Comment 6 for bug 9127

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 15 Oct 2004 21:55:46 +0200
From: Andreas Barth <email address hidden>
To: <email address hidden>
Subject: NMU uploaded

Hi,

I uploaded a package with this patch. Please see this as a part to
help your package to be in good shape for Debian's next stable release.

Cheers,
Andi

diff -ur cyrus-sasl2-2.1.19-prev/debian/changelog cyrus-sasl2-2.1.19/debian/changelog
--- cyrus-sasl2-2.1.19-prev/debian/changelog Fri Oct 15 20:06:25 2004
+++ cyrus-sasl2-2.1.19/debian/changelog Fri Oct 15 20:29:07 2004
@@ -1,3 +1,11 @@
+cyrus-sasl2 (2.1.19-1.4) unstable; urgency=low
+
+ * NMU
+ * fix the security fix: Initialize *path with 0.
+ Closes: #276637.
+
+ -- Andreas Barth <aba@amd> Fri, 15 Oct 2004 20:26:41 +0200
+
 cyrus-sasl2 (2.1.19-1.3) unstable; urgency=high

   * NMU
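Review bot: The changelog line "fix the security fix: Initialize *path with 0." does not say what was broken; spell out the defect, e.g. "initialize *path before the uid/gid check so the PLUGINDIR fallback is taken when SASL_PATH is ignored", so the next maintainer can tell what 2.1.19-1.3 got wrong without reading the patch.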
diff -ur cyrus-sasl2-2.1.19-prev/debian/patches/21_237x_3_sasl_upstream_cvs.diff cyrus-sasl2-2.1.19/debian/patches/21_237x_3_sasl_upstream_cvs.diff
--- cyrus-sasl2-2.1.19-prev/debian/patches/21_237x_3_sasl_upstream_cvs.diff Fri Oct 15 20:06:25 2004
+++ cyrus-sasl2-2.1.19/debian/patches/21_237x_3_sasl_upstream_cvs.diff Fri Oct 15 20:26:30 2004
@@ -1,23 +1,6 @@
----------------------
-PatchSet 2377
-Date: 2004/09/22 20:35:34
-Author: shadow
-Branch: HEAD
-Tag: (none)
-Log:
-don't honor SASL_PATH in setuid environment. from Gentoo.
-
-Members:
- lib/common.c:1.103->1.104
-
-Index: cyrus-sasl-2.1.19/lib/common.c
-===================================================================
-RCS file: /cvs/src/sasl/lib/common.c,v
-retrieving revision 1.103
-retrieving revision 1.104
-diff -u -r1.103 -r1.104
---- cyrus-sasl-2.1.19/lib/common.c 6 Jul 2004 16:03:05 -0000 1.103
-+++ cyrus-sasl-2.1.19/lib/common.c 22 Sep 2004 21:35:34 -0000 1.104
+diff -ur cyrus-sasl-2.1.19.orig/lib/common.c cyrus-sasl-2.1.19/lib/common.c
+--- cyrus-sasl-2.1.19.orig/lib/common.c Fri Oct 15 20:25:42 2004
++++ cyrus-sasl-2.1.19/lib/common.c Fri Oct 15 20:26:04 2004
 @@ -1,7 +1,7 @@
  /* common.c - Functions that are common to server and clinet
   * Rob Siemborski
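Review bot: Removing the PatchSet 2377 header (author, date, and the log line "don't honor SASL_PATH in setuid environment. from Gentoo.") drops the only record of where this change came from; keep at least the log line and the lib/common.c 1.103->1.104 revision pair as a comment above the regenerated `diff -ur` header so the patch stays traceable to upstream CVS.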
@@ -27,11 +10,12 @@
   */
  /*
   * Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
-@@ -1838,7 +1838,10 @@
+@@ -1846,7 +1846,11 @@
    if (! path)
      return SASL_BADPARAM;

 - *path = getenv(SASL_PATH_ENV_VAR);
++ *path = 0;
 + /* Honor external variable only in a safe environment */
 + if (getuid() == geteuid() && getgid() == getegid())
 + *path = getenv(SASL_PATH_ENV_VAR);
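Review bot: The added `*path = 0;` is the fix that matters: without it, whenever the real and effective uid or gid differ the earlier patch skipped the assignment entirely, and the `if (! *path)` fallback to PLUGINDIR below tested an uninitialized pointer. Two smaller points: `*path = NULL;` would match the pointer type and the surrounding style, and the inner hunk header moving from `-1838,7 +1838,10` to `-1846,7 +1846,11` shows the patch was regenerated against different line numbers, so confirm it still applies cleanly to the 2.1.19 source the package builds from.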
@@ -39,3 +23,4 @@
    if (! *path)
      *path = PLUGINDIR;

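Review bot: The header `@@ -39,3 +23,4 @@` promises one added line, but only the three unchanged context lines are visible, so the `+` line (presumably a trailing blank) was lost between the patch file and this mail; regenerate the diff or check the uploaded version with `patch --dry-run` before relying on this copy.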
--
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C