From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [PR PATCH] cyrus-sasl, libsasl: fix CVE 2019-19906
Date: Fri, 09 Jul 2021 20:13:34 +0200 [thread overview]
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-31873@inbox.vuxu.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 1608 bytes --]
There is a new pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages CVE-2019-19906
https://github.com/void-linux/void-packages/pull/31873
cyrus-sasl, libsasl: fix CVE 2019-19906
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [x] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/31873.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-CVE-2019-19906-31873.patch --]
[-- Type: text/x-diff, Size: 2290 bytes --]
From 5cb00f77810dcf5eb596019ec3a19c85b7b81368 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Mon, 5 Jul 2021 00:53:15 +0200
Subject: [PATCH 1/2] libsasl: fix CVE-2019-19906
---
srcpkgs/libsasl/patches/CVE-2019-19906.patch | 15 +++++++++++++++
srcpkgs/libsasl/template | 2 +-
2 files changed, 16 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libsasl/patches/CVE-2019-19906.patch
diff --git a/srcpkgs/libsasl/patches/CVE-2019-19906.patch b/srcpkgs/libsasl/patches/CVE-2019-19906.patch
new file mode 100644
index 000000000000..f7edb521e89f
--- /dev/null
+++ b/srcpkgs/libsasl/patches/CVE-2019-19906.patch
@@ -0,0 +1,15 @@
+https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+diff --git a/lib/common.c b/lib/common.c
+index bc3bf1df..9969d6aa 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
diff --git a/srcpkgs/libsasl/template b/srcpkgs/libsasl/template
index b9dbe7bc2f86..a8817042f843 100644
--- a/srcpkgs/libsasl/template
+++ b/srcpkgs/libsasl/template
@@ -1,7 +1,7 @@
# Template file for 'libsasl'
pkgname=libsasl
version=2.1.27
-revision=1
+revision=2
wrksrc="cyrus-sasl-${version}"
build_style=gnu-configure
configure_args="--enable-cram --enable-digest --enable-auth-sasldb
From a448b5d45d7c51c887088c71f39cdceca91c1739 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Mon, 5 Jul 2021 00:53:23 +0200
Subject: [PATCH 2/2] cyrus-sasl: revbump for CVE-2019-19906
---
srcpkgs/cyrus-sasl/template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/srcpkgs/cyrus-sasl/template b/srcpkgs/cyrus-sasl/template
index 32bcc8ebc6ba..b259152139fd 100644
--- a/srcpkgs/cyrus-sasl/template
+++ b/srcpkgs/cyrus-sasl/template
@@ -1,7 +1,7 @@
# Template file for 'cyrus-sasl'
pkgname=cyrus-sasl
version=2.1.27
-revision=8
+revision=9
build_style=gnu-configure
configure_args="--disable-static --enable-shared --enable-checkapop
--enable-cram --enable-digest --disable-otp --disable-srp
next reply other threads:[~2021-07-09 18:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-09 18:13 paper42 [this message]
2021-07-09 18:24 ` ericonr
2021-07-09 19:59 ` paper42
2021-07-09 20:47 ` [PR PATCH] [Merged]: " ericonr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-31873@inbox.vuxu.org \
--to=paper42@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).