
Bug#855595: marked as done (unblock: atheme-services/7.2.9)



Your message dated Tue, 28 Feb 2017 18:47:31 +0000
with message-id <E1cimo7-0003Sh-38@respighi.debian.org>
and subject line unblock atheme-services
has caused the Debian Bug report #855595,
regarding unblock: atheme-services/7.2.9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
855595: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855595
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package atheme-services

There is a security issue that was fixed in the upstream 7.2.8 package
(#855588), which introduced a new security issue, which was fixed in
the 7.2.9 package.

7.2.8, unfortunately, includes unrelated changes, most notably:

  * email templates: Fix leading whitespace
  * atheme.conf.example: better highlight the pbkdf2v2 crypto module
  * pbkdf2v2: make digest and rounds configurable at runtime
  * memoserv: let user know (on identify and /away) when their inbox is full
  * memoserv: unregister hooks when unloading

Those are small convenience fixes, some of which will make the
program cryptographically stronger for the lifetime of stretch. Others
are pure bugfixes...

I think it is worth shipping the latest upstream at this point, since
those changes are small. They also factor in two patches that I had to
include in the 7.2.7-1 upload to fix builds with OpenSSL 1.1, so it
actually reduces our difference with upstream.

Attached is the debdiff against 7.2.7-1 (stretch/sid).

unblock atheme-services/7.2.9

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru atheme-services-7.2.7/configure atheme-services-7.2.9/configure
--- atheme-services-7.2.7/configure	2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/configure	2017-02-12 10:02:49.000000000 -0500
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for atheme 7.2.7.
+# Generated by GNU Autoconf 2.69 for atheme 7.2.9.
 #
-# Report bugs to <https://github.com/atheme/atheme/issues>.
+# Report bugs to <https://github.com/atheme/atheme/issues/>.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -267,7 +267,7 @@
     $as_echo "$0: be upgraded to zsh 4.3.4 or later."
   else
     $as_echo "$0: Please tell bug-autoconf@gnu.org and
-$0: https://github.com/atheme/atheme/issues about your
+$0: https://github.com/atheme/atheme/issues/ about your
 $0: system, including any error possibly output before this
 $0: message. Then install a modern shell, or manually run
 $0: the script under such a shell if you do have one."
@@ -580,9 +580,9 @@
 # Identity of this package.
 PACKAGE_NAME='atheme'
 PACKAGE_TARNAME='atheme'
-PACKAGE_VERSION='7.2.7'
-PACKAGE_STRING='atheme 7.2.7'
-PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues'
+PACKAGE_VERSION='7.2.9'
+PACKAGE_STRING='atheme 7.2.9'
+PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues/'
 PACKAGE_URL=''
 
 ac_default_prefix=~/atheme
@@ -1341,7 +1341,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures atheme 7.2.7 to adapt to many kinds of systems.
+\`configure' configures atheme 7.2.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1406,7 +1406,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of atheme 7.2.7:";;
+     short | recursive ) echo "Configuration of atheme 7.2.9:";;
    esac
   cat <<\_ACEOF
 
@@ -1466,7 +1466,7 @@
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <https://github.com/atheme/atheme/issues>.
+Report bugs to <https://github.com/atheme/atheme/issues/>.
 _ACEOF
 ac_status=$?
 fi
@@ -1529,7 +1529,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-atheme configure 7.2.7
+atheme configure 7.2.9
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1688,9 +1688,9 @@
 $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ------------------------------------------------------ ##
-## Report this to https://github.com/atheme/atheme/issues ##
-## ------------------------------------------------------ ##"
+( $as_echo "## ------------------------------------------------------- ##
+## Report this to https://github.com/atheme/atheme/issues/ ##
+## ------------------------------------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
@@ -2038,7 +2038,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by atheme $as_me 7.2.7, which was
+It was created by atheme $as_me 7.2.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4831,7 +4831,7 @@
 
 PACKAGE=atheme
 
-VERSION=7.2.7
+VERSION=7.2.9
 
 
 
@@ -10462,7 +10462,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by atheme $as_me 7.2.7, which was
+This file was extended by atheme $as_me 7.2.9, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10522,13 +10522,13 @@
 Configuration commands:
 $config_commands
 
-Report bugs to <https://github.com/atheme/atheme/issues>."
+Report bugs to <https://github.com/atheme/atheme/issues/>."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-atheme config.status 7.2.7
+atheme config.status 7.2.9
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru atheme-services-7.2.7/configure.ac atheme-services-7.2.9/configure.ac
--- atheme-services-7.2.7/configure.ac	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/configure.ac	2017-02-12 09:58:54.000000000 -0500
@@ -7,7 +7,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT(atheme, 7.2.7, [https://github.com/atheme/atheme/issues])
+AC_INIT(atheme, 7.2.9, [https://github.com/atheme/atheme/issues/])
 
 AC_CONFIG_AUX_DIR(autoconf)
 
diff -Nru atheme-services-7.2.7/debian/changelog atheme-services-7.2.9/debian/changelog
--- atheme-services-7.2.7/debian/changelog	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/changelog	2017-02-07 21:01:27.000000000 -0500
@@ -1,3 +1,23 @@
+atheme-services (7.2.9-1) unstable; urgency=medium
+
+  * new upstream release (7.2.8) fixing security issue "saslserv/main: free
+    sasl_sourceinfo_t after use" see:
+    https://github.com/atheme/atheme/pull/539
+  * new upstream release (7.2.9) fixing security issue introduced in
+    7.2.8: "Fix use after free during impersonation" (Closes: #855588)
+  * remove two OpenSSL 1.1 patches merged upstream
+
+  [ Jos Ahrens ]
+  * email templates: Fix leading whitespace
+
+  [ Aaron Jones ]
+  * atheme.conf.example: better highlight the pbkdf2v2 crypto module
+  * pbkdf2v2: make digest and rounds configurable at runtime
+  * memoserv: let user know (on identify and /away) when their inbox is full
+  * memoserv: unregister hooks when unloading
+
+ -- Antoine Beaupré <anarcat@debian.org>  Tue, 07 Feb 2017 21:01:27 -0500
+
 atheme-services (7.2.7-1) unstable; urgency=medium
 
   * new upstream release
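Review bot: the two security bullets in the 7.2.9-1 entry identify the issues only by an upstream pull request URL and by #855588; if a CVE id has been assigned to either use-after-free, add it to the corresponding bullet so that stretch's changelog and the security tracker can be cross-referenced, and put the "see:" URL on the same bullet style as the rest (the line break before "sasl_sourceinfo_t after use" currently splits a quoted commit title across two lines). The third bullet, "remove two OpenSSL 1.1 patches merged upstream", matches the deletions from debian/patches/series later in this debdiff.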
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-5480943.patch	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-5480943.patch	1969-12-31 19:00:00.000000000 -0500
@@ -1,82 +0,0 @@
-From 54809431abc683e43f58306e622db4ba65efcbeb Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjones@gmail.com>
-Date: Wed, 16 Nov 2016 08:21:32 +0000
-Subject: [PATCH] pbkdf2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-Fixes #528
----
- modules/crypto/pbkdf2.c | 59 -------------------------------------------------
- 1 file changed, 59 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2.c b/modules/crypto/pbkdf2.c
-index 2c39bf2..82df9e6 100644
---- a/modules/crypto/pbkdf2.c
-+++ b/modules/crypto/pbkdf2.c
-@@ -31,65 +31,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2", false, _modinit, _moddeinit, PACKAGE_VERSION,
- #define ROUNDS		(128000)
- #define SALTLEN		(16)
- 
--/* This is an implementation of PKCS#5 v2.0 password based encryption key
-- * derivation function PBKDF2.
-- * SHA1 version verified against test vectors posted by Peter Gutmann
-- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
--			   const unsigned char *salt, int saltlen, int iter,
--			   const EVP_MD *digest,
--			   int keylen, unsigned char *out)
--{
--	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
--	int cplen, j, k, tkeylen, mdlen;
--	unsigned long i = 1;
--	HMAC_CTX hctx;
--
--	mdlen = EVP_MD_size(digest);
--
--	HMAC_CTX_init(&hctx);
--	p = out;
--	tkeylen = keylen;
--	if(!pass)
--		passlen = 0;
--	else if(passlen == -1)
--		passlen = strlen(pass);
--	while(tkeylen)
--	{
--		if(tkeylen > mdlen)
--			cplen = mdlen;
--		else
--			cplen = tkeylen;
--		/* We are unlikely to ever use more than 256 blocks (5120 bits!)
--		 * but just in case...
--		 */
--		itmp[0] = (unsigned char)((i >> 24) & 0xff);
--		itmp[1] = (unsigned char)((i >> 16) & 0xff);
--		itmp[2] = (unsigned char)((i >> 8) & 0xff);
--		itmp[3] = (unsigned char)(i & 0xff);
--		HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
--		HMAC_Update(&hctx, salt, saltlen);
--		HMAC_Update(&hctx, itmp, 4);
--		HMAC_Final(&hctx, digtmp, NULL);
--		memcpy(p, digtmp, cplen);
--		for(j = 1; j < iter; j++)
--		{
--			HMAC(digest, pass, passlen,
--				 digtmp, mdlen, digtmp, NULL);
--			for(k = 0; k < cplen; k++)
--				p[k] ^= digtmp[k];
--		}
--		tkeylen-= cplen;
--		i++;
--		p+= cplen;
--	}
--	HMAC_CTX_cleanup(&hctx);
--	return 1;
--}
--
--/*******************************************************************************************/
--
- static const char *pbkdf2_salt(void)
- {
- 	static char buf[SALTLEN + 1];
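Review bot: dropping debian/patches/openssl-1.1.0-5480943.patch is safe because the identical 59-line deletion of the local PKCS5_PBKDF2_HMAC reimplementation appears in upstream's modules/crypto/pbkdf2.c in this same debdiff, so the 7.2.9 tarball already contains what the patch did; the removed fallback also defined a non-static PKCS5_PBKDF2_HMAC that collided with the symbol OpenSSL exports, which is why it could not build against 1.1. The matching entry is removed from debian/patches/series below, so nothing references the deleted file.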
diff -Nru atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch
--- atheme-services-7.2.7/debian/patches/openssl-1.1.0-b04f18e.patch	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/openssl-1.1.0-b04f18e.patch	1969-12-31 19:00:00.000000000 -0500
@@ -1,80 +0,0 @@
-From b04f18e7d7410797d9c043b0944d715a522465c6 Mon Sep 17 00:00:00 2001
-From: Aaron Jones <aaronmdjones@gmail.com>
-Date: Wed, 16 Nov 2016 14:31:16 +0000
-Subject: [PATCH] pbkdf2v2: remove obsolete compatibility function
-
-All modern supported versions of OpenSSL provide this function
-
-c.f. issue #528
----
- modules/crypto/pbkdf2v2.c | 57 -----------------------------------------------
- 1 file changed, 57 deletions(-)
-
-diff --git a/modules/crypto/pbkdf2v2.c b/modules/crypto/pbkdf2v2.c
-index 940281d..289e841 100644
---- a/modules/crypto/pbkdf2v2.c
-+++ b/modules/crypto/pbkdf2v2.c
-@@ -50,63 +50,6 @@ DECLARE_MODULE_V1("crypto/pbkdf2v2", false, _modinit, _moddeinit,
- static const char salt_chars[62] =
- 	"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
- 
--/*
-- * This equivalent implementation provided incase the user doesn't
-- * have a new enough OpenSSL library installed on their machine
-- */
--int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
--                      const unsigned char *salt, int sl,
--                      int iter, const EVP_MD *PRF,
--                      int dkLen, unsigned char *out)
--{
--	if (! pass)
--		pl = 0;
--
--	if (pass && pl < 0)
--		pl = strlen(pass);
--
--	int tkLen = dkLen;
--	int mdLen = EVP_MD_size(PRF);
--	unsigned char *p = out;
--	unsigned long i = 1;
--
--	HMAC_CTX hctx;
--	HMAC_CTX_init(&hctx);
--
--	while (tkLen) {
--
--		unsigned char itmp[4];
--		itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
--		itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
--		itmp[2] = (unsigned char) ((i >>  8) & 0xFF);
--		itmp[3] = (unsigned char) ((i >>  0) & 0xFF);
--		i++;
--
--		unsigned char digtmp[EVP_MAX_MD_SIZE];
--		HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
--		HMAC_Update(&hctx, salt, sl);
--		HMAC_Update(&hctx, itmp, 4);
--		HMAC_Final(&hctx, digtmp, NULL);
--
--		int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
--		memcpy(p, digtmp, cpLen);
--
--		int j, k;
--		for (j = 1; j < iter; j++) {
--			HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
--			for (k = 0; k < cpLen; k++)
--				p[k] ^= digtmp[k];
--		}
--
--		tkLen -= cpLen;
--		p += cpLen;
--	}
--
--	HMAC_CTX_cleanup(&hctx);
--
--	return 1;
--}
--
- static const char *pbkdf2v2_make_salt(void)
- {
- 	char		salt[PBKDF2_SALTLEN + 1];
diff -Nru atheme-services-7.2.7/debian/patches/series atheme-services-7.2.9/debian/patches/series
--- atheme-services-7.2.7/debian/patches/series	2016-11-16 09:59:17.000000000 -0500
+++ atheme-services-7.2.9/debian/patches/series	2017-02-07 21:01:27.000000000 -0500
@@ -1,4 +1,2 @@
-openssl-1.1.0-b04f18e.patch
 ecdsakeygen-rename.patch
 dbverify-path-769145.patch
-openssl-1.1.0-5480943.patch
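Review bot: series now lists only ecdsakeygen-rename.patch and dbverify-path-769145.patch, which is consistent with the two patch files deleted above; since the upstream tree moved from 7.2.7 to 7.2.9, please confirm in the upload that those two remaining patches still apply without fuzz, as their context lines may have shifted.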
diff -Nru atheme-services-7.2.7/dist/atheme.conf.example atheme-services-7.2.9/dist/atheme.conf.example
--- atheme-services-7.2.7/dist/atheme.conf.example	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/dist/atheme.conf.example	2017-02-12 09:58:54.000000000 -0500
@@ -107,8 +107,8 @@
  *
  * The following crypto modules are available:
  *
- * PBKDF2 cryptography (new)                    modules/crypto/pbkdf2v2
- * PBKDF2 cryptography (old)                    modules/crypto/pbkdf2
+ * PBKDF2 cryptography (new, recommended)       modules/crypto/pbkdf2v2
+ * PBKDF2 cryptography (old, compatibility)     modules/crypto/pbkdf2
  * POSIX-style crypt(3)                         modules/crypto/posix
  * IRCServices (also Anope etc) compatibility   modules/crypto/ircservices
  * Raw MD5 (Anope compatibility)                modules/crypto/rawmd5
@@ -126,6 +126,7 @@
  *
  * The rawsha1 and pbkdf2/pbkdf2v2 modules require OpenSSL.
  */
+#loadmodule "modules/crypto/pbkdf2v2";
 loadmodule "modules/crypto/posix";
 
 /* Authentication module.
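Review bot: the new pbkdf2v2 line is added commented out and crypto/posix stays as the active loadmodule, so an unchanged atheme.conf on an upgraded stretch system behaves exactly as before; that is the right choice for a freeze exception. It would help operators to add to the comment block above that the pbkdf2v2{} block introduced further down in this file is only consulted when modules/crypto/pbkdf2v2 is actually loaded.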
@@ -803,6 +804,27 @@
  * SERVICES RUNTIME CONFIGURATION SECTION.                                    *
  ******************************************************************************/
 
+/*
+ * If you are using the crypto/pbkdf2v2 module, you may wish to edit this block
+ *
+ * It is recommended to either leave the values at the defaults, or experiment
+ * with them so that it takes approximately 1 second for users to identify.
+ */
+pbkdf2v2 {
+
+	/* digest
+	 * Valid values are "SHA256" and "SHA512"
+	 * The default is "SHA512"
+	 */
+	#digest = "SHA512";
+
+	/* rounds
+	 * Valid values are 10000 to 5000000 (inclusive)
+	 * The default is 64000
+	 */
+	#rounds = 64000;
+};
+
 /* The serverinfo{} block defines how we appear on the IRC network. */
 serverinfo {
 	/* name
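Review bot: the documented ranges match the code, with "SHA256"/"SHA512" mapping to the 5/6 identifiers in c_ci_pbkdf2v2_digest and 10000..5000000 with default 64000 matching PBKDF2_C_MIN/PBKDF2_C_MAX/PBKDF2_C_DEF in modules/crypto/pbkdf2v2.c. The comment should also state the consequence of changing either value: existing hashes remain verifiable, but pbkdf2v2_needs_param_upgrade reports every hash whose stored digest or rounds differ from the configured ones as needing an upgrade, and lowering rounds below the previous fixed 64000 makes newly stored hashes cheaper to attack; the "approximately 1 second" guidance is a good anchor and should be kept.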
diff -Nru atheme-services-7.2.7/email/default/register atheme-services-7.2.9/email/default/register
--- atheme-services-7.2.7/email/default/register	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/register	2017-02-12 09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
 In order to complete your account registration, you must type the following
 command on IRC:
 
-   /msg &nicksvs& VERIFY REGISTER &accountname& &param&
+/msg &nicksvs& VERIFY REGISTER &accountname& &param&
 
 Thank you for registering your account on the &netname& IRC network!
 
diff -Nru atheme-services-7.2.7/email/default/setemail atheme-services-7.2.9/email/default/setemail
--- atheme-services-7.2.7/email/default/setemail	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setemail	2017-02-12 09:58:54.000000000 -0500
@@ -9,7 +9,7 @@
 In order to complete the e-mail address change, you must verify your new
 e-mail address by issuing the following command on IRC:
 
-   /msg &nicksvs& VERIFY EMAILCHG &accountname& &param&
+/msg &nicksvs& VERIFY EMAILCHG &accountname& &param&
 
 Thank you for updating your e-mail address on file with the &netname&
 IRC network!
diff -Nru atheme-services-7.2.7/email/default/setpass atheme-services-7.2.9/email/default/setpass
--- atheme-services-7.2.7/email/default/setpass	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/email/default/setpass	2017-02-12 09:58:54.000000000 -0500
@@ -14,7 +14,7 @@
 In order to set a new password, you must send the following command
 on IRC, where <password> is the new password you wish to set.
 
-   /msg &nicksvs& SETPASS &accountname& &param& <password>
+/msg &nicksvs& SETPASS &accountname& &param& <password>
 
 --
 If this message is unsolicited, please contact &replyto&
diff -Nru atheme-services-7.2.7/include/serno.h atheme-services-7.2.9/include/serno.h
--- atheme-services-7.2.7/include/serno.h	2016-10-08 12:58:57.000000000 -0400
+++ atheme-services-7.2.9/include/serno.h	2017-02-12 10:02:49.000000000 -0500
@@ -1,2 +1,2 @@
 /* Generated automatically by makepackage. Any changes made here will be lost. */
-#define SERNO "ddc1fd73ee114b0f6d7a714db22c51c23c719b6e"
+#define SERNO "4db7745cc39e835c6bd00ad9fac6a8c9b71fabaa"
diff -Nru atheme-services-7.2.7/include/sysconf.h.in~ atheme-services-7.2.9/include/sysconf.h.in~
--- atheme-services-7.2.7/include/sysconf.h.in~	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/include/sysconf.h.in~	1969-12-31 19:00:00.000000000 -0500
@@ -1,290 +0,0 @@
-/* include/sysconf.h.in.  Generated from configure.ac by autoheader.  */
-
-/* Define if building universal (internal helper macro) */
-#undef AC_APPLE_UNIVERSAL_BUILD
-
-/* Define to 1 if translation of program messages to the user's native
-   language is requested. */
-#undef ENABLE_NLS
-
-/* Define to 1 if you have the `arc4random' function. */
-#undef HAVE_ARC4RANDOM
-
-/* Define to 1 if you have the `arc4random_buf' function. */
-#undef HAVE_ARC4RANDOM_BUF
-
-/* Define to 1 if you have the `arc4random_uniform' function. */
-#undef HAVE_ARC4RANDOM_UNIFORM
-
-/* Define to 1 if you have the `asprintf' function. */
-#undef HAVE_ASPRINTF
-
-/* Define if crypt() is available */
-#undef HAVE_CRYPT
-
-/* Define if the GNU dcgettext() function is already present or preinstalled.
-   */
-#undef HAVE_DCGETTEXT
-
-/* Define to 1 if you have the `execve' function. */
-#undef HAVE_EXECVE
-
-/* Define to 1 if you have the `explicit_bzero' function. */
-#undef HAVE_EXPLICIT_BZERO
-
-/* Define to 1 if you have the `fork' function. */
-#undef HAVE_FORK
-
-/* Define to 1 if you have the `getpid' function. */
-#undef HAVE_GETPID
-
-/* Define to 1 if you have the `getrlimit' function. */
-#undef HAVE_GETRLIMIT
-
-/* Define if the GNU gettext() function is already present or preinstalled. */
-#undef HAVE_GETTEXT
-
-/* Define to 1 if you have the `gettimeofday' function. */
-#undef HAVE_GETTIMEOFDAY
-
-/* Define if you have the iconv() function. */
-#undef HAVE_ICONV
-
-/* Define to 1 if you have the `inet_ntop' function. */
-#undef HAVE_INET_NTOP
-
-/* Define to 1 if you have the `inet_pton' function. */
-#undef HAVE_INET_PTON
-
-/* Define to 1 if the system has the type `intmax_t'. */
-#undef HAVE_INTMAX_T
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-#undef HAVE_LIBNSL
-
-/* Define to 1 if libqrencode is available */
-#undef HAVE_LIBQRENCODE
-
-/* Define to 1 if you have the `socket' library (-lsocket). */
-#undef HAVE_LIBSOCKET
-
-/* Define to 1 if you have the <link.h> header file. */
-#undef HAVE_LINK_H
-
-/* Define to 1 if you have the `localeconv' function. */
-#undef HAVE_LOCALECONV
-
-/* Define to 1 if you have the <locale.h> header file. */
-#undef HAVE_LOCALE_H
-
-/* Define to 1 if the system has the type `long double'. */
-#undef HAVE_LONG_DOUBLE
-
-/* Define to 1 if the system has the type 'long long int'. */
-#undef HAVE_LONG_LONG_INT
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the `memset_s' function. */
-#undef HAVE_MEMSET_S
-
-/* Define to 1 if openssl is available */
-#undef HAVE_OPENSSL
-
-/* Define to 1 if you have the <openssl/ec.h> header file. */
-#undef HAVE_OPENSSL_EC_H
-
-/* Define to 1 if you have the <openssl/err.h> header file. */
-#undef HAVE_OPENSSL_ERR_H
-
-/* Define to 1 if you have the <openssl/ssl.h> header file. */
-#undef HAVE_OPENSSL_SSL_H
-
-/* Define if you want to use PCRE */
-#undef HAVE_PCRE
-
-/* Define to 1 if the system has the type `ptrdiff_t'. */
-#undef HAVE_PTRDIFF_T
-
-/* Define to 1 if you have a C99 compliant `snprintf' function. */
-#undef HAVE_SNPRINTF
-
-/* Define to 1 if you have the <stdarg.h> header file. */
-#undef HAVE_STDARG_H
-
-/* Define to 1 if you have the <stddef.h> header file. */
-#undef HAVE_STDDEF_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the `strcasestr' function. */
-#undef HAVE_STRCASESTR
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the `strtok_r' function. */
-#undef HAVE_STRTOK_R
-
-/* Define to 1 if `decimal_point' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_DECIMAL_POINT
-
-/* Define to 1 if `thousands_sep' is a member of `struct lconv'. */
-#undef HAVE_STRUCT_LCONV_THOUSANDS_SEP
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if the system has the type `uintmax_t'. */
-#undef HAVE_UINTMAX_T
-
-/* Define to 1 if the system has the type `uintptr_t'. */
-#undef HAVE_UINTPTR_T
-
-/* Define to 1 if you have the `umask' function. */
-#undef HAVE_UMASK
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if the system has the type 'unsigned long long int'. */
-#undef HAVE_UNSIGNED_LONG_LONG_INT
-
-/* Define to 1 if you have the <varargs.h> header file. */
-#undef HAVE_VARARGS_H
-
-/* Define to 1 if you have the `vasprintf' function. */
-#undef HAVE_VASPRINTF
-
-/* Define to 1 if you have the `va_copy' function or macro. */
-#undef HAVE_VA_COPY
-
-/* Define to 1 if you have a C99 compliant `vsnprintf' function. */
-#undef HAVE_VSNPRINTF
-
-/* Define to 1 if you have the `__va_copy' function or macro. */
-#undef HAVE___VA_COPY
-
-/* Uncomment to enable reproducible builds. */
-#undef REPRODUCIBLE_BUILDS
-
-/* Uncomment to enable large network support. */
-#undef LARGE_NETWORK
-
-/* Name of package */
-#undef PACKAGE
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Enable extensions on AIX 3, Interix.  */
-#ifndef _ALL_SOURCE
-# undef _ALL_SOURCE
-#endif
-/* Enable GNU extensions on systems that have them.  */
-#ifndef _GNU_SOURCE
-# undef _GNU_SOURCE
-#endif
-/* Enable threading extensions on Solaris.  */
-#ifndef _POSIX_PTHREAD_SEMANTICS
-# undef _POSIX_PTHREAD_SEMANTICS
-#endif
-/* Enable extensions on HP NonStop.  */
-#ifndef _TANDEM_SOURCE
-# undef _TANDEM_SOURCE
-#endif
-/* Enable general extensions on Solaris.  */
-#ifndef __EXTENSIONS__
-# undef __EXTENSIONS__
-#endif
-
-
-/* Vendor and URL for modules's "vendor" field */
-#undef VENDOR_STRING
-
-/* Version number of package */
-#undef VERSION
-
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-   significant byte first (like Motorola and SPARC, unlike Intel). */
-#if defined AC_APPLE_UNIVERSAL_BUILD
-# if defined __BIG_ENDIAN__
-#  define WORDS_BIGENDIAN 1
-# endif
-#else
-# ifndef WORDS_BIGENDIAN
-#  undef WORDS_BIGENDIAN
-# endif
-#endif
-
-/* Define to 1 if on MINIX. */
-#undef _MINIX
-
-/* Define to 2 if the system does not provide POSIX.1 features except with
-   this defined. */
-#undef _POSIX_1_SOURCE
-
-/* Define to 1 if you need to in order for `stat' and other things to work. */
-#undef _POSIX_SOURCE
-
-/* Define to rpl_asprintf if the replacement function should be used. */
-#undef asprintf
-
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
-/* Define to the widest signed integer type if <stdint.h> and <inttypes.h> do
-   not define. */
-#undef intmax_t
-
-/* Define to `unsigned int' if <sys/types.h> does not define. */
-#undef size_t
-
-/* Define to rpl_snprintf if the replacement function should be used. */
-#undef snprintf
-
-/* Define to the widest unsigned integer type if <stdint.h> and <inttypes.h>
-   do not define. */
-#undef uintmax_t
-
-/* Define to the type of an unsigned integer type wide enough to hold a
-   pointer, if such a type exists, and if the system does not define it. */
-#undef uintptr_t
-
-/* Define to rpl_vasprintf if the replacement function should be used. */
-#undef vasprintf
-
-/* Define to rpl_vsnprintf if the replacement function should be used. */
-#undef vsnprintf
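Review bot: include/sysconf.h.in~ is an editor backup of a generated file that was shipped by mistake in the 7.2.7 tarball; its removal has no effect on the build or on any installed file, so these 290 deleted lines can be skipped when reviewing the functional parts of this debdiff.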
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2.c atheme-services-7.2.9/modules/crypto/pbkdf2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2.c	2017-02-12 09:58:54.000000000 -0500
@@ -31,65 +31,6 @@
 #define ROUNDS		(128000)
 #define SALTLEN		(16)
 
-/* This is an implementation of PKCS#5 v2.0 password based encryption key
- * derivation function PBKDF2.
- * SHA1 version verified against test vectors posted by Peter Gutmann
- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
-			   const unsigned char *salt, int saltlen, int iter,
-			   const EVP_MD *digest,
-			   int keylen, unsigned char *out)
-{
-	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
-	int cplen, j, k, tkeylen, mdlen;
-	unsigned long i = 1;
-	HMAC_CTX hctx;
-
-	mdlen = EVP_MD_size(digest);
-
-	HMAC_CTX_init(&hctx);
-	p = out;
-	tkeylen = keylen;
-	if(!pass)
-		passlen = 0;
-	else if(passlen == -1)
-		passlen = strlen(pass);
-	while(tkeylen)
-	{
-		if(tkeylen > mdlen)
-			cplen = mdlen;
-		else
-			cplen = tkeylen;
-		/* We are unlikely to ever use more than 256 blocks (5120 bits!)
-		 * but just in case...
-		 */
-		itmp[0] = (unsigned char)((i >> 24) & 0xff);
-		itmp[1] = (unsigned char)((i >> 16) & 0xff);
-		itmp[2] = (unsigned char)((i >> 8) & 0xff);
-		itmp[3] = (unsigned char)(i & 0xff);
-		HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
-		HMAC_Update(&hctx, salt, saltlen);
-		HMAC_Update(&hctx, itmp, 4);
-		HMAC_Final(&hctx, digtmp, NULL);
-		memcpy(p, digtmp, cplen);
-		for(j = 1; j < iter; j++)
-		{
-			HMAC(digest, pass, passlen,
-				 digtmp, mdlen, digtmp, NULL);
-			for(k = 0; k < cplen; k++)
-				p[k] ^= digtmp[k];
-		}
-		tkeylen-= cplen;
-		i++;
-		p+= cplen;
-	}
-	HMAC_CTX_cleanup(&hctx);
-	return 1;
-}
-
-/*******************************************************************************************/
-
 static const char *pbkdf2_salt(void)
 {
 	static char buf[SALTLEN + 1];
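Review bot: this deletion is the upstream form of the dropped debian/patches/openssl-1.1.0-5480943.patch (the same 59 lines), so the package and upstream are back in sync. The removed fallback kept an HMAC_CTX on the stack and used HMAC_CTX_init/HMAC_CTX_cleanup, which OpenSSL 1.1 no longer exposes because the context became opaque, and it shadowed the library's own PKCS5_PBKDF2_HMAC; relying on OpenSSL's implementation is the correct fix, and no replacement code is needed since the module's callers already used the standard signature.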
diff -Nru atheme-services-7.2.7/modules/crypto/pbkdf2v2.c atheme-services-7.2.9/modules/crypto/pbkdf2v2.c
--- atheme-services-7.2.7/modules/crypto/pbkdf2v2.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/crypto/pbkdf2v2.c	2017-02-12 09:58:54.000000000 -0500
@@ -28,13 +28,6 @@
 #include <openssl/evp.h>
 
 /*
- * You can change the 2 values below without invalidating old hashes
- */
-
-#define PBKDF2_PRF_DEF		6
-#define PBKDF2_ITER_DEF		64000
-
-/*
  * Do not change anything below this line unless you know what you are doing,
  * AND how it will (possibly) break backward-, forward-, or cross-compatibility
  *
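Review bot: the removed comment "You can change the 2 values below without invalidating old hashes" documents an invariant that still holds after the values move to runtime configuration in the next hunk, but it no longer appears anywhere in the source; carry it over as a comment on pbkdf2v2_digest and pbkdf2v2_rounds so the next person editing the module knows that those two values are the only ones safe to change without breaking existing password hashes.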
@@ -47,65 +40,15 @@
 #define PBKDF2_F_SALT		"$z$%u$%u$%s$"
 #define PBKDF2_F_PRINT		"$z$%u$%u$%s$%s"
 
+#define PBKDF2_C_MIN		10000
+#define PBKDF2_C_MAX		5000000
+#define PBKDF2_C_DEF		64000
+
 static const char salt_chars[62] =
 	"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
 
-/*
- * This equivalent implementation provided incase the user doesn't
- * have a new enough OpenSSL library installed on their machine
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
-                      const unsigned char *salt, int sl,
-                      int iter, const EVP_MD *PRF,
-                      int dkLen, unsigned char *out)
-{
-	if (! pass)
-		pl = 0;
-
-	if (pass && pl < 0)
-		pl = strlen(pass);
-
-	int tkLen = dkLen;
-	int mdLen = EVP_MD_size(PRF);
-	unsigned char *p = out;
-	unsigned long i = 1;
-
-	HMAC_CTX hctx;
-	HMAC_CTX_init(&hctx);
-
-	while (tkLen) {
-
-		unsigned char itmp[4];
-		itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
-		itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
-		itmp[2] = (unsigned char) ((i >>  8) & 0xFF);
-		itmp[3] = (unsigned char) ((i >>  0) & 0xFF);
-		i++;
-
-		unsigned char digtmp[EVP_MAX_MD_SIZE];
-		HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
-		HMAC_Update(&hctx, salt, sl);
-		HMAC_Update(&hctx, itmp, 4);
-		HMAC_Final(&hctx, digtmp, NULL);
-
-		int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
-		memcpy(p, digtmp, cpLen);
-
-		int j, k;
-		for (j = 1; j < iter; j++) {
-			HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
-			for (k = 0; k < cpLen; k++)
-				p[k] ^= digtmp[k];
-		}
-
-		tkLen -= cpLen;
-		p += cpLen;
-	}
-
-	HMAC_CTX_cleanup(&hctx);
-
-	return 1;
-}
+static unsigned int pbkdf2v2_digest = 6; /* SHA512 */
+static unsigned int pbkdf2v2_rounds = PBKDF2_C_DEF;
 
 static const char *pbkdf2v2_make_salt(void)
 {
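Review bot: `pbkdf2v2_digest = 6; /* SHA512 */` hard-codes the PRF identifier that is also written into every hash through PBKDF2_F_SALT ("$z$%u$%u$%s$"), and the literals 5 and 6 recur in c_ci_pbkdf2v2_digest in the next hunk; give them names next to PBKDF2_C_MIN/PBKDF2_C_MAX/PBKDF2_C_DEF (for instance PBKDF2_PRF_SHA256 and PBKDF2_PRF_SHA512, names suggested here rather than taken from the tree) so the on-disk format and the config parser cannot drift apart. Otherwise the new defaults, digest 6 and PBKDF2_C_DEF 64000, reproduce the removed PBKDF2_PRF_DEF and PBKDF2_ITER_DEF exactly, so an unchanged configuration produces the same hashes as 7.2.7.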
@@ -119,7 +62,7 @@
 		salt[i] = salt_chars[arc4random() % sizeof salt_chars];
 
 	(void) snprintf(result, sizeof result, PBKDF2_F_SALT,
-	                PBKDF2_PRF_DEF, PBKDF2_ITER_DEF, salt);
+	                pbkdf2v2_digest, pbkdf2v2_rounds, salt);
 
 	return result;
 }
@@ -189,30 +132,59 @@
 	if (sscanf(user_pass_string, PBKDF2_F_SCAN, &prf, &iter, salt) < 3)
 		return 0;
 
-	if (prf != PBKDF2_PRF_DEF)
+	if (prf != pbkdf2v2_digest)
 		return 1;
 
-	if (iter != PBKDF2_ITER_DEF)
+	if (iter != pbkdf2v2_rounds)
 		return 1;
 
 	return 0;
 }
 
-static crypt_impl_t pbkdf2_crypt_impl = {
+static int c_ci_pbkdf2v2_digest(mowgli_config_file_entry_t *ce)
+{
+	if (ce->vardata == NULL)
+	{
+		conf_report_warning(ce, "no parameter for configuration option");
+		return 0;
+	}
+
+	if (!strcasecmp(ce->vardata, "SHA256"))
+		pbkdf2v2_digest = 5;
+	else if (!strcasecmp(ce->vardata, "SHA512"))
+		pbkdf2v2_digest = 6;
+	else
+		conf_report_warning(ce, "invalid parameter for configuration option");
+
+	return 0;
+}
+
+static crypt_impl_t pbkdf2v2_crypt_impl = {
 	.id = "pbkdf2v2",
 	.crypt = &pbkdf2v2_crypt,
 	.salt = &pbkdf2v2_make_salt,
 	.needs_param_upgrade = &pbkdf2v2_needs_param_upgrade,
 };
 
+static mowgli_list_t conf_pbkdf2v2_table;
+
 void _modinit(module_t* m)
 {
-	crypt_register(&pbkdf2_crypt_impl);
+	crypt_register(&pbkdf2v2_crypt_impl);
+
+	add_subblock_top_conf("PBKDF2V2", &conf_pbkdf2v2_table);
+	add_conf_item("DIGEST", &conf_pbkdf2v2_table, c_ci_pbkdf2v2_digest);
+	add_uint_conf_item("ROUNDS", &conf_pbkdf2v2_table, 0, &pbkdf2v2_rounds,
+	                             PBKDF2_C_MIN, PBKDF2_C_MAX, PBKDF2_C_DEF);
 }
 
 void _moddeinit(module_unload_intent_t intent)
 {
-	crypt_unregister(&pbkdf2_crypt_impl);
+	del_conf_item("DIGEST", &conf_pbkdf2v2_table);
+	del_conf_item("ROUNDS", &conf_pbkdf2v2_table);
+	del_top_conf("PBKDF2V2");
+
+	crypt_unregister(&pbkdf2v2_crypt_impl);
 }
 
-#endif
+#endif /* HAVE_OPENSSL */
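Review bot: `pbkdf2v2_needs_param_upgrade` returns 1 on any mismatch (`prf != pbkdf2v2_digest`, `iter != pbkdf2v2_rounds`), so an administrator who lowers ROUNDS or switches DIGEST from SHA512 to SHA256 will have existing stronger hashes silently re-hashed with the weaker parameters at the user's next login; if a downgrade is not intended, compare with `iter < pbkdf2v2_rounds` and treat a stronger stored digest as not needing an upgrade, otherwise document that the setting applies in both directions. In `c_ci_pbkdf2v2_digest` the value is left unchanged after the "invalid parameter" warning, which is the safe choice, but the function returns 0 on every path, so the caller cannot tell a rejected value from an accepted one; the same magic values 5 and 6 as the initializer appear here and would benefit from the shared named constants.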
diff -Nru atheme-services-7.2.7/modules/memoserv/main.c atheme-services-7.2.9/modules/memoserv/main.c
--- atheme-services-7.2.7/modules/memoserv/main.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/memoserv/main.c	2017-02-12 09:58:54.000000000 -0500
@@ -38,6 +38,9 @@
 
 void _moddeinit(module_unload_intent_t intent)
 {
+	hook_del_user_identify(on_user_identify);
+	hook_del_user_away(on_user_away);
+
         if (memosvs != NULL)
                 service_delete(memosvs);
 }
@@ -54,6 +57,11 @@
 		notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"),
 					ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
 	}
+	if (mu->memos.count >= maxmemos)
+	{
+		notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+		                                     "delete memos you no longer need."));
+	}
 }
 
 static void on_user_away(user_t *u)
@@ -80,6 +88,11 @@
 		notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"),
 					ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
 	}
+	if (mu->memos.count >= maxmemos)
+	{
+		notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+		                                     "delete memos you no longer need."));
+	}
 }
 
 /* vim:cinoptions=>s,e0,n0,f0,{0,}0,^0,=s,ps,t0,c3,+s,(2s,us,)20,*30,gs,hs
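Review bot: the five-line "Your memo inbox is full" block is copied verbatim into both `on_user_identify` and `on_user_away`; a small static helper taking `u` and `mu` would keep the two notices from drifting apart, and the `>=` comparison against `maxmemos` should match the condition the send path uses to reject a new memo so that the user is told the inbox is full exactly when a sender would be refused.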
diff -Nru atheme-services-7.2.7/modules/saslserv/main.c atheme-services-7.2.9/modules/saslserv/main.c
--- atheme-services-7.2.7/modules/saslserv/main.c	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/modules/saslserv/main.c	2017-02-12 09:58:54.000000000 -0500
@@ -609,6 +609,7 @@
 	req.mu = source_mu;
 	req.allowed = true;
 	hook_call_user_can_login(&req);
+	object_unref(req.si);
 	if (!req.allowed)
 	{
 		sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(source_mu)->name);
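Review bot: `object_unref(req.si)` leaves `req.si` as a dangling pointer inside a `req` struct that is still in scope and, as the impersonation block further down shows, is reused for a second `hook_call_user_can_login`; that stale pointer is what produced the use-after-free corrected in 7.2.9. Setting `req.si = NULL` immediately after the unref would turn any future reuse into a deterministic null dereference instead of a silent use of freed memory, and makes the later re-creation obviously required.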
@@ -645,9 +646,11 @@
 
 		sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "allowed IMPERSONATE by \2%s\2 to \2%s\2", entity(source_mu)->name, entity(target_mu)->name);
 
+		req.si = sasl_sourceinfo_create(p);
 		req.mu = target_mu;
 		req.allowed = true;
 		hook_call_user_can_login(&req);
+		object_unref(req.si);
 		if (!req.allowed)
 		{
 			sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(target_mu)->name);
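Review bot: the create/hook/unref sequence for `req.si` now appears twice in this function with the unref placed before the `if (!req.allowed)` check, which is correct since neither the early-return path nor the success path touches `req.si` afterwards; to keep the pairing from drifting in future edits, consider a small helper that creates the sourceinfo, calls the hook and unrefs it, returning `req.allowed`, so that both the plain and the IMPERSONATE login paths share the same lifetime handling.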
diff -Nru atheme-services-7.2.7/NEWS.md atheme-services-7.2.9/NEWS.md
--- atheme-services-7.2.7/NEWS.md	2016-10-08 10:58:00.000000000 -0400
+++ atheme-services-7.2.9/NEWS.md	2017-02-12 09:58:54.000000000 -0500
@@ -1,3 +1,18 @@
+Atheme Services 7.2.9 Release Notes
+===================================
+
+This is a security release fixing use after free that could potentially be abused
+by an attacker already having the privilege to use SASL impersonation to cause a
+denial of service. Users of 7.2.8 should update to version 7.2.9; older releases
+are not affected.
+
+Atheme Services 7.2.8 Release Notes
+===================================
+
+This is a security release fixing a memory leak that could potentially be abused
+by attackers to cause a denial of service. Users of Atheme 7.2.7 should update to
+version 7.2.8; older releases are not affected.
+
 Atheme Services 7.2.7 Release Notes
 ===================================
 
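Review bot: the 7.2.8 note says only "a memory leak" without naming the component, while the saslserv hunks in this diff show it is the per-login sourceinfo object in the SASL login path; naming the affected module and the condition under which the leak is reachable (any SASL authentication attempt, authenticated or not) would let administrators judge their exposure, and the 7.2.9 note would likewise benefit from stating that only the IMPERSONATE path is affected, which the diff confirms.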

--- End Message ---
--- Begin Message ---
Unblocked atheme-services.

--- End Message ---
