Message-ID: <email address hidden> Date: Fri, 15 Oct 2004 21:55:46 +0200 From: Andreas Barth <email address hidden> To: <email address hidden> Subject: NMU uploaded
Hi,
I uploaded a package with this patch. Please see this as a part to help your package to be in good shape for Debian's next stable release.
Cheers, Andi
diff -ur cyrus-sasl2-2.1.19-prev/debian/changelog cyrus-sasl2-2.1.19/debian/changelog
--- cyrus-sasl2-2.1.19-prev/debian/changelog Fri Oct 15 20:06:25 2004
+++ cyrus-sasl2-2.1.19/debian/changelog Fri Oct 15 20:29:07 2004
@@ -1,3 +1,11 @@
+cyrus-sasl2 (2.1.19-1.4) unstable; urgency=low
+
+ * NMU
+ * fix the security fix: Initialize *path with 0.
+ Closes: #276637.
+
+ -- Andreas Barth <aba@amd> Fri, 15 Oct 2004 20:26:41 +0200
+
 cyrus-sasl2 (2.1.19-1.3) unstable; urgency=high
 * NMU
diff -ur cyrus-sasl2-2.1.19-prev/debian/patches/21_237x_3_sasl_upstream_cvs.diff cyrus-sasl2-2.1.19/debian/patches/21_237x_3_sasl_upstream_cvs.diff
--- cyrus-sasl2-2.1.19-prev/debian/patches/21_237x_3_sasl_upstream_cvs.diff Fri Oct 15 20:06:25 2004
+++ cyrus-sasl2-2.1.19/debian/patches/21_237x_3_sasl_upstream_cvs.diff Fri Oct 15 20:26:30 2004
@@ -1,23 +1,6 @@
----------------------
-PatchSet 2377
-Date: 2004/09/22 20:35:34
-Author: shadow
-Branch: HEAD
-Tag: (none)
-Log:
-don't honor SASL_PATH in setuid environment. from Gentoo.
-
-Members:
- lib/common.c:1.103->1.104
-
-Index: cyrus-sasl-2.1.19/lib/common.c
-===================================================================
-RCS file: /cvs/src/sasl/lib/common.c,v
-retrieving revision 1.103
-retrieving revision 1.104
-diff -u -r1.103 -r1.104
---- cyrus-sasl-2.1.19/lib/common.c 6 Jul 2004 16:03:05 -0000 1.103
-+++ cyrus-sasl-2.1.19/lib/common.c 22 Sep 2004 21:35:34 -0000 1.104
+diff -ur cyrus-sasl-2.1.19.orig/lib/common.c cyrus-sasl-2.1.19/lib/common.c
+--- cyrus-sasl-2.1.19.orig/lib/common.c Fri Oct 15 20:25:42 2004
++++ cyrus-sasl-2.1.19/lib/common.c Fri Oct 15 20:26:04 2004
 @@ -1,7 +1,7 @@
  /* common.c - Functions that are common to server and clinet
  * Rob Siemborski
@@ -27,11 +10,12 @@
  */
 /*
  * Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
-@@ -1838,7 +1838,10 @@
+@@ -1846,7 +1846,11 @@
  if (! path)
  return SASL_BADPARAM;
 - *path = getenv(SASL_PATH_ENV_VAR);
++ *path = 0;
 + /* Honor external variable only in a safe environment */
 + if (getuid() == geteuid() && getgid() == getegid())
 + *path = getenv(SASL_PATH_ENV_VAR);
@@ -39,3 +23,4 @@
 if (! *path)
 *path = PLUGINDIR;
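Review bot: The `getuid() == geteuid() && getgid() == getegid()` test that the new `*path = 0;` line now sits in front of is only a heuristic for "not running with elevated privilege": a process started set-id that has since equalized its real and effective ids (a setuid-root helper that called `setuid(0)`, for instance) passes the check while its environment still comes from the unprivileged caller, so `SASL_PATH` from that environment would again choose the plugin directory. On platforms that provide it, `issetugid()` (BSDs, Solaris) or glibc's `getauxval(AT_SECURE)` reports the set-id condition reliably, so the guard is better written as `if (!issetugid())` with the id comparison kept only as the fallback where no such call exists. The added line itself is right and closes the uninitialized read of `*path` that the 1.3 patch left for the later `if (! *path)` check, although `*path = NULL;` is the idiomatic spelling for a pointer. Note that this hunk edits the nested patch under debian/patches and the enclosing function starts and ends outside it, so the condition change belongs in that same inner hunk against lib/common.c.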
-- http://home.arcor.de/andreas-barth/ PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Message-ID: <email address hidden>
Date: Fri, 15 Oct 2004 21:55:46 +0200
From: Andreas Barth <email address hidden>
To: <email address hidden>
Subject: NMU uploaded
Hi,
I uploaded a package with this patch. Please see this as a part to
help your package to be in good shape for debians next stable release.
Cheers,
Andi
diff -ur cyrus-sasl2- 2.1.19- prev/debian/ changelog cyrus-sasl2- 2.1.19/ debian/ changelog 2.1.19- prev/debian/ changelog Fri Oct 15 20:06:25 2004 2.1.19/ debian/ changelog Fri Oct 15 20:29:07 2004
--- cyrus-sasl2-
+++ cyrus-sasl2-
@@ -1,3 +1,11 @@
+cyrus-sasl2 (2.1.19-1.4) unstable; urgency=low
+
+ * NMU
+ * fix the security fix: Initialize *path with 0.
+ Closes: #276637.
+
+ -- Andreas Barth <aba@amd> Fri, 15 Oct 2004 20:26:41 +0200
+
cyrus-sasl2 (2.1.19-1.3) unstable; urgency=high
* NMU 2.1.19- prev/debian/ patches/ 21_237x_ 3_sasl_ upstream_ cvs.diff cyrus-sasl2- 2.1.19/ debian/ patches/ 21_237x_ 3_sasl_ upstream_ cvs.diff 2.1.19- prev/debian/ patches/ 21_237x_ 3_sasl_ upstream_ cvs.diff Fri Oct 15 20:06:25 2004 2.1.19/ debian/ patches/ 21_237x_ 3_sasl_ upstream_ cvs.diff Fri Oct 15 20:26:30 2004 ------- ------- - c:1.103- >1.104 2.1.19/ lib/common. c ======= ======= ======= ======= ======= ======= ======= ======= ===== sasl/lib/ common. c,v 2.1.19/ lib/common. c 6 Jul 2004 16:03:05 -0000 1.103 2.1.19/ lib/common. c 22 Sep 2004 21:35:34 -0000 1.104 2.1.19. orig/lib/ common. c cyrus-sasl- 2.1.19/ lib/common. c 2.1.19. orig/lib/ common. c Fri Oct 15 20:25:42 2004 2.1.19/ lib/common. c Fri Oct 15 20:26:04 2004
diff -ur cyrus-sasl2-
--- cyrus-sasl2-
+++ cyrus-sasl2-
@@ -1,23 +1,6 @@
-------
-PatchSet 2377
-Date: 2004/09/22 20:35:34
-Author: shadow
-Branch: HEAD
-Tag: (none)
-Log:
-don't honor SASL_PATH in setuid environment. from Gentoo.
-
-Members:
- lib/common.
-
-Index: cyrus-sasl-
-======
-RCS file: /cvs/src/
-retrieving revision 1.103
-retrieving revision 1.104
-diff -u -r1.103 -r1.104
---- cyrus-sasl-
-+++ cyrus-sasl-
+diff -ur cyrus-sasl-
+--- cyrus-sasl-
++++ cyrus-sasl-
@@ -1,7 +1,7 @@
/* common.c - Functions that are common to server and clinet
* Rob Siemborski
@@ -27,11 +10,12 @@
*/
/*
* Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
-@@ -1838,7 +1838,10 @@
+@@ -1846,7 +1846,11 @@
if (! path)
return SASL_BADPARAM;
- *path = getenv( SASL_PATH_ ENV_VAR) ; SASL_PATH_ ENV_VAR) ;
++ *path = 0;
+ /* Honor external variable only in a safe environment */
+ if (getuid() == geteuid() && getgid() == getegid())
+ *path = getenv(
@@ -39,3 +23,4 @@
if (! *path)
*path = PLUGINDIR;
-- home.arcor. de/andreas- barth/
http://
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C