* [PR PATCH] cyrus-sasl, libsasl: fix CVE 2019-19906
@ 2021-07-09 18:13 paper42
2021-07-09 18:24 ` ericonr
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: paper42 @ 2021-07-09 18:13 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1608 bytes --]
There is a new pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages CVE-2019-19906
https://github.com/void-linux/void-packages/pull/31873
cyrus-sasl, libsasl: fix CVE 2019-19906
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [x] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/31873.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-CVE-2019-19906-31873.patch --]
[-- Type: text/x-diff, Size: 2290 bytes --]
From 5cb00f77810dcf5eb596019ec3a19c85b7b81368 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Mon, 5 Jul 2021 00:53:15 +0200
Subject: [PATCH 1/2] libsasl: fix CVE-2019-19906
---
srcpkgs/libsasl/patches/CVE-2019-19906.patch | 15 +++++++++++++++
srcpkgs/libsasl/template | 2 +-
2 files changed, 16 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/libsasl/patches/CVE-2019-19906.patch
diff --git a/srcpkgs/libsasl/patches/CVE-2019-19906.patch b/srcpkgs/libsasl/patches/CVE-2019-19906.patch
new file mode 100644
index 000000000000..f7edb521e89f
--- /dev/null
+++ b/srcpkgs/libsasl/patches/CVE-2019-19906.patch
@@ -0,0 +1,15 @@
+https://github.com/cyrusimap/cyrus-sasl/issues/587
+
+diff --git a/lib/common.c b/lib/common.c
+index bc3bf1df..9969d6aa 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+
+ if (add==NULL) add = "(null)";
+
+- addlen=strlen(add); /* only compute once */
++ addlen=strlen(add)+1; /* only compute once */
+ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+ return SASL_NOMEM;
+
diff --git a/srcpkgs/libsasl/template b/srcpkgs/libsasl/template
index b9dbe7bc2f86..a8817042f843 100644
--- a/srcpkgs/libsasl/template
+++ b/srcpkgs/libsasl/template
@@ -1,7 +1,7 @@
# Template file for 'libsasl'
pkgname=libsasl
version=2.1.27
-revision=1
+revision=2
wrksrc="cyrus-sasl-${version}"
build_style=gnu-configure
configure_args="--enable-cram --enable-digest --enable-auth-sasldb
From a448b5d45d7c51c887088c71f39cdceca91c1739 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Mon, 5 Jul 2021 00:53:23 +0200
Subject: [PATCH 2/2] cyrus-sasl: revbump for CVE-2019-19906
---
srcpkgs/cyrus-sasl/template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/srcpkgs/cyrus-sasl/template b/srcpkgs/cyrus-sasl/template
index 32bcc8ebc6ba..b259152139fd 100644
--- a/srcpkgs/cyrus-sasl/template
+++ b/srcpkgs/cyrus-sasl/template
@@ -1,7 +1,7 @@
# Template file for 'cyrus-sasl'
pkgname=cyrus-sasl
version=2.1.27
-revision=8
+revision=9
build_style=gnu-configure
configure_args="--disable-static --enable-shared --enable-checkapop
--enable-cram --enable-digest --disable-otp --disable-srp
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: cyrus-sasl, libsasl: fix CVE 2019-19906
2021-07-09 18:13 [PR PATCH] cyrus-sasl, libsasl: fix CVE 2019-19906 paper42
@ 2021-07-09 18:24 ` ericonr
2021-07-09 19:59 ` paper42
2021-07-09 20:47 ` [PR PATCH] [Merged]: " ericonr
2 siblings, 0 replies; 4+ messages in thread
From: ericonr @ 2021-07-09 18:24 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 170 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/pull/31873#issuecomment-877375018
Comment:
Why is the revbump necessary?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: cyrus-sasl, libsasl: fix CVE 2019-19906
2021-07-09 18:13 [PR PATCH] cyrus-sasl, libsasl: fix CVE 2019-19906 paper42
2021-07-09 18:24 ` ericonr
@ 2021-07-09 19:59 ` paper42
2021-07-09 20:47 ` [PR PATCH] [Merged]: " ericonr
2 siblings, 0 replies; 4+ messages in thread
From: paper42 @ 2021-07-09 19:59 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 192 bytes --]
New comment by paper42 on void-packages repository
https://github.com/void-linux/void-packages/pull/31873#issuecomment-877424244
Comment:
cyrus-sasl/patches/ is a symlink to libsasl/patches
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PR PATCH] [Merged]: cyrus-sasl, libsasl: fix CVE 2019-19906
2021-07-09 18:13 [PR PATCH] cyrus-sasl, libsasl: fix CVE 2019-19906 paper42
2021-07-09 18:24 ` ericonr
2021-07-09 19:59 ` paper42
@ 2021-07-09 20:47 ` ericonr
2 siblings, 0 replies; 4+ messages in thread
From: ericonr @ 2021-07-09 20:47 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1450 bytes --]
There's a merged pull request on the void-packages repository
cyrus-sasl, libsasl: fix CVE 2019-19906
https://github.com/void-linux/void-packages/pull/31873
Description:
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [x] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-07-09 20:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-09 18:13 [PR PATCH] cyrus-sasl, libsasl: fix CVE 2019-19906 paper42
2021-07-09 18:24 ` ericonr
2021-07-09 19:59 ` paper42
2021-07-09 20:47 ` [PR PATCH] [Merged]: " ericonr
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).