From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1132947-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 446D8138335
	for <garchives@archives.gentoo.org>; Mon, 23 Dec 2019 21:41:56 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 225BBE09E4;
	Mon, 23 Dec 2019 21:41:55 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id EA532E09DD
	for <gentoo-commits@lists.gentoo.org>; Mon, 23 Dec 2019 21:41:54 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id A2B6F34DB0A
	for <gentoo-commits@lists.gentoo.org>; Mon, 23 Dec 2019 21:41:53 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 168AA7B38B
	for <gentoo-commits@lists.gentoo.org>; Mon, 23 Dec 2019 21:41:52 +0000 (UTC)
From: "Thomas Deutschmann" <whissi@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Thomas Deutschmann" <whissi@gentoo.org>
Message-ID: <1577136894.ec41e92e4aec19aa605f5d410ba06cc86e7b48f0.whissi@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/cyrus-sasl/, dev-libs/cyrus-sasl/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch
X-VCS-Directories: dev-libs/cyrus-sasl/files/ dev-libs/cyrus-sasl/
X-VCS-Committer: whissi
X-VCS-Committer-Name: Thomas Deutschmann
X-VCS-Revision: ec41e92e4aec19aa605f5d410ba06cc86e7b48f0
X-VCS-Branch: master
Date: Mon, 23 Dec 2019 21:41:52 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 5ef9c621-2940-4463-b8c0-11c0af03419c
X-Archives-Hash: 24f4572e168e63024957517aec3c7692

commit:     ec41e92e4aec19aa605f5d410ba06cc86e7b48f0
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 23 21:34:38 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Dec 23 21:34:54 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec41e92e

dev-libs/cyrus-sasl: fix CVE-2019-19906

Bug: https://bugs.gentoo.org/703628
Package-Manager: Portage-2.3.82, Repoman-2.3.20
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild    | 259 +++++++++++++++++++++
 .../files/cyrus-sasl-2.1.27-CVE-2019-19906.patch   |  20 ++
 2 files changed, 279 insertions(+)

diff --git a/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
new file mode 100644
index 00000000000..25c41df746a
--- /dev/null
+++ b/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
@@ -0,0 +1,259 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd eapi7-ver
+
+SASLAUTHD_CONF_VER="2.1.26"
+
+DESCRIPTION="The Cyrus SASL (Simple Authentication and Security Layer)"
+HOMEPAGE="https://www.cyrusimap.org/sasl/"
+#SRC_URI="ftp://ftp.cyrusimap.org/cyrus-sasl/${P}.tar.gz"
+SRC_URI="https://github.com/cyrusimap/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="BSD-with-attribution"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="authdaemond berkdb gdbm kerberos ldapdb libressl openldap mysql pam postgres sample selinux sqlite srp ssl static-libs urandom"
+
+CDEPEND="
+	net-mail/mailbase
+	authdaemond? ( || ( net-mail/courier-imap mail-mta/courier ) )
+	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
+	gdbm? ( >=sys-libs/gdbm-1.10-r1:=[${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	mysql? ( dev-db/mysql-connector-c:0=[${MULTILIB_USEDEP}] )
+	pam? ( >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] )
+	postgres? ( dev-db/postgresql:* )
+	sqlite? ( >=dev-db/sqlite-3.8.2:3[${MULTILIB_USEDEP}] )
+	ssl? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl:=[${MULTILIB_USEDEP}] )
+	)
+	java? ( >=virtual/jdk-1.6:= )"
+
+REQUIRED_USE="ldapdb? ( openldap )"
+
+RDEPEND="
+	${CDEPEND}
+	selinux? ( sec-policy/selinux-sasl )"
+
+DEPEND="${CDEPEND}"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/sasl/md5global.h
+)
+
+PATCHES=(
+	"${FILESDIR}/${PN}-2.1.27-avoid_pic_overwrite.patch"
+	"${FILESDIR}/${PN}-2.1.27-autotools_fixes.patch"
+	"${FILESDIR}/${PN}-2.1.27-as_needed.patch"
+	"${FILESDIR}/${PN}-2.1.25-auxprop.patch"
+	"${FILESDIR}/${PN}-2.1.27-gss_c_nt_hostbased_service.patch"
+	"${FILESDIR}/${PN}-2.1.26-missing-size_t.patch"
+	"${FILESDIR}/${PN}-2.1.27-doc_build_fix.patch"
+	"${FILESDIR}/${PN}-2.1.27-memmem.patch"
+	"${FILESDIR}/${PN}-2.1.27-CVE-2019-19906.patch"
+)
+
+pkg_setup() {
+	java-pkg-opt-2_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	# Get rid of the -R switch (runpath_switch for Sun)
+	# >=gcc-4.6 errors out with unknown option
+	sed -i -e '/LIB_SQLITE.*-R/s/ -R[^"]*//' \
+		configure.ac || die
+
+	# Use plugindir for sasldir
+	sed -i '/^sasldir =/s:=.*:= $(plugindir):' \
+		"${S}"/plugins/Makefile.{am,in} || die "sed failed"
+
+	# #486740 #468556
+	sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:g' \
+		-e 's:AC_CONFIG_MACRO_DIR:AC_CONFIG_MACRO_DIRS:g' \
+		configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	append-flags -fno-strict-aliasing
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# getpassphrase is defined in /usr/include/stdlib.h
+		append-cppflags -DHAVE_GETPASSPHRASE
+	else
+		# this horrendously breaks things on Solaris
+		append-cppflags -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED -D_BSD_SOURCE -DLDAP_DEPRECATED
+	fi
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	# Java support.
+	multilib_is_native_abi && use java && export JAVAC="${JAVAC} ${JAVACFLAGS}"
+
+	local myeconfargs=(
+		--enable-login
+		--enable-ntlm
+		--enable-auth-sasldb
+		--disable-cmulocal
+		--disable-krb4
+		--disable-macos-framework
+		--enable-otp
+		--without-sqlite
+		--with-saslauthd="${EPREFIX}"/run/saslauthd
+		--with-pwcheck="${EPREFIX}"/run/saslauthd
+		--with-configdir="${EPREFIX}"/etc/sasl2
+		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sasl2
+		--with-dbpath="${EPREFIX}"/etc/sasl2/sasldb2
+		--with-sphinx-build=no
+		$(use_with ssl openssl)
+		$(use_with pam)
+		$(use_with openldap ldap)
+		$(use_enable ldapdb)
+		$(multilib_native_use_enable sample)
+		$(use_enable kerberos gssapi)
+		$(multilib_native_use_enable java)
+		$(multilib_native_use_with mysql mysql "${EPREFIX}"/usr)
+		$(multilib_native_use_with postgres pgsql "${EPREFIX}"/usr/$(get_libdir)/postgresql)
+		$(use_with sqlite sqlite3 "${EPREFIX}"/usr/$(get_libdir))
+		$(use_enable srp)
+		$(use_enable static-libs static)
+
+		# Add authdaemond support (bug #56523).
+		$(usex authdaemond --with-authdaemond="${EPREFIX}"/var/lib/courier/authdaemon/socket '')
+
+		# Fix for bug #59634.
+		$(usex ssl '' --without-des)
+
+		# Use /dev/urandom instead of /dev/random (bug #46038).
+		$(usex urandom --with-devrandom=/dev/urandom '')
+	)
+
+	if use sqlite || { multilib_is_native_abi && { use mysql || use postgres; }; } ; then
+		myeconfargs+=( --enable-sql )
+	else
+		myeconfargs+=( --disable-sql )
+	fi
+
+	# Default to GDBM if both 'gdbm' and 'berkdb' are present.
+	if use gdbm ; then
+		einfo "Building with GNU DB as database backend for your SASLdb"
+		myeconfargs+=( --with-dblib=gdbm )
+	elif use berkdb ; then
+		einfo "Building with BerkeleyDB as database backend for your SASLdb"
+		myeconfargs+=(
+			--with-dblib=berkeley
+			--with-bdb-incdir="$(db_includedir)"
+		)
+	else
+		einfo "Building without SASLdb support"
+		myeconfargs+=( --with-dblib=none )
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake
+
+	# Default location for java classes breaks OpenOffice (bug #60769).
+	# Thanks to axxo@gentoo.org for the solution.
+	if multilib_is_native_abi && use java ; then
+		jar -cvf ${PN}.jar -C java $(find java -name "*.class")
+	fi
+}
+
+multilib_src_install() {
+	default
+
+	if multilib_is_native_abi; then
+		if use sample ; then
+			docinto sample
+			dodoc "${S}"/sample/*.c
+			exeinto /usr/share/doc/${P}/sample
+			doexe sample/client sample/server
+		fi
+
+		# Default location for java classes breaks OpenOffice (bug #60769).
+		if use java; then
+			java-pkg_dojar ${PN}.jar
+			java-pkg_regso "${ED}/usr/$(get_libdir)/libjavasasl$(get_libname)"
+			# hackish, don't wanna dig through makefile
+			rm -rf "${ED}/usr/$(get_libdir)/java" || die
+			docinto "java"
+			dodoc "${S}/java/README" "${FILESDIR}/java.README.gentoo" "${S}"/java/doc/*
+			dodir "/usr/share/doc/${PF}/java/Test"
+			insinto "/usr/share/doc/${PF}/java/Test"
+			doins "${S}"/java/Test/*.java
+		fi
+
+		dosbin saslauthd/testsaslauthd
+	fi
+}
+
+multilib_src_install_all() {
+	doman man/*
+
+	keepdir /etc/sasl2
+
+	# Reset docinto to default value (#674296)
+	docinto
+	dodoc AUTHORS ChangeLog doc/legacy/TODO
+	newdoc pwcheck/README README.pwcheck
+
+	newdoc docsrc/sasl/release-notes/$(ver_cut 1-2)/index.rst release-notes
+	edos2unix ${ED%/}/usr/share/doc/${PF}/release-notes
+
+	docinto html
+	dodoc doc/html/*.html
+
+	newpamd "${FILESDIR}/saslauthd.pam-include" saslauthd
+
+	newinitd "${FILESDIR}/pwcheck.rc6" pwcheck
+	systemd_dounit "${FILESDIR}/pwcheck.service"
+
+	newinitd "${FILESDIR}/saslauthd2.rc7" saslauthd
+	newconfd "${FILESDIR}/saslauthd-${SASLAUTHD_CONF_VER}.conf" saslauthd
+	systemd_dounit "${FILESDIR}/saslauthd.service"
+	systemd_dotmpfilesd "${FILESDIR}/${PN}.conf"
+
+	# The get_modname bit is important: do not remove the .la files on
+	# platforms where the lib isn't called .so for cyrus searches the .la to
+	# figure out what the name is supposed to be instead
+	if ! use static-libs && [[ $(get_modname) == .so ]] ; then
+		find "${ED}" -name "*.la" -delete || die
+	fi
+}
+
+pkg_postinst () {
+	# Generate an empty sasldb2 with correct permissions.
+	if ( use berkdb || use gdbm ) && [[ ! -f "${EROOT}/etc/sasl2/sasldb2" ]] ; then
+		einfo "Generating an empty sasldb2 with correct permissions ..."
+		echo "p" | "${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -p login \
+			|| die "Failed to generate sasldb2"
+		"${EROOT}/usr/sbin/saslpasswd2" -f "${EROOT}/etc/sasl2/sasldb2" -d login \
+			|| die "Failed to delete temp user"
+		chown root:mail "${EROOT}/etc/sasl2/sasldb2" \
+			|| die "Failed to chown ${EROOT}/etc/sasl2/sasldb2"
+		chmod 0640 "${EROOT}/etc/sasl2/sasldb2" \
+			|| die "Failed to chmod ${EROOT}/etc/sasl2/sasldb2"
+	fi
+
+	if use authdaemond ; then
+		elog "You need to add a user running a service using Courier's"
+		elog "authdaemon to the 'mail' group. For example, do:"
+		elog "	gpasswd -a postfix mail"
+		elog "to add the 'postfix' user to the 'mail' group."
+	fi
+
+	elog "pwcheck and saslauthd home directories have moved to:"
+	elog "  /run/saslauthd, using tmpfiles.d"
+}

diff --git a/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch
new file mode 100644
index 00000000000..82b9e1fb6db
--- /dev/null
+++ b/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-CVE-2019-19906.patch
@@ -0,0 +1,20 @@
+Description: CVE-2019-19906: Off-by-one in _sasl_add_string function
+Origin: vendor
+Bug: https://github.com/cyrusimap/cyrus-sasl/issues/587
+Bug-Debian: https://bugs.debian.org/947043
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19906
+Author: Stephan Zeisberg <stephan@srlabs.de>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2019-12-19
+
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t
+ 
+   if (add==NULL) add = "(null)";
+ 
+-  addlen=strlen(add); /* only compute once */
++  addlen=strlen(add)+1; /* only compute once */
+   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+     return SASL_NOMEM;
+