Bug#855595: unblock: atheme-services/7.2.9
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package atheme-services
There is a security issue that was fixed in the upstream 7.2.8 package
(#855588), which introduced a new security issue, which was fixed in
the 7.2.9 package.
7.2.8, unfortunately, includes unrelated changes, most notably:
* email templates: Fix leading whitespace
* atheme.conf.example: better highlight the pbkdf2v2 crypto module
* pbkdf2v2: make digest and rounds configurable at runtime
* memoserv: let user know (on identify and /away) when their inbox is full
* memoserv: unregister hooks when unloading
Those are small convenience fixes, some of those that will make the
program cryptographically stronger for the lifetime of stretch. Others
are pure bugfixes...
I think it is worth shipping the latest upstream at this point, since
those changes are small. They also factor in two patches that I had to
include in the 7.2.7-1 upload to fix builds with OpenSSL 1.1, so it
actually reduces our difference with upstream.
Attached is the debdiff against 7.2.7-1 (stretch/sid).
unblock atheme-services/7.2.9
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru atheme-services-7.2.7/configure atheme-services-7.2.9/configure
--- atheme-services-7.2.7/configure 2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/configure 2017-02-12 10:02:49.000000000 -0500
@@ -1,8 +1,8 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for atheme 7.2.7.
+# Generated by GNU Autoconf 2.69 for atheme 7.2.9.
#
-# Report bugs to <https://github.com/atheme/atheme/issues>.
+# Report bugs to <https://github.com/atheme/atheme/issues/>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -267,7 +267,7 @@
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell bug-autoconf@gnu.org and
-$0: https://github.com/atheme/atheme/issues about your
+$0: https://github.com/atheme/atheme/issues/ about your
$0: system, including any error possibly output before this
$0: message. Then install a modern shell, or manually run
$0: the script under such a shell if you do have one."
@@ -580,9 +580,9 @@
# Identity of this package.
PACKAGE_NAME='atheme'
PACKAGE_TARNAME='atheme'
-PACKAGE_VERSION='7.2.7'
-PACKAGE_STRING='atheme 7.2.7'
-PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues'
+PACKAGE_VERSION='7.2.9'
+PACKAGE_STRING='atheme 7.2.9'
+PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues/'
PACKAGE_URL=''
ac_default_prefix=~/atheme
@@ -1341,7 +1341,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures atheme 7.2.7 to adapt to many kinds of systems.
+\`configure' configures atheme 7.2.9 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1406,7 +1406,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of atheme 7.2.7:";;
+ short | recursive ) echo "Configuration of atheme 7.2.9:";;
esac
cat <<\_ACEOF
@@ -1466,7 +1466,7 @@
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
-Report bugs to <https://github.com/atheme/atheme/issues>.
+Report bugs to <https://github.com/atheme/atheme/issues/>.
_ACEOF
ac_status=$?
fi
@@ -1529,7 +1529,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-atheme configure 7.2.7
+atheme configure 7.2.9
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1688,9 +1688,9 @@
$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ------------------------------------------------------ ##
-## Report this to https://github.com/atheme/atheme/issues ##
-## ------------------------------------------------------ ##"
+( $as_echo "## ------------------------------------------------------- ##
+## Report this to https://github.com/atheme/atheme/issues/ ##
+## ------------------------------------------------------- ##"
) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
@@ -2038,7 +2038,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by atheme $as_me 7.2.7, which was
+It was created by atheme $as_me 7.2.9, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4831,7 +4831,7 @@
PACKAGE=atheme
-VERSION=7.2.7
+VERSION=7.2.9
@@ -10462,7 +10462,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by atheme $as_me 7.2.7, which was
+This file was extended by atheme $as_me 7.2.9, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -10522,13 +10522,13 @@
Configuration commands:
$config_commands
-Report bugs to <https://github.com/atheme/atheme/issues>."
+Report bugs to <https://github.com/atheme/atheme/issues/>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-atheme config.status 7.2.7
+atheme config.status 7.2.9
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru atheme-services-7.2.7/configure.ac atheme-services-7.2.9/configure.ac
--- atheme-services-7.2.7/configure.ac 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/configure.ac 2017-02-12 09:58:54.000000000 -0500
@@ -7,7 +7,7 @@
AC_PREREQ(2.59)
-AC_INIT(atheme, 7.2.7, [https://github.com/atheme/atheme/issues])
+AC_INIT(atheme, 7.2.9, [https://github.com/atheme/atheme/issues/])
AC_CONFIG_AUX_DIR(autoconf)
diff -Nru atheme-services-7.2.7/debian/changelog atheme-services-7.2.9/debian/changelog
--- atheme-services-7.2.7/debian/changelog 2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/changelog 2017-02-07 21:01:27.000000000 -0500
@@ -1,3 +1,23 @@
+atheme-services (7.2.9-1) unstable; urgency=medium
+
+ * new upstream release (7.2.8) fixing security issue "saslserv/main: free
+ sasl_sourceinfo_t after use" see:
+ https://github.com/atheme/atheme/pull/539
+ * new upstream release (7.2.9) fixing security issue introduced in
+ 7.2.8: "Fix use after free during impersonation" (Closes: #855588)
+ * remove two OpenSSL 1.1 patches merged upstream
+
+ [ Jos Ahrens ]
+ * email templates: Fix leading whitespace
+
+ [ Aaron Jones ]
+ * atheme.conf.example: better highlight the pbkdf2v2 crypto module
+ * pbkdf2v2: make digest and rounds configurable at runtime
+ * memoserv: let user know (on identify and /away) when their inbox is full
+ * memoserv: unregister hooks when unloading
+
+ -- Antoine Beaupré <anarcat@debian.org> Tue, 07 Feb 2017 21:01:27 -0500
+
atheme-services (7.2.7-1) unstable; urgency=medium
* new upstream release
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch 2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch 1969-12-31 19:00:00.000000000 -0500
@@ -1,82 +0,0 @@
-From 54809431abc683e43f58306e622db4ba65efcbeb Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjones@gmail.com>
-Date: Wed, 16 Nov 2016 08:21:32 +0000
-Subject: [PATCH] pbkdf2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-Fixes #528
----
- modules/crypto/pbkdf2.c | 59 -------------------------------------------------
- 1 file changed, 59 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2.c b/modules/crypto/pbkdf2.c
-index 2c39bf2..82df9e6 100644
---- a/modules/crypto/pbkdf2.c
-+++ b/modules/crypto/pbkdf2.c
-@@ -31,65 +31,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2", false, _modinit, _moddeinit, PACKAGE_VERSION,
- #define ROUNDS (128000)
- #define SALTLEN (16)
-
--/* This is an implementation of PKCS#5 v2.0 password based encryption key
-- * derivation function PBKDF2.
-- * SHA1 version verified against test vectors posted by Peter Gutmann
-- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
-- const unsigned char *salt, int saltlen, int iter,
-- const EVP_MD *digest,
-- int keylen, unsigned char *out)
--{
-- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
-- int cplen, j, k, tkeylen, mdlen;
-- unsigned long i = 1;
-- HMAC_CTX hctx;
--
-- mdlen = EVP_MD_size(digest);
--
-- HMAC_CTX_init(&hctx);
-- p = out;
-- tkeylen = keylen;
-- if(!pass)
-- passlen = 0;
-- else if(passlen == -1)
-- passlen = strlen(pass);
-- while(tkeylen)
-- {
-- if(tkeylen > mdlen)
-- cplen = mdlen;
-- else
-- cplen = tkeylen;
-- /* We are unlikely to ever use more than 256 blocks (5120 bits!)
-- * but just in case...
-- */
-- itmp[0] = (unsigned char)((i >> 24) & 0xff);
-- itmp[1] = (unsigned char)((i >> 16) & 0xff);
-- itmp[2] = (unsigned char)((i >> 8) & 0xff);
-- itmp[3] = (unsigned char)(i & 0xff);
-- HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
-- HMAC_Update(&hctx, salt, saltlen);
-- HMAC_Update(&hctx, itmp, 4);
-- HMAC_Final(&hctx, digtmp, NULL);
-- memcpy(p, digtmp, cplen);
-- for(j = 1; j < iter; j++)
-- {
-- HMAC(digest, pass, passlen,
-- digtmp, mdlen, digtmp, NULL);
-- for(k = 0; k < cplen; k++)
-- p[k] ^= digtmp[k];
-- }
-- tkeylen-= cplen;
-- i++;
-- p+= cplen;
-- }
-- HMAC_CTX_cleanup(&hctx);
-- return 1;
--}
--
--/*******************************************************************************************/
--
- static const char *pbkdf2_salt(void)
- {
- static char buf[SALTLEN + 1];
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch 2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch 1969-12-31 19:00:00.000000000 -0500
@@ -1,80 +0,0 @@
-From b04f18e7d7410797d9c043b0944d715a522465c6 Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjones@gmail.com>
-Date: Wed, 16 Nov 2016 14:31:16 +0000
-Subject: [PATCH] pbkdf2v2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-c.f. issue #528
----
- modules/crypto/pbkdf2v2.c | 57 -----------------------------------------------
- 1 file changed, 57 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2v2.c b/modules/crypto/pbkdf2v2.c
-index 940281d..289e841 100644
---- a/modules/crypto/pbkdf2v2.c
-+++ b/modules/crypto/pbkdf2v2.c
-@@ -50,63 +50,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2v2", false, _modinit, _moddeinit,
- static const char salt_chars[62] =
- "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
-
--/*
-- * This equivalent implementation provided incase the user doesn't
-- * have a new enough OpenSSL library installed on their machine
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
-- const unsigned char *salt, int sl,
-- int iter, const EVP_MD *PRF,
-- int dkLen, unsigned char *out)
--{
-- if (! pass)
-- pl = 0;
--
-- if (pass && pl < 0)
-- pl = strlen(pass);
--
-- int tkLen = dkLen;
-- int mdLen = EVP_MD_size(PRF);
-- unsigned char *p = out;
-- unsigned long i = 1;
--
-- HMAC_CTX hctx;
-- HMAC_CTX_init(&hctx);
--
-- while (tkLen) {
--
-- unsigned char itmp[4];
-- itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
-- itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
-- itmp[2] = (unsigned char) ((i >> 8) & 0xFF);
-- itmp[3] = (unsigned char) ((i >> 0) & 0xFF);
-- i++;
--
-- unsigned char digtmp[EVP_MAX_MD_SIZE];
-- HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
-- HMAC_Update(&hctx, salt, sl);
-- HMAC_Update(&hctx, itmp, 4);
-- HMAC_Final(&hctx, digtmp, NULL);
--
-- int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
-- memcpy(p, digtmp, cpLen);
--
-- int j, k;
-- for (j = 1; j < iter; j++) {
-- HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
-- for (k = 0; k < cpLen; k++)
-- p[k] ^= digtmp[k];
-- }
--
-- tkLen -= cpLen;
-- p += cpLen;
-- }
--
-- HMAC_CTX_cleanup(&hctx);
--
-- return 1;
--}
--
- static const char *pbkdf2v2_make_salt(void)
- {
- char salt[PBKDF2_SALTLEN + 1];
diff -Nru atheme-services-7.2.7/debian/patches/series atheme-services-7.2.9/debian/patches/series
--- atheme-services-7.2.7/debian/patches/series 2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/series 2017-02-07 21:01:27.000000000 -0500
@@ -1,4 +1,2 @@
-openssl-1.1.0-b04f18e.patch
ecdsakeygen-rename.patch
dbverify-path-769145.patch
-openssl-1.1.0-5480943.patch
diff -Nru atheme-services-7.2.7/dist/atheme.conf.example atheme-services-7.2.9/dist/atheme.conf.example
--- atheme-services-7.2.7/dist/atheme.conf.example 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/dist/atheme.conf.example 2017-02-12 09:58:54.000000000 -0500
@@ -107,8 +107,8 @@
*
* The following crypto modules are available:
*
- * PBKDF2 cryptography (new) modules/crypto/pbkdf2v2
- * PBKDF2 cryptography (old) modules/crypto/pbkdf2
+ * PBKDF2 cryptography (new, recommended) modules/crypto/pbkdf2v2
+ * PBKDF2 cryptography (old, compatibility) modules/crypto/pbkdf2
* POSIX-style crypt(3) modules/crypto/posix
* IRCServices (also Anope etc) compatibility modules/crypto/ircservices
* Raw MD5 (Anope compatibility) modules/crypto/rawmd5
@@ -126,6 +126,7 @@
*
* The rawsha1 and pbkdf2/pbkdf2v2 modules require OpenSSL.
*/
+#loadmodule "modules/crypto/pbkdf2v2";
loadmodule "modules/crypto/posix";
/* Authentication module.
@@ -803,6 +804,27 @@
* SERVICES RUNTIME CONFIGURATION SECTION. *
******************************************************************************/
+/*
+ * If you are using the crypto/pbkdf2v2 module, you may wish to edit this block
+ *
+ * It is recommended to either leave the values at the defaults, or experiment
+ * with them so that it takes approximately 1 second for users to identify.
+ */
+pbkdf2v2 {
+
+ /* digest
+ * Valid values are "SHA256" and "SHA512"
+ * The default is "SHA512"
+ */
+ #digest = "SHA512";
+
+ /* rounds
+ * Valid values are 10000 to 5000000 (inclusive)
+ * The default is 64000
+ */
+ #rounds = 64000;
+};
+
/* The serverinfo{} block defines how we appear on the IRC network. */
serverinfo {
/* name
diff -Nru atheme-services-7.2.7/email/default/register atheme-services-7.2.9/email/default/register
--- atheme-services-7.2.7/email/default/register 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/register 2017-02-12 09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
In order to complete your account registration, you must type the following
command on IRC:
- /msg &nicksvs& VERIFY REGISTER &accountname& ¶m&
+/msg &nicksvs& VERIFY REGISTER &accountname& ¶m&
Thank you for registering your account on the &netname& IRC network!
diff -Nru atheme-services-7.2.7/email/default/setemail atheme-services-7.2.9/email/default/setemail
--- atheme-services-7.2.7/email/default/setemail 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setemail 2017-02-12 09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
In order to complete the e-mail address change, you must verify your new
e-mail address by issuing the following command on IRC:
- /msg &nicksvs& VERIFY EMAILCHG &accountname& ¶m&
+/msg &nicksvs& VERIFY EMAILCHG &accountname& ¶m&
Thank you for updating your e-mail address on file with the &netname&
IRC network!
diff -Nru atheme-services-7.2.7/email/default/setpass atheme-services-7.2.9/email/default/setpass
--- atheme-services-7.2.7/email/default/setpass 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setpass 2017-02-12 09:58:54.000000000 -0500
@@ -14,7 +14,7 @@
In order to set a new password, you must send the following command
on IRC, where <password> is the new password you wish to set.
- /msg &nicksvs& SETPASS &accountname& ¶m& <password>
+/msg &nicksvs& SETPASS &accountname& ¶m& <password>
--
If this message is unsolicited, please contact &replyto&
diff -Nru atheme-services-7.2.7/include/serno.h atheme-services-7.2.9/include/serno.h
--- atheme-services-7.2.7/include/serno.h 2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/include/serno.h 2017-02-12 10:02:49.000000000 -0500
@@ -1,2 +1,2 @@
/* Generated automatically by makepackage. Any changes made here will be lost. */
-#define SERNO "ddc1fd73ee114b0f6d7a714db22c51c23c719b6e"
+#define SERNO "4db7745cc39e835c6bd00ad9fac6a8c9b71fabaa"
diff -Nru atheme-services-7.2.7/include/sysconf.h.in~ atheme-services-7.2.9/include/sysconf.h.in~
--- atheme-services-7.2.7/include/sysconf.h.in~ 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/include/sysconf.h.in~ 1969-12-31 19:00:00.000000000 -0500
@@ -1,290 +0,0 @@
-/* include/sysconf.h.in. Generated from configure.ac by autoheader. */
-
-/* Define if building universal (internal helper macro) */
-#undef AC_APPLE_UNIVERSAL_BUILD
-
-/* Define to 1 if translation of program messages to the user's native
- language is requested. */
-#undef ENABLE_NLS
-
-/* Define to 1 if you have the `arc4random' function. */
-#undef HAVE_ARC4RANDOM
-
-/* Define to 1 if you have the `arc4random_buf' function. */
-#undef HAVE_ARC4RANDOM_BUF
-
-/* Define to 1 if you have the `arc4random_uniform' function. */
-#undef HAVE_ARC4RANDOM_UNIFORM
-
-/* Define to 1 if you have the `asprintf' function. */
-#undef HAVE_ASPRINTF
-
-/* Define if crypt() is available */
-#undef HAVE_CRYPT
-
-/* Define if the GNU dcgettext() function is already present or preinstalled.
- */
-#undef HAVE_DCGETTEXT
-
-/* Define to 1 if you have the `execve' function. */
-#undef HAVE_EXECVE
-
-/* Define to 1 if you have the `explicit_bzero' function. */
-#undef HAVE_EXPLICIT_BZERO
-
-/* Define to 1 if you have the `fork' function. */
-#undef HAVE_FORK
-
-/* Define to 1 if you have the `getpid' function. */
-#undef HAVE_GETPID
-
-/* Define to 1 if you have the `getrlimit' function. */
-#undef HAVE_GETRLIMIT
-
-/* Define if the GNU gettext() function is already present or preinstalled. */
-#undef HAVE_GETTEXT
-
-/* Define to 1 if you have the `gettimeofday' function. */
-#undef HAVE_GETTIMEOFDAY
-
-/* Define if you have the iconv() function. */
-#undef HAVE_ICONV
-
-/* Define to 1 if you have the `inet_ntop' function. */
-#undef HAVE_INET_NTOP
-
-/* Define to 1 if you have the `inet_pton' function. */
-#undef HAVE_INET_PTON
-
-/* Define to 1 if the system has the type `intmax_t'. */
-#undef HAVE_INTMAX_T
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-#undef HAVE_LIBNSL
-
-/* Define to 1 if libqrencode is available */
-#undef HAVE_LIBQRENCODE
-
-/* Define to 1 if you have the `socket' library (-lsocket). */
-#undef HAVE_LIBSOCKET
-
-/* Define to 1 if you have the <link.h> header file. */
-#undef HAVE_LINK_H
-
-/* Define to 1 if you have the `localeconv' function. */
-#undef HAVE_LOCALECONV
-
-/* Define to 1 if you have the <locale.h> header file. */
-#undef HAVE_LOCALE_H
-
-/* Define to 1 if the system has the type `long double'. */
-#undef HAVE_LONG_DOUBLE
-
-/* Define to 1 if the system has the type 'long long int'. */
-#undef HAVE_LONG_LONG_INT
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the `memset_s' function. */
-#undef HAVE_MEMSET_S
-
-/* Define to 1 if openssl is available */
-#undef HAVE_OPENSSL
-
-/* Define to 1 if you have the <openssl/ec.h> header file. */
-#undef HAVE_OPENSSL_EC_H
-
-/* Define to 1 if you have the <openssl/err.h> header file. */
-#undef HAVE_OPENSSL_ERR_H
-
-/* Define to 1 if you have the <openssl/ssl.h> header file. */
-#undef HAVE_OPENSSL_SSL_H
-
-/* Define if you want to use PCRE */
-#undef HAVE_PCRE
-
-/* Define to 1 if the system has the type `ptrdiff_t'. */
-#undef HAVE_PTRDIFF_T
-
-/* Define to 1 if you have a C99 compliant `snprintf' function. */
-#undef HAVE_SNPRINTF
-
-/* Define to 1 if you have the <stdarg.h> header file. */
-#undef HAVE_STDARG_H
-
-/* Define to 1 if you have the <stddef.h> header file. */
-#undef HAVE_STDDEF_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the `strcasestr' function. */
-#undef HAVE_STRCASESTR
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the `strtok_r' function. */
-#undef HAVE_STRTOK_R
-
-/* Define to 1 if `decimal_point' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_DECIMAL_POINT
-
-/* Define to 1 if `thousands_sep' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_THOUSANDS_SEP
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if the system has the type `uintmax_t'. */
-#undef HAVE_UINTMAX_T
-
-/* Define to 1 if the system has the type `uintptr_t'. */
-#undef HAVE_UINTPTR_T
-
-/* Define to 1 if you have the `umask' function. */
-#undef HAVE_UMASK
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if the system has the type 'unsigned long long int'. */
-#undef HAVE_UNSIGNED_LONG_LONG_INT
-
-/* Define to 1 if you have the <varargs.h> header file. */
-#undef HAVE_VARARGS_H
-
-/* Define to 1 if you have the `vasprintf' function. */
-#undef HAVE_VASPRINTF
-
-/* Define to 1 if you have the `va_copy' function or macro. */
-#undef HAVE_VA_COPY
-
-/* Define to 1 if you have a C99 compliant `vsnprintf' function. */
-#undef HAVE_VSNPRINTF
-
-/* Define to 1 if you have the `__va_copy' function or macro. */
-#undef HAVE___VA_COPY
-
-/* Uncomment to enable reproducible builds. */
-#undef REPRODUCIBLE_BUILDS
-
-/* Uncomment to enable large network support. */
-#undef LARGE_NETWORK
-
-/* Name of package */
-#undef PACKAGE
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Enable extensions on AIX 3, Interix. */
-#ifndef _ALL_SOURCE
-# undef _ALL_SOURCE
-#endif
-/* Enable GNU extensions on systems that have them. */
-#ifndef _GNU_SOURCE
-# undef _GNU_SOURCE
-#endif
-/* Enable threading extensions on Solaris. */
-#ifndef _POSIX_PTHREAD_SEMANTICS
-# undef _POSIX_PTHREAD_SEMANTICS
-#endif
-/* Enable extensions on HP NonStop. */
-#ifndef _TANDEM_SOURCE
-# undef _TANDEM_SOURCE
-#endif
-/* Enable general extensions on Solaris. */
-#ifndef __EXTENSIONS__
-# undef __EXTENSIONS__
-#endif
-
-
-/* Vendor and URL for modules's "vendor" field */
-#undef VENDOR_STRING
-
-/* Version number of package */
-#undef VERSION
-
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
- significant byte first (like Motorola and SPARC, unlike Intel). */
-#if defined AC_APPLE_UNIVERSAL_BUILD
-# if defined __BIG_ENDIAN__
-# define WORDS_BIGENDIAN 1
-# endif
-#else
-# ifndef WORDS_BIGENDIAN
-# undef WORDS_BIGENDIAN
-# endif
-#endif
-
-/* Define to 1 if on MINIX. */
-#undef _MINIX
-
-/* Define to 2 if the system does not provide POSIX.1 features except with
- this defined. */
-#undef _POSIX_1_SOURCE
-
-/* Define to 1 if you need to in order for `stat' and other things to work. */
-#undef _POSIX_SOURCE
-
-/* Define to rpl_asprintf if the replacement function should be used. */
-#undef asprintf
-
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
-/* Define to the widest signed integer type if <stdint.h> and <inttypes.h> do
- not define. */
-#undef intmax_t
-
-/* Define to `unsigned int' if <sys/types.h> does not define. */
-#undef size_t
-
-/* Define to rpl_snprintf if the replacement function should be used. */
-#undef snprintf
-
-/* Define to the widest unsigned integer type if <stdint.h> and <inttypes.h>
- do not define. */
-#undef uintmax_t
-
-/* Define to the type of an unsigned integer type wide enough to hold a
- pointer, if such a type exists, and if the system does not define it. */
-#undef uintptr_t
-
-/* Define to rpl_vasprintf if the replacement function should be used. */
-#undef vasprintf
-
-/* Define to rpl_vsnprintf if the replacement function should be used. */
-#undef vsnprintf
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2.c atheme-services-7.2.9/modules/crypto/pbkdf2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2.c 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2.c 2017-02-12 09:58:54.000000000 -0500
@@ -31,65 +31,6 @@
#define ROUNDS (128000)
#define SALTLEN (16)
-/* This is an implementation of PKCS#5 v2.0 password based encryption key
- * derivation function PBKDF2.
- * SHA1 version verified against test vectors posted by Peter Gutmann
- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
- const unsigned char *salt, int saltlen, int iter,
- const EVP_MD *digest,
- int keylen, unsigned char *out)
-{
- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
- int cplen, j, k, tkeylen, mdlen;
- unsigned long i = 1;
- HMAC_CTX hctx;
-
- mdlen = EVP_MD_size(digest);
-
- HMAC_CTX_init(&hctx);
- p = out;
- tkeylen = keylen;
- if(!pass)
- passlen = 0;
- else if(passlen == -1)
- passlen = strlen(pass);
- while(tkeylen)
- {
- if(tkeylen > mdlen)
- cplen = mdlen;
- else
- cplen = tkeylen;
- /* We are unlikely to ever use more than 256 blocks (5120 bits!)
- * but just in case...
- */
- itmp[0] = (unsigned char)((i >> 24) & 0xff);
- itmp[1] = (unsigned char)((i >> 16) & 0xff);
- itmp[2] = (unsigned char)((i >> 8) & 0xff);
- itmp[3] = (unsigned char)(i & 0xff);
- HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
- HMAC_Update(&hctx, salt, saltlen);
- HMAC_Update(&hctx, itmp, 4);
- HMAC_Final(&hctx, digtmp, NULL);
- memcpy(p, digtmp, cplen);
- for(j = 1; j < iter; j++)
- {
- HMAC(digest, pass, passlen,
- digtmp, mdlen, digtmp, NULL);
- for(k = 0; k < cplen; k++)
- p[k] ^= digtmp[k];
- }
- tkeylen-= cplen;
- i++;
- p+= cplen;
- }
- HMAC_CTX_cleanup(&hctx);
- return 1;
-}
-
-/*******************************************************************************************/
-
static const char *pbkdf2_salt(void)
{
static char buf[SALTLEN + 1];
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2v2.c atheme-services-7.2.9/modules/crypto/pbkdf2v2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2v2.c 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2v2.c 2017-02-12 09:58:54.000000000 -0500
@@ -28,13 +28,6 @@
#include <openssl/evp.h>
/*
- * You can change the 2 values below without invalidating old hashes
- */
-
-#define PBKDF2_PRF_DEF 6
-#define PBKDF2_ITER_DEF 64000
-
-/*
* Do not change anything below this line unless you know what you are doing,
* AND how it will (possibly) break backward-, forward-, or cross-compatibility
*
@@ -47,65 +40,15 @@
#define PBKDF2_F_SALT "$z$%u$%u$%s$"
#define PBKDF2_F_PRINT "$z$%u$%u$%s$%s"
+#define PBKDF2_C_MIN 10000
+#define PBKDF2_C_MAX 5000000
+#define PBKDF2_C_DEF 64000
+
static const char salt_chars[62] =
"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
-/*
- * This equivalent implementation provided incase the user doesn't
- * have a new enough OpenSSL library installed on their machine
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
- const unsigned char *salt, int sl,
- int iter, const EVP_MD *PRF,
- int dkLen, unsigned char *out)
-{
- if (! pass)
- pl = 0;
-
- if (pass && pl < 0)
- pl = strlen(pass);
-
- int tkLen = dkLen;
- int mdLen = EVP_MD_size(PRF);
- unsigned char *p = out;
- unsigned long i = 1;
-
- HMAC_CTX hctx;
- HMAC_CTX_init(&hctx);
-
- while (tkLen) {
-
- unsigned char itmp[4];
- itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
- itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
- itmp[2] = (unsigned char) ((i >> 8) & 0xFF);
- itmp[3] = (unsigned char) ((i >> 0) & 0xFF);
- i++;
-
- unsigned char digtmp[EVP_MAX_MD_SIZE];
- HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
- HMAC_Update(&hctx, salt, sl);
- HMAC_Update(&hctx, itmp, 4);
- HMAC_Final(&hctx, digtmp, NULL);
-
- int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
- memcpy(p, digtmp, cpLen);
-
- int j, k;
- for (j = 1; j < iter; j++) {
- HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
- for (k = 0; k < cpLen; k++)
- p[k] ^= digtmp[k];
- }
-
- tkLen -= cpLen;
- p += cpLen;
- }
-
- HMAC_CTX_cleanup(&hctx);
-
- return 1;
-}
+static unsigned int pbkdf2v2_digest = 6; /* SHA512 */
+static unsigned int pbkdf2v2_rounds = PBKDF2_C_DEF;
static const char *pbkdf2v2_make_salt(void)
{
@@ -119,7 +62,7 @@
salt[i] = salt_chars[arc4random() % sizeof salt_chars];
(void) snprintf(result, sizeof result, PBKDF2_F_SALT,
- PBKDF2_PRF_DEF, PBKDF2_ITER_DEF, salt);
+ pbkdf2v2_digest, pbkdf2v2_rounds, salt);
return result;
}
@@ -189,30 +132,59 @@
if (sscanf(user_pass_string, PBKDF2_F_SCAN, &prf, &iter, salt) < 3)
return 0;
- if (prf != PBKDF2_PRF_DEF)
+ if (prf != pbkdf2v2_digest)
return 1;
- if (iter != PBKDF2_ITER_DEF)
+ if (iter != pbkdf2v2_rounds)
return 1;
return 0;
}
-static crypt_impl_t pbkdf2_crypt_impl = {
+static int c_ci_pbkdf2v2_digest(mowgli_config_file_entry_t *ce)
+{
+ if (ce->vardata == NULL)
+ {
+ conf_report_warning(ce, "no parameter for configuration option");
+ return 0;
+ }
+
+ if (!strcasecmp(ce->vardata, "SHA256"))
+ pbkdf2v2_digest = 5;
+ else if (!strcasecmp(ce->vardata, "SHA512"))
+ pbkdf2v2_digest = 6;
+ else
+ conf_report_warning(ce, "invalid parameter for configuration option");
+
+ return 0;
+}
+
+static crypt_impl_t pbkdf2v2_crypt_impl = {
.id = "pbkdf2v2",
.crypt = &pbkdf2v2_crypt,
.salt = &pbkdf2v2_make_salt,
.needs_param_upgrade = &pbkdf2v2_needs_param_upgrade,
};
+static mowgli_list_t conf_pbkdf2v2_table;
+
void _modinit(module_t* m)
{
- crypt_register(&pbkdf2_crypt_impl);
+ crypt_register(&pbkdf2v2_crypt_impl);
+
+ add_subblock_top_conf("PBKDF2V2", &conf_pbkdf2v2_table);
+ add_conf_item("DIGEST", &conf_pbkdf2v2_table, c_ci_pbkdf2v2_digest);
+ add_uint_conf_item("ROUNDS", &conf_pbkdf2v2_table, 0, &pbkdf2v2_rounds,
+ PBKDF2_C_MIN, PBKDF2_C_MAX, PBKDF2_C_DEF);
}
void _moddeinit(module_unload_intent_t intent)
{
- crypt_unregister(&pbkdf2_crypt_impl);
+ del_conf_item("DIGEST", &conf_pbkdf2v2_table);
+ del_conf_item("ROUNDS", &conf_pbkdf2v2_table);
+ del_top_conf("PBKDF2V2");
+
+ crypt_unregister(&pbkdf2v2_crypt_impl);
}
-#endif
+#endif /* HAVE_OPENSSL */
diff -Nru atheme-services-7.2.7/modules/memoserv/main.c atheme-services-7.2.9/modules/memoserv/main.c
--- atheme-services-7.2.7/modules/memoserv/main.c 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/memoserv/main.c 2017-02-12 09:58:54.000000000 -0500
@@ -38,6 +38,9 @@
void _moddeinit(module_unload_intent_t intent)
{
+ hook_del_user_identify(on_user_identify);
+ hook_del_user_away(on_user_away);
+
if (memosvs != NULL)
service_delete(memosvs);
}
@@ -54,6 +57,11 @@
notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"),
ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
}
+ if (mu->memos.count >= maxmemos)
+ {
+ notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+ "delete memos you no longer need."));
+ }
}
static void on_user_away(user_t *u)
@@ -80,6 +88,11 @@
notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"),
ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
}
+ if (mu->memos.count >= maxmemos)
+ {
+ notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+ "delete memos you no longer need."));
+ }
}
/* vim:cinoptions=>s,e0,n0,f0,{0,}0,^0,=s,ps,t0,c3,+s,(2s,us,)20,*30,gs,hs
diff -Nru atheme-services-7.2.7/modules/saslserv/main.c atheme-services-7.2.9/modules/saslserv/main.c
--- atheme-services-7.2.7/modules/saslserv/main.c 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/saslserv/main.c 2017-02-12 09:58:54.000000000 -0500
@@ -609,6 +609,7 @@
req.mu = source_mu;
req.allowed = true;
hook_call_user_can_login(&req);
+ object_unref(req.si);
if (!req.allowed)
{
sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(source_mu)->name);
@@ -645,9 +646,11 @@
sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "allowed IMPERSONATE by \2%s\2 to \2%s\2", entity(source_mu)->name, entity(target_mu)->name);
+ req.si = sasl_sourceinfo_create(p);
req.mu = target_mu;
req.allowed = true;
hook_call_user_can_login(&req);
+ object_unref(req.si);
if (!req.allowed)
{
sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(target_mu)->name);
diff -Nru atheme-services-7.2.7/NEWS.md atheme-services-7.2.9/NEWS.md
--- atheme-services-7.2.7/NEWS.md 2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/NEWS.md 2017-02-12 09:58:54.000000000 -0500
@@ -1,3 +1,18 @@
+Atheme Services 7.2.9 Release Notes
+===================================
+
+This is a security release fixing use after free that could potentially be abused
+by an attacker already having the privilege to use SASL impersonation to cause a
+denial of service. Users of 7.2.8 should update to version 7.2.9; older releases
+are not affected.
+
+Atheme Services 7.2.8 Release Notes
+===================================
+
+This is a security release fixing a memory leak that could potentially be abused
+by attackers to cause a denial of service. Users of Atheme 7.2.7 should update to
+version 7.2.8; older releases are not affected.
+
Atheme Services 7.2.7 Release Notes
===================================
Reply to: