fixed cyrus packages break sendmail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cyrus-sasl2 (Debian) | Fix Released | Unknown | |
cyrus-sasl2 (Ubuntu) | Invalid | Medium | Matt Zimmerman |
Bug Description
Automatically imported from Debian bug report #276637 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Fri, 15 Oct 2004 11:50:51 +0200
From: Andreas Barth <email address hidden>
To: <email address hidden>
Subject: fixed cyrus packages break sendmail
Package: cyrus-sasl2
Version: 1.5.28-6.2
Severity: serious
Tags: patch
Hi,
the new cyrus-sasl package breaks sendmail - it fails if the path is not
set at all (except if it is by chance 0). So, please use
- char *path;
+ char *path = NULL;
before the test whether we take SASL_PATH_ENV_VAR from the environment.
Thanks.
Cheers,
Andi
--
http://
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Martin Pitt (pitti) wrote : | #3 |
I just checked the cyrus-sasl2 code; we have a totally different version (this
report probably refers to a woody security update) and the only relevant portion
of code is different and seems to be implemented very sanely (check for NULL, etc.).
Closing as NOTWARTY.
In Debian Bug tracker #276637, Andreas Barth (aba-amd) wrote : Fixed in NMU of cyrus-sasl2 2.1.19-1.4 | #4 |
tag 276637 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 15 Oct 2004 20:26:41 +0200
Source: cyrus-sasl2
Binary: libsasl2 libsasl2-
Architecture: source i386
Version: 2.1.19-1.4
Distribution: unstable
Urgency: low
Maintainer: Dima Barsky <email address hidden>
Changed-By: Andreas Barth <aba@amd>
Description:
libsasl2 - Authentication abstraction library
libsasl2-dev - Development files for authentication abstraction library
libsasl2-modules - Pluggable Authentication Modules for SASL
libsasl2-
libsasl2-
libsasl2-
sasl2-bin - Programs for manipulating the SASL users database
Closes: 276637
Changes:
cyrus-sasl2 (2.1.19-1.4) unstable; urgency=low
.
* NMU
* fix the security fix: Initialize *path with 0.
Closes: #276637.
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iEYEARECAAYFAkF
QZgAn22R/
=7ypF
-----END PGP SIGNATURE-----
In Debian Bug tracker #276637, Andreas Barth (aba) wrote : NMU uploaded | #5 |
Hi,
I uploaded a package with this patch. Please see this as a part to
help your package to be in good shape for Debian's next stable release.
Cheers,
Andi
diff -ur cyrus-sasl2-
--- cyrus-sasl2-
+++ cyrus-sasl2-
@@ -1,3 +1,11 @@
+cyrus-sasl2 (2.1.19-1.4) unstable; urgency=low
+
+ * NMU
+ * fix the security fix: Initialize *path with 0.
+ Closes: #276637.
+
+ -- Andreas Barth <aba@amd> Fri, 15 Oct 2004 20:26:41 +0200
+
cyrus-sasl2 (2.1.19-1.3) unstable; urgency=high
* NMU
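Review bot: the new changelog entry is marked urgency=low although it repairs the urgency=high security upload 2.1.19-1.3 listed directly beneath it, and "fix the security fix: Initialize *path with 0." names neither the file touched nor the symptom. Consider stating the regression being fixed (the report's subject is that the fixed packages break sendmail) so that anyone who installed 2.1.19-1.3 can tell from the changelog alone that they need this upload.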
diff -ur cyrus-sasl2-
--- cyrus-sasl2-
+++ cyrus-sasl2-
@@ -1,23 +1,6 @@
-------
-PatchSet 2377
-Date: 2004/09/22 20:35:34
-Author: shadow
-Branch: HEAD
-Tag: (none)
-Log:
-don't honor SASL_PATH in setuid environment. from Gentoo.
-
-Members:
- lib/common.
-
-Index: cyrus-sasl-
-======
-RCS file: /cvs/src/
-retrieving revision 1.103
-retrieving revision 1.104
-diff -u -r1.103 -r1.104
---- cyrus-sasl-
-+++ cyrus-sasl-
+diff -ur cyrus-sasl-
+--- cyrus-sasl-
++++ cyrus-sasl-
@@ -1,7 +1,7 @@
/* common.c - Functions that are common to server and clinet
* Rob Siemborski
@@ -27,11 +10,12 @@
*/
/*
* Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
-@@ -1838,7 +1838,10 @@
+@@ -1846,7 +1846,11 @@
if (! path)
return SASL_BADPARAM;
- *path = getenv(
++ *path = 0;
+ /* Honor external variable only in a safe environment */
+ if (getuid() == geteuid() && getgid() == getegid())
+ *path = getenv(
@@ -39,3 +23,4 @@
if (! *path)
*path = PLUGINDIR;
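Review bot: the rewritten patch file drops the whole PatchSet 2377 header (date, author, and the log line "don't honor SASL_PATH in setuid environment. from Gentoo."), so the provenance and purpose of the security change are no longer recorded next to the code; keep that header and add a line describing the new initialization. In the inner hunk at "@@ -1846,7 +1846,11 @@", the added "*path = 0;" is what makes the later "if (! *path)" fallback to PLUGINDIR well defined when the uid/gid test fails, but writing it as "*path = NULL;" would match the form proposed in the original report and read more clearly for a pointer.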
--
http://
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
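The regression discussed in this thread, reduced to a runnable sketch; this is an added example, not code from the posts or from cyrus-sasl2. The `trusted` parameter (standing in for the patch's uid/gid test), the `resolve` helper, the `STALE` sentinel, the local return-code defines and the `PLUGINDIR` value are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SASL_OK 0                      /* local stand-ins for the library's codes */
#define SASL_BADPARAM (-7)
#define SASL_PATH_ENV_VAR "SASL_PATH"
#define PLUGINDIR "/usr/lib/sasl2"     /* constructed default, not from the page */

/* First security fix: *path is written only on the trusted branch. */
int getpath_before(const char **path, int trusted)
{
    if (!path) return SASL_BADPARAM;
    if (trusted) *path = getenv(SASL_PATH_ENV_VAR);
    if (!*path) *path = PLUGINDIR;     /* tests whatever the caller's slot held */
    return SASL_OK;
}

/* After the NMU: clear the slot first, so the default always applies. */
int getpath_after(const char **path, int trusted)
{
    if (!path) return SASL_BADPARAM;
    *path = NULL;
    if (trusted) *path = getenv(SASL_PATH_ENV_VAR);
    if (!*path) *path = PLUGINDIR;
    return SASL_OK;
}

/* A fixed sentinel models the stale contents of an uninitialized slot
 * deterministically, without relying on undefined behaviour. */
const char STALE[] = "<stale caller memory>";

const char *resolve(int fixed, int trusted)
{
    const char *slot = STALE;
    if (fixed) getpath_after(&slot, trusted);
    else getpath_before(&slot, trusted);
    return slot;
}

int main(void)
{
    /* The patch's own test for a safe environment. */
    int trusted = getuid() == geteuid() && getgid() == getegid();
    printf("trusted=%d untrusted-before=%s untrusted-after=%s\n",
           trusted, resolve(0, 0), resolve(1, 0));
    return 0;
}
```

On the untrusted branch the "before" variant hands the stale pointer back as the plugin path, which is the failure the report describes for a path that is "not set at all"; the "after" variant always falls back to `PLUGINDIR` and ignores `SASL_PATH`.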
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Fri, 15 Oct 2004 21:55:46 +0200
From: Andreas Barth <email address hidden>
To: <email address hidden>
Subject: NMU uploaded
Debian Bug Importer (debzilla) wrote : | #7 |
Message-Id: <email address hidden>
Date: Fri, 15 Oct 2004 15:47:13 -0400
From: Andreas Barth <aba@amd>
To: <email address hidden>
Cc: Andreas Barth <aba@amd>, Dima Barsky <email address hidden>
Subject: Fixed in NMU of cyrus-sasl2 2.1.19-1.4
In Debian Bug tracker #276637, Sam Hartman (hartmans) wrote : Debian Kerberosish: r2292 - in cyrus-sasl2-mit: . debian/current debian/current/debian debian/current/debian/patches debian/current/p | #8 |
Author: hartmans
Date: 2005-12-16 21:10:04 -0500 (Fri, 16 Dec 2005)
New Revision: 2292
Added:
Author: hartmans
Date: 2005-12-16 21:10:49 -0500 (Fri, 16 Dec 2005)
New Revision: 2296
Added:
In Debian Bug tracker #276637, Roberto C. Sanchez (roberto-connexer) wrote : add pending tags | #10 |
--
Roberto C. Sanchez
http://
http://
In Debian Bug tracker #276637, Adam D. Barratt (debian-bts-adam-barratt) wrote : Bugs fixed in NMU, documenting versions | #11 |
# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers. With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
# relevant version information now
Changed in cyrus-sasl2: | |
status: | Fix Committed → Fix Released |
In Debian Bug tracker #276637, Fabian Fagerholm (fabbe-debian) wrote : Bug#276637: fixed in cyrus-sasl-2.1 2.1.22-0~pre01 | #12 |
Source: cyrus-sasl-2.1
Source-Version: 2.1.22-0~pre01
We believe that the bug you reported is fixed in the latest version of
cyrus-sasl-2.1, which is due to be installed in the Debian FTP archive:
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Fagerholm <email address hidden> (supplier of updated cyrus-sasl-2.1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 19 Oct 2006 23:26:02 +0300
Source: cyrus-sasl-2.1
Binary: libsasl2-2 cyrus-sasl-2.1-bin libsasl2 libsasl2-2-dev sasl2-bin libsasl2-dev libsasl2-
Architecture: source i386 all
Version: 2.1.22-0~pre01
Distribution: ex...
Automatically imported from Debian bug report #276637 http://bugs.debian.org/276637