *p = out;
--	unsigned long i = 1;
--
--	HMAC_CTX hctx;
--	HMAC_CTX_init(&hctx);
--
--	while (tkLen) {
--
--		unsigned char itmp[4];
--		itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
--		itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
--		itmp[2] = (unsigned char) ((i >>  8) & 0xFF);
--		itmp[3] = (unsigned char) ((i >>  0) & 0xFF);
--		i++;
--
--		unsigned char digtmp[EVP_MAX_MD_SIZE];
--		HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
--		HMAC_Update(&hctx, salt, sl);
--		HMAC_Update(&hctx, itmp, 4);
--		HMAC_Final(&hctx, digtmp, NULL);
--
--		int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
--		memcpy(p, digtmp, cpLen);
--
--		int j, k;
--		for (j = 1; j < iter; j++) {
--			HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
--			for (k = 0; k < cpLen; k++)
--				p[k] ^= digtmp[k];
--		}
--
--		tkLen -= cpLen;
--		p += cpLen;
--	}
--
--	HMAC_CTX_cleanup(&hctx);
--
--	return 1;
--}
--
- static const char *pbkdf2v2_make_salt(void)
- {
- 	char		salt[PBKDF2_SALTLEN + 1];
diff -Nru atheme-services-7.2.7/debian/patches/series atheme-services-7.2.9/debian/patches/series
--- atheme-services-7.2.7/debian/patches/series	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/series	2017-02-07 21:01:27.000000000 -0500
@@ -1,4 +1,2 @@
-openssl-1.1.0-b04f18e.patch
 ecdsakeygen-rename.patch
 dbverify-path-769145.patch
-openssl-1.1.0-5480943.patch
diff -Nru atheme-services-7.2.7/dist/atheme.conf.example atheme-services-7.2.9/dist/atheme.conf.example
--- atheme-services-7.2.7/dist/atheme.conf.example	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/dist/atheme.conf.example	2017-02-12 09:58:54.000000000 -0500
@@ -107,8 +107,8 @@
  *
  * The following crypto modules are available:
  *
- * PBKDF2 cryptography (new)                    modules/crypto/pbkdf2v2
- * PBKDF2 cryptography (old)                    modules/crypto/pbkdf2
+ * PBKDF2 cryptography (new, recommended)       modules/crypto/pbkdf2v2
+ * PBKDF2 cryptography (old, compatibility)     modules/crypto/pbkdf2
  * POSIX-style crypt(3)                         modules/crypto/posix
  * IRCServices (also Anope etc) compatibility   modules/crypto/ircservices
  * Raw MD5 (Anope compatibility)                modules/crypto/rawmd5
@@ -126,6 +126,7 @@
  *
  * The rawsha1 and pbkdf2/pbkdf2v2 modules require OpenSSL.
  */
+#loadmodule "modules/crypto/pbkdf2v2";
 loadmodule "modules/crypto/posix";
 
 /* Authentication module.
@@ -803,6 +804,27 @@
  * SERVICES RUNTIME CONFIGURATION SECTION.                                    *
  ******************************************************************************/
 
+/*
+ * If you are using the crypto/pbkdf2v2 module, you may wish to edit this block
+ *
+ * It is recommended to either leave the values at the defaults, or experiment
+ * with them so that it takes approximately 1 second for users to identify.
+ */
+pbkdf2v2 {
+
+	/* digest
+	 * Valid values are "SHA256" and "SHA512"
+	 * The default is "SHA512"
+	 */
+	#digest = "SHA512";
+
+	/* rounds
+	 * Valid values are 10000 to 5000000 (inclusive)
+	 * The default is 64000
+	 */
+	#rounds = 64000;
+};
+
 /* The serverinfo{} block defines how we appear on the IRC network. */
 serverinfo {
 	/* name
diff -Nru atheme-services-7.2.7/email/default/register atheme-services-7.2.9/email/default/register
--- atheme-services-7.2.7/email/default/register	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/register	2017-02-12 09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
 In order to complete your account registration, you must type the following
 command on IRC:
 
-   /msg &nicksvs& VERIFY REGISTER &accountname& &param&
+/msg &nicksvs& VERIFY REGISTER &accountname& &param&
 
 Thank you for registering your account on the &netname& IRC network!
 
diff -Nru atheme-services-7.2.7/email/default/setemail atheme-services-7.2.9/email/default/setemail
--- atheme-services-7.2.7/email/default/setemail	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setemail	2017-02-12 09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
 In order to complete the e-mail address change, you must verify your new
 e-mail address by issuing the following command on IRC:
 
-   /msg &nicksvs& VERIFY EMAILCHG &accountname& &param&
+/msg &nicksvs& VERIFY EMAILCHG &accountname& &param&
 
 Thank you for updating your e-mail address on file with the &netname&
 IRC network!
diff -Nru atheme-services-7.2.7/email/default/setpass atheme-services-7.2.9/email/default/setpass
--- atheme-services-7.2.7/email/default/setpass	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setpass	2017-02-12 09:58:54.000000000 -0500
@@ -14,7 +14,7 @@
 In order to set a new password, you must send the following command
 on IRC, where <password> is the new password you wish to set.
 
-   /msg &nicksvs& SETPASS &accountname& &param& <password>
+/msg &nicksvs& SETPASS &accountname& &param& <password>
 
 --
 If this message is unsolicited, please contact &replyto&
diff -Nru atheme-services-7.2.7/include/serno.h atheme-services-7.2.9/include/serno.h
--- atheme-services-7.2.7/include/serno.h	2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/include/serno.h	2017-02-12 10:02:49.000000000 -0500
@@ -1,2 +1,2 @@
 /* Generated automatically by makepackage. Any changes made here will be lost. */
-#define SERNO "ddc1fd73ee114b0f6d7a714db22c51c23c719b6e"
+#define SERNO "4db7745cc39e835c6bd00ad9fac6a8c9b71fabaa"
diff -Nru atheme-services-7.2.7/include/sysconf.h.in~ atheme-services-7.2.9/include/sysconf.h.in~
--- atheme-services-7.2.7/include/sysconf.h.in~	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/include/sysconf.h.in~	1969-12-31 19:00:00.000000000 -0500
@@ -1,290 +0,0 @@
-/* include/sysconf.h.in.  Generated from configure.ac by autoheader.  */
-
-/* Define if building universal (internal helper macro) */
-#undef AC_APPLE_UNIVERSAL_BUILD
-
-/* Define to 1 if translation of program messages to the user's native
-   language is requested. */
-#undef ENABLE_NLS
-
-/* Define to 1 if you have the `arc4random' function. */
-#undef HAVE_ARC4RANDOM
-
-/* Define to 1 if you have the `arc4random_buf' function. */
-#undef HAVE_ARC4RANDOM_BUF
-
-/* Define to 1 if you have the `arc4random_uniform' function. */
-#undef HAVE_ARC4RANDOM_UNIFORM
-
-/* Define to 1 if you have the `asprintf' function. */
-#undef HAVE_ASPRINTF
-
-/* Define if crypt() is available */
-#undef HAVE_CRYPT
-
-/* Define if the GNU dcgettext() function is already present or preinstalled.
-   */
-#undef HAVE_DCGETTEXT
-
-/* Define to 1 if you have the `execve' function. */
-#undef HAVE_EXECVE
-
-/* Define to 1 if you have the `explicit_bzero' function. */
-#undef HAVE_EXPLICIT_BZERO
-
-/* Define to 1 if you have the `fork' function. */
-#undef HAVE_FORK
-
-/* Define to 1 if you have the `getpid' function. */
-#undef HAVE_GETPID
-
-/* Define to 1 if you have the `getrlimit' function. */
-#undef HAVE_GETRLIMIT
-
-/* Define if the GNU gettext() function is already present or preinstalled. */
-#undef HAVE_GETTEXT
-
-/* Define to 1 if you have the `gettimeofday' function. */
-#undef HAVE_GETTIMEOFDAY
-
-/* Define if you have the iconv() function. */
-#undef HAVE_ICONV
-
-/* Define to 1 if you have the `inet_ntop' function. */
-#undef HAVE_INET_NTOP
-
-/* Define to 1 if you have the `inet_pton' function. */
-#undef HAVE_INET_PTON
-
-/* Define to 1 if the system has the type `intmax_t'. */
-#undef HAVE_INTMAX_T
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-#undef HAVE_LIBNSL
-
-/* Define to 1 if libqrencode is available */
-#undef HAVE_LIBQRENCODE
-
-/* Define to 1 if you have the `socket' library (-lsocket). */
-#undef HAVE_LIBSOCKET
-
-/* Define to 1 if you have the <link.h> header file. */
-#undef HAVE_LINK_H
-
-/* Define to 1 if you have the `localeconv' function. */
-#undef HAVE_LOCALECONV
-
-/* Define to 1 if you have the <locale.h> header file. */
-#undef HAVE_LOCALE_H
-
-/* Define to 1 if the system has the type `long double'. */
-#undef HAVE_LONG_DOUBLE
-
-/* Define to 1 if the system has the type 'long long int'. */
-#undef HAVE_LONG_LONG_INT
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the `memset_s' function. */
-#undef HAVE_MEMSET_S
-
-/* Define to 1 if openssl is available */
-#undef HAVE_OPENSSL
-
-/* Define to 1 if you have the <openssl/ec.h> header file. */
-#undef HAVE_OPENSSL_EC_H
-
-/* Define to 1 if you have the <openssl/err.h> header file. */
-#undef HAVE_OPENSSL_ERR_H
-
-/* Define to 1 if you have the <openssl/ssl.h> header file. */
-#undef HAVE_OPENSSL_SSL_H
-
-/* Define if you want to use PCRE */
-#undef HAVE_PCRE
-
-/* Define to 1 if the system has the type `ptrdiff_t'. */
-#undef HAVE_PTRDIFF_T
-
-/* Define to 1 if you have a C99 compliant `snprintf' function. */
-#undef HAVE_SNPRINTF
-
-/* Define to 1 if you have the <stdarg.h> header file. */
-#undef HAVE_STDARG_H
-
-/* Define to 1 if you have the <stddef.h> header file. */
-#undef HAVE_STDDEF_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the `strcasestr' function. */
-#undef HAVE_STRCASESTR
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the `strtok_r' function. */
-#undef HAVE_STRTOK_R
-
-/* Define to 1 if `decimal_point' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_DECIMAL_POINT
-
-/* Define to 1 if `thousands_sep' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_THOUSANDS_SEP
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if the system has the type `uintmax_t'. */
-#undef HAVE_UINTMAX_T
-
-/* Define to 1 if the system has the type `uintptr_t'. */
-#undef HAVE_UINTPTR_T
-
-/* Define to 1 if you have the `umask' function. */
-#undef HAVE_UMASK
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if the system has the type 'unsigned long long int'. */
-#undef HAVE_UNSIGNED_LONG_LONG_INT
-
-/* Define to 1 if you have the <varargs.h> header file. */
-#undef HAVE_VARARGS_H
-
-/* Define to 1 if you have the `vasprintf' function. */
-#undef HAVE_VASPRINTF
-
-/* Define to 1 if you have the `va_copy' function or macro. */
-#undef HAVE_VA_COPY
-
-/* Define to 1 if you have a C99 compliant `vsnprintf' function. */
-#undef HAVE_VSNPRINTF
-
-/* Define to 1 if you have the `__va_copy' function or macro. */
-#undef HAVE___VA_COPY
-
-/* Uncomment to enable reproducible builds. */
-#undef REPRODUCIBLE_BUILDS
-
-/* Uncomment to enable large network support. */
-#undef LARGE_NETWORK
-
-/* Name of package */
-#undef PACKAGE
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Enable extensions on AIX 3, Interix.  */
-#ifndef _ALL_SOURCE
-# undef _ALL_SOURCE
-#endif
-/* Enable GNU extensions on systems that have them.  */
-#ifndef _GNU_SOURCE
-# undef _GNU_SOURCE
-#endif
-/* Enable threading extensions on Solaris.  */
-#ifndef _POSIX_PTHREAD_SEMANTICS
-# undef _POSIX_PTHREAD_SEMANTICS
-#endif
-/* Enable extensions on HP NonStop.  */
-#ifndef _TANDEM_SOURCE
-# undef _TANDEM_SOURCE
-#endif
-/* Enable general extensions on Solaris.  */
-#ifndef __EXTENSIONS__
-# undef __EXTENSIONS__
-#endif
-
-
-/* Vendor and URL for modules's "vendor" field */
-#undef VENDOR_STRING
-
-/* Version number of package */
-#undef VERSION
-
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-   significant byte first (like Motorola and SPARC, unlike Intel). */
-#if defined AC_APPLE_UNIVERSAL_BUILD
-# if defined __BIG_ENDIAN__
-#  define WORDS_BIGENDIAN 1
-# endif
-#else
-# ifndef WORDS_BIGENDIAN
-#  undef WORDS_BIGENDIAN
-# endif
-#endif
-
-/* Define to 1 if on MINIX. */
-#undef _MINIX
-
-/* Define to 2 if the system does not provide POSIX.1 features except with
-   this defined. */
-#undef _POSIX_1_SOURCE
-
-/* Define to 1 if you need to in order for `stat' and other things to work. */
-#undef _POSIX_SOURCE
-
-/* Define to rpl_asprintf if the replacement function should be used. */
-#undef asprintf
-
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
-/* Define to the widest signed integer type if <stdint.h> and <inttypes.h> do
-   not define. */
-#undef intmax_t
-
-/* Define to `unsigned int' if <sys/types.h> does not define. */
-#undef size_t
-
-/* Define to rpl_snprintf if the replacement function should be used. */
-#undef snprintf
-
-/* Define to the widest unsigned integer type if <stdint.h> and <inttypes.h>
-   do not define. */
-#undef uintmax_t
-
-/* Define to the type of an unsigned integer type wide enough to hold a
-   pointer, if such a type exists, and if the system does not define it. */
-#undef uintptr_t
-
-/* Define to rpl_vasprintf if the replacement function should be used. */
-#undef vasprintf
-
-/* Define to rpl_vsnprintf if the replacement function should be used. */
-#undef vsnprintf
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2.c atheme-services-7.2.9/modules/crypto/pbkdf2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2.c	2017-02-12 09:58:54.000000000 -0500
@@ -31,65 +31,6 @@
 #define ROUNDS		(128000)
 #define SALTLEN		(16)
 
-/* This is an implementation of PKCS#5 v2.0 password based encryption key
- * derivation function PBKDF2.
- * SHA1 version verified against test vectors posted by Peter Gutmann
- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
-			   const unsigned char *salt, int saltlen, int iter,
-			   const EVP_MD *digest,
-			   int keylen, unsigned char *out)
-{
-	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
-	int cplen, j, k, tkeylen, mdlen;
-	unsigned long i = 1;
-	HMAC_CTX hctx;
-
-	mdlen = EVP_MD_size(digest);
-
-	HMAC_CTX_init(&hctx);
-	p = out;
-	tkeylen = keylen;
-	if(!pass)
-		passlen = 0;
-	else if(passlen == -1)
-		passlen = strlen(pass);
-	while(tkeylen)
-	{
-		if(tkeylen > mdlen)
-			cplen = mdlen;
-		else
-			cplen = tkeylen;
-		/* We are unlikely to ever use more than 256 blocks (5120 bits!)
-		 * but just in case...
-		 */
-		itmp[0] = (unsigned char)((i >> 24) & 0xff);
-		itmp[1] = (unsigned char)((i >> 16) & 0xff);
-		itmp[2] = (unsigned char)((i >> 8) & 0xff);
-		itmp[3] = (unsigned char)(i & 0xff);
-		HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
-		HMAC_Update(&hctx, salt, saltlen);
-		HMAC_Update(&hctx, itmp, 4);
-		HMAC_Final(&hctx, digtmp, NULL);
-		memcpy(p, digtmp, cplen);
-		for(j = 1; j < iter; j++)
-		{
-			HMAC(digest, pass, passlen,
-				 digtmp, mdlen, digtmp, NULL);
-			for(k = 0; k < cplen; k++)
-				p[k] ^= digtmp[k];
-		}
-		tkeylen-= cplen;
-		i++;
-		p+= cplen;
-	}
-	HMAC_CTX_cleanup(&hctx);
-	return 1;
-}
-
-/*******************************************************************************************/
-
 static const char *pbkdf2_salt(void)
 {
 	static char buf[SALTLEN + 1];
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2v2.c atheme-services-7.2.9/modules/crypto/pbkdf2v2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2v2.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2v2.c	2017-02-12 09:58:54.000000000 -0500
@@ -28,13 +28,6 @@
 #include <openssl/evp.h>
 
 /*
- * You can change the 2 values below without invalidating old hashes
- */
-
-#define PBKDF2_PRF_DEF		6
-#define PBKDF2_ITER_DEF		64000
-
-/*
  * Do not change anything below this line unless you know what you are doing,
  * AND how it will (possibly) break backward-, forward-, or cross-compatibility
  *
@@ -47,65 +40,15 @@
 #define PBKDF2_F_SALT		"$z$%u$%u$%s$"
 #define PBKDF2_F_PRINT		"$z$%u$%u$%s$%s"
 
+#define PBKDF2_C_MIN		10000
+#define PBKDF2_C_MAX		5000000
+#define PBKDF2_C_DEF		64000
+
 static const char salt_chars[62] =
 	"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
 
-/*
- * This equivalent implementation provided incase the user doesn't
- * have a new enough OpenSSL library installed on their machine
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
-                      const unsigned char *salt, int sl,
-                      int iter, const EVP_MD *PRF,
-                      int dkLen, unsigned char *out)
-{
-	if (! pass)
-		pl = 0;
-
-	if (pass && pl < 0)
-		pl = strlen(pass);
-
-	int tkLen = dkLen;
-	int mdLen = EVP_MD_size(PRF);
-	unsigned char *p = out;
-	unsigned long i = 1;
-
-	HMAC_CTX hctx;
-	HMAC_CTX_init(&hctx);
-
-	while (tkLen) {
-
-		unsigned char itmp[4];
-		itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
-		itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
-		itmp[2] = (unsigned char) ((i >>  8) & 0xFF);
-		itmp[3] = (unsigned char) ((i >>  0) & 0xFF);
-		i++;
-
-		unsigned char digtmp[EVP_MAX_MD_SIZE];
-		HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
-		HMAC_Update(&hctx, salt, sl);
-		HMAC_Update(&hctx, itmp, 4);
-		HMAC_Final(&hctx, digtmp, NULL);
-
-		int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
-		memcpy(p, digtmp, cpLen);
-
-		int j, k;
-		for (j = 1; j < iter; j++) {
-			HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
-			for (k = 0; k < cpLen; k++)
-				p[k] ^= digtmp[k];
-		}
-
-		tkLen -= cpLen;
-		p += cpLen;
-	}
-
-	HMAC_CTX_cleanup(&hctx);
-
-	return 1;
-}
+static unsigned int pbkdf2v2_digest = 6; /* SHA512 */
+static unsigned int pbkdf2v2_rounds = PBKDF2_C_DEF;
 
 static const char *pbkdf2v2_make_salt(void)
 {
@@ -119,7 +62,7 @@
 		salt[i] = salt_chars[arc4random() % sizeof salt_chars];
 
 	(void) snprintf(result, sizeof result, PBKDF2_F_SALT,
-	                PBKDF2_PRF_DEF, PBKDF2_ITER_DEF, salt);
+	                pbkdf2v2_digest, pbkdf2v2_rounds, salt);
 
 	return result;
 }
@@ -189,30 +132,59 @@
 	if (sscanf(user_pass_string, PBKDF2_F_SCAN, &prf, &iter, salt) < 3)
 		return 0;
 
-	if (prf != PBKDF2_PRF_DEF)
+	if (prf != pbkdf2v2_digest)
 		return 1;
 
-	if (iter != PBKDF2_ITER_DEF)
+	if (iter != pbkdf2v2_rounds)
 		return 1;
 
 	return 0;
 }
 
-static crypt_impl_t pbkdf2_crypt_impl = {
+static int c_ci_pbkdf2v2_digest(mowgli_config_file_entry_t *ce)
+{
+	if (ce->vardata == NULL)
+	{
+		conf_report_warning(ce, "no parameter for configuration option");
+		return 0;
+	}
+
+	if (!strcasecmp(ce->vardata, "SHA256"))
+		pbkdf2v2_digest = 5;
+	else if (!strcasecmp(ce->vardata, "SHA512"))
+		pbkdf2v2_digest = 6;
+	else
+		conf_report_warning(ce, "invalid parameter for configuration option");
+
+	return 0;
+}
+
+static crypt_impl_t pbkdf2v2_crypt_impl = {
 	.id = "pbkdf2v2",
 	.crypt = &pbkdf2v2_crypt,
 	.salt = &pbkdf2v2_make_salt,
 	.needs_param_upgrade = &pbkdf2v2_needs_param_upgrade,
 };
 
+static mowgli_list_t conf_pbkdf2v2_table;
+
 void _modinit(module_t* m)
 {
-	crypt_register(&pbkdf2_crypt_impl);
+	crypt_register(&pbkdf2v2_crypt_impl);
+
+	add_subblock_top_conf("PBKDF2V2", &conf_pbkdf2v2_table);
+	add_conf_item("DIGEST", &conf_pbkdf2v2_table, c_ci_pbkdf2v2_digest);
+	add_uint_conf_item("ROUNDS", &conf_pbkdf2v2_table, 0, &pbkdf2v2_rounds,
+	                             PBKDF2_C_MIN, PBKDF2_C_MAX, PBKDF2_C_DEF);
 }
 
 void _moddeinit(module_unload_intent_t intent)
 {
-	crypt_unregister(&pbkdf2_crypt_impl);
+	del_conf_item("DIGEST", &conf_pbkdf2v2_table);
+	del_conf_item("ROUNDS", &conf_pbkdf2v2_table);
+	del_top_conf("PBKDF2V2");
+
+	crypt_unregister(&pbkdf2v2_crypt_impl);
 }
 
-#endif
+#endif /* HAVE_OPENSSL */
diff -Nru atheme-services-7.2.7/modules/memoserv/main.c atheme-services-7.2.9/modules/memoserv/main.c
--- atheme-services-7.2.7/modules/memoserv/main.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/memoserv/main.c	2017-02-12 09:58:54.000000000 -0500
@@ -38,6 +38,9 @@
 
 void _moddeinit(module_unload_intent_t intent)
 {
+	hook_del_user_identify(on_user_identify);
+	hook_del_user_away(on_user_away);
+
         if (memosvs != NULL)
                 service_delete(memosvs);
 }
@@ -54,6 +57,11 @@
 		notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"),
 					ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
 	}
+	if (mu->memos.count >= maxmemos)
+	{
+		notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+		                                     "delete memos you no longer need."));
+	}
 }
 
 static void on_user_away(user_t *u)
@@ -80,6 +88,11 @@
 		notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"),
 					ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
 	}
+	if (mu->memos.count >= maxmemos)
+	{
+		notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+		                                     "delete memos you no longer need."));
+	}
 }
 
 /* vim:cinoptions=>s,e0,n0,f0,{0,}0,^0,=s,ps,t0,c3,+s,(2s,us,)20,*30,gs,hs
diff -Nru atheme-services-7.2.7/modules/saslserv/main.c atheme-services-7.2.9/modules/saslserv/main.c
--- atheme-services-7.2.7/modules/saslserv/main.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/saslserv/main.c	2017-02-12 09:58:54.000000000 -0500
@@ -609,6 +609,7 @@
 	req.mu = source_mu;
 	req.allowed = true;
 	hook_call_user_can_login(&req);
+	object_unref(req.si);
 	if (!req.allowed)
 	{
 		sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(source_mu)->name);
@@ -645,9 +646,11 @@
 
 		sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "allowed IMPERSONATE by \2%s\2 to \2%s\2", entity(source_mu)->name, entity(target_mu)->name);
 
+		req.si = sasl_sourceinfo_create(p);
 		req.mu = target_mu;
 		req.allowed = true;
 		hook_call_user_can_login(&req);
+		object_unref(req.si);
 		if (!req.allowed)
 		{
 			sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(target_mu)->name);
diff -Nru atheme-services-7.2.7/NEWS.md atheme-services-7.2.9/NEWS.md
--- atheme-services-7.2.7/NEWS.md	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/NEWS.md	2017-02-12 09:58:54.000000000 -0500
@@ -1,3 +1,18 @@
+Atheme Services 7.2.9 Release Notes
+===================================
+
+This is a security release fixing use after free that could potentially be abused
+by an attacker already having the privilege to use SASL impersonation to cause a
+denial of service. Users of 7.2.8 should update to version 7.2.9; older releases
+are not affected.
+
+Atheme Services 7.2.8 Release Notes
+===================================
+
+This is a security release fixing a memory leak that could potentially be abused
+by attackers to cause a denial of service. Users of Atheme 7.2.7 should update to
+version 7.2.8; older releases are not affected.
+
 Atheme Services 7.2.7 Release Notes
 ===================================
 

Reply to: