[meta-networking] cyrus-sasl: upgrade 2.1.27 -> 2.1.28

Message ID 1646057348-36134-1-git-send-email-wangmy@fujitsu.com
State New

Commit Message

Mingyu Wang (Fujitsu) Feb. 28, 2022, 2:09 p.m. UTC
0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch
0001-makeinit.sh-fix-parallel-build-issue.patch
0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch
deleted since they're included in 2.1.28

CVE-2019-19906.patch
avoid-to-call-AC_TRY_RUN.patch
refreshed for new version

Changelog:
=========
build:
------
configure - Restore LIBS after checking gss_inquire_sec_context_by_oid
makemd5.c - Fix potential out of bound writes
fix build with --disable-shared --enable-static
Dozens of fixes for Windows specific builds
Fix cross platform builds with SPNEGO
Do not try to build broken java subtree
Fix build error with --enable-auth-sasldb

common:
-------
plugin_common.c:
Ensure size is always checked if called repeatedly (#617)

documentation:
--------------
Fixed generation of saslauthd(8) man page
Fixed installation of saslauthd(8) and testsaslauthd(8) man pages (#373)
Updates for additional SCRAM mechanisms
Fix sasl_decode64 and sasl_encode64 man pages
Tons of fixes for Sphinx

include:
--------
sasl.h:
Allow up to 16 bits for security flags

lib:
----
checkpw.c:
Skip one call to strcat
Disable auxprop-hashed (#374)
client.c:
Use proper length for fully qualified domain names
common.c:
CVE-2019-19906 Fix off by one error (#587)
external.c:
fix EXTERNAL with non-terminated input (#689)
saslutil.c:
fix index_64 to be a signed char (#619)

plugins:
--------
gssapi.c:
Emit debug log only in case of errors
ntlm.c:
Fail compile if MD4 is not available (#632)
sql.c:
Finish reading residual return data (#639)
CVE-2022-24407 Escape password for SQL insert/update commands.

sasldb:
-------
db_gdbm.c:
fix gdbm_errno overlay from gdbm_close

DIGEST-MD5 plugin:
------------------
Prevent double free of RC4 context
Use OpenSSL RC4 implementation if available

SCRAM plugin:
------------
Return BADAUTH on incorrect password (#545)
Add -224, -384, -512 (#552)
Remove SCRAM_HASH_SIZE
Add function to return SCRAM auth method name
Allocate enough memory in scam_setpass()
Add function to sort SCRAM methods by hash strength
Update windows build for newer SCRAM options

saslauthd:
---------
auth_httpform.c:
Avoid signed overflow with non-ascii characters (#576)
auth_krb5.c:
support setting an explicit auth_krb5 server name
support setting an explicit servername with Heimdal
unify the MIT and Heimdal auth_krb5 implementations
Remove call to krbtf
auth_rimap.c:
provide native memmem implementation if missing
lak.c:
Allow LDAP_OPT_X_TLS_REQUIRE_CERT to be 0 (no certificate verification)
lak.h:
Increase supported DN length to 4096 (#626)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 ...to-be-built-outside-of-source-tree-w.patch | 41 --------
 ...makeinit.sh-fix-parallel-build-issue.patch | 95 -------------------
 ...-condition-for-suppliment-snprintf-i.patch | 28 ------
 .../cyrus-sasl/CVE-2019-19906.patch           |  6 +-
 .../cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch | 53 ++++++-----
 ...us-sasl_2.1.27.bb => cyrus-sasl_2.1.28.bb} |  8 +-
 6 files changed, 32 insertions(+), 199 deletions(-)
 delete mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch
 delete mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-makeinit.sh-fix-parallel-build-issue.patch
 delete mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch
 rename meta-networking/recipes-daemons/cyrus-sasl/{cyrus-sasl_2.1.27.bb => cyrus-sasl_2.1.28.bb} (91%)

Patch

diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch
deleted file mode 100644
index c89822c36b..0000000000
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch
+++ /dev/null
@@ -1,41 +0,0 @@ 
-From 6515f3e7656d97d40a6a1cf4eb3ada193a698309 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Wed, 12 Sep 2018 23:18:12 +0800
-Subject: [PATCH] Allow saslauthd to be built outside of source tree while
- configuring with `--enable-ldapdb'
-
-[snip]
-| powerpc-wrs-linux-gcc [snip] -I../common
-|../../git/saslauthd/lak.c:58:10: fatal error: crypto-compat.h:
-No such file or directory
-[snip]
-
-The crypto-compat.h locates in git/common/, it should be                                                                                                                           |
-`-I../../git/common'
-
-Remove useless `-I$(top_srcdir)/../include' which was incorrectly
-added by commit `faae590 cleanup misc INCLUDES for different build paths'
-
-Upstream-Status: Submitted [https://github.com/cyrusimap/cyrus-sasl]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- saslauthd/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/saslauthd/Makefile.am b/saslauthd/Makefile.am
-index d7244be..864b29b 100644
---- a/saslauthd/Makefile.am
-+++ b/saslauthd/Makefile.am
-@@ -34,7 +34,7 @@ saslcache_SOURCES = saslcache.c
- 
- EXTRA_DIST	= saslauthd.8 saslauthd.mdoc include \
- 		  getnameinfo.c getaddrinfo.c LDAP_SASLAUTHD
--AM_CPPFLAGS	= -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_srcdir)/../include -I$(top_builddir)/common
-+AM_CPPFLAGS	= -I$(top_srcdir)/include -I$(top_builddir)/include -I$(top_builddir)/common -I$(top_srcdir)/common
- DEFS            = @DEFS@ -DSASLAUTHD_CONF_FILE_DEFAULT=\"@sysconfdir@/saslauthd.conf\" -I. -I$(srcdir) -I..
- 
- 
--- 
-2.7.4
-
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-makeinit.sh-fix-parallel-build-issue.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-makeinit.sh-fix-parallel-build-issue.patch
deleted file mode 100644
index bf232ac272..0000000000
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0001-makeinit.sh-fix-parallel-build-issue.patch
+++ /dev/null
@@ -1,95 +0,0 @@ 
-From bb693db0e1d1d693e8ca31fcbc4f46d1674eeca1 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Thu, 13 Sep 2018 14:20:57 +0800
-Subject: [PATCH] makeinit.sh: fix parallel build issue
-
-While building plugins, each <plugin>.c requires a <plugin>_init.c,
-and the <plugin>_init.c is dynamically generated by makeinit.sh.
-
-But the makeinit.sh generates all *_init.c (13 mechanism plugins,
-3 auxprop plugins) at one time, if there are multiple plugins,
-there will be multiple makeinit.sh invoking.
-
-It caused a parallel issue, the *_init.c files will be generated
-repeatedly.
-
-It occasionally generate dapdb_init.c incorrectly
-[snip plugins/ldapdb_init.c]
-SASL_CANONUSER_PLUG_INIT( ldapdb )
-SASL_CANONUSER_PLUG_INIT( ldapdb )
-SASL_CANONUSER_PLUG_INIT( ldapdb )
-[snip plugins/ldapdb_init.c]
-
-Let makeinit.sh generate the expected <plugin>_init.c which
-is exactly required by <plugin>.c.
-
-Upstream-Status: Submitted [https://github.com/cyrusimap/cyrus-sasl/pull/532]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- plugins/Makefile.am |  2 +-
- plugins/makeinit.sh | 19 ++++++++++++++-----
- 2 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/Makefile.am b/plugins/Makefile.am
-index 929f6a4..81e7f0b 100644
---- a/plugins/Makefile.am
-+++ b/plugins/Makefile.am
-@@ -149,4 +149,4 @@ passdss_init.c sasldb_init.c sql_init.c ldapdb_init.c
- CLEANFILES=$(init_src)
- 
- ${init_src}: $(srcdir)/makeinit.sh
--	$(SHELL) $(srcdir)/makeinit.sh
-+	$(SHELL) $(srcdir)/makeinit.sh $@
-diff --git a/plugins/makeinit.sh b/plugins/makeinit.sh
-index cc65f7d..3131877 100644
---- a/plugins/makeinit.sh
-+++ b/plugins/makeinit.sh
-@@ -1,7 +1,9 @@
-+plugin_init="$1"
- # mechanism plugins
- for mech in anonymous crammd5 digestmd5 scram gssapiv2 kerberos4 login ntlm otp passdss plain srp gs2; do
-+    if [ ${plugin_init} = "${mech}_init.c" ];then
- 
--echo "
-+        echo "
- #include <config.h>
- 
- #include <string.h>
-@@ -43,13 +45,16 @@ BOOL APIENTRY DllMain( HANDLE hModule,
- 
- SASL_CLIENT_PLUG_INIT( $mech )
- SASL_SERVER_PLUG_INIT( $mech )
--" > ${mech}_init.c
-+"       > ${mech}_init.c
-+        echo "generating $1"
-+    fi # End of `if [ ${plugin_init} = "${mech}_init.c" ];then'
- done
- 
- # auxprop plugins
- for auxprop in sasldb sql ldapdb; do
-+    if [ ${plugin_init} = "${auxprop}_init.c" ];then
- 
--echo "
-+        echo "
- #include <config.h>
- 
- #include <string.h>
-@@ -86,8 +91,12 @@ BOOL APIENTRY DllMain( HANDLE hModule,
- #endif
- 
- SASL_AUXPROP_PLUG_INIT( $auxprop )
--" > ${auxprop}_init.c
-+"       > ${auxprop}_init.c
-+        echo "generating $1"
-+    fi # End of `if [ ${plugin_init} = "${auxprop}_init.c" ];then'
- done
- 
- # ldapdb is also a canon_user plugin
--echo "SASL_CANONUSER_PLUG_INIT( ldapdb )" >> ldapdb_init.c
-+if [ ${plugin_init} = "ldapdb_init.c" ];then
-+    echo "SASL_CANONUSER_PLUG_INIT( ldapdb )" >> ldapdb_init.c
-+fi
--- 
-2.7.4
-
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch
deleted file mode 100644
index 68d09c385b..0000000000
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch
+++ /dev/null
@@ -1,28 +0,0 @@ 
-From 98082f81da1b49876081ff1ab340e952755f985a Mon Sep 17 00:00:00 2001
-From: OBATA Akio <obache@users.noreply.github.com>
-Date: Fri, 11 May 2018 18:36:26 +0900
-Subject: [PATCH] configure.ac: fix condition for suppliment snprintf
- implementation
-
-$sasl_cv_snprintf means requremnt of suppliment snprintf
-implementation, not existence of system snprintf implementation,
-
-Upstream-Status: Submitted [https://github.com/cyrusimap/cyrus-sasl/pull/512]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index ac59f14..9804e98 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1264,7 +1264,7 @@ SNPRINTFOBJS=""
- LTSNPRINTFOBJS=""
- AC_CHECK_FUNC(snprintf, [AC_DEFINE(HAVE_SNPRINTF,[],[Does the system have snprintf()?])], [sasl_cv_snprintf=yes])
- AC_CHECK_FUNC(vsnprintf, [AC_DEFINE(HAVE_VSNPRINTF,[],[Does the system have vsnprintf()?])], [sasl_cv_snprintf=yes])
--if test $sasl_cv_snprintf = no; then
-+if test $sasl_cv_snprintf = yes; then
-        AC_LIBOBJ(snprintf)
-        SNPRINTFOBJS="snprintf.o"
-        LTSNPRINTFOBJS="snprintf.lo"
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch
index b94780f302..33a9e3f6e6 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch
@@ -18,7 +18,7 @@  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/lib/common.c b/lib/common.c
-index 305311d..445c5d5 100644
+index d9104c8..fef82db 100644
 --- a/lib/common.c
 +++ b/lib/common.c
 @@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
@@ -27,9 +27,9 @@  index 305311d..445c5d5 100644
  
 -  addlen=strlen(add); /* only compute once */
 +  addlen=strlen(add)+1; /* only compute once */
-   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+   if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)
      return SASL_NOMEM;
  
 -- 
-2.7.4
+2.25.1
 
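Review bot: In the refreshed `_sasl_add_string` hunk the context line now reads `_buf_alloc(out, alloclen, (*outlen)+addlen+1)`, so the 2.1.28 source already reserves the extra byte, and the changelog in this commit lists "CVE-2019-19906 Fix off by one error (#587)" under lib/common.c. Applying `addlen=strlen(add)+1` on top of that no longer only enlarges the allocation: it changes `addlen` itself, which the `only compute once` comment indicates is reused later in the function. Drop CVE-2019-19906.patch from the recipe directory and from SRC_URI instead of refreshing it, or state in the commit message why it is still required on 2.1.28.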
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch
index aa271b8fb0..1e6f99603c 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch
@@ -9,41 +9,42 @@  Avoid to call AC_TRY_RUN to check if GSSAPI libraries support SPNEGO
 on cross-compile environment by definition AC_ARG_ENABLE enable-spnego
 
 Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-
 ---
- m4/sasl2.m4 | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
+ m4/sasl2.m4 | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
 
 diff --git a/m4/sasl2.m4 b/m4/sasl2.m4
-index 56e0504..cf62607 100644
+index 80371ef..ff70083 100644
 --- a/m4/sasl2.m4
 +++ b/m4/sasl2.m4
-@@ -314,7 +314,18 @@ if test "$gssapi" != no; then
-   cmu_save_LIBS="$LIBS"
-   LIBS="$LIBS $GSSAPIBASE_LIBS"
- 
--  AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
-+  AC_ARG_ENABLE([spnego],
-+              [AC_HELP_STRING([--enable-spnego=<DIR>],
-+                              [enable SPNEGO support in GSSAPI libraries [no]])],
-+              [spnego=$enableval],
-+              [spnego=no])
-+
-+  if test "$spnego" = no; then
-+       echo "no"
-+  elif test "$spnego" = yes; then
-+       AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO])
-+  else
-+       AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
-   AC_TRY_RUN([
+@@ -316,6 +316,18 @@ if test "$gssapi" != no; then
+   AC_CACHE_CHECK([for SPNEGO support in GSSAPI libraries],[ac_cv_gssapi_supports_spnego],[
+     cmu_save_LIBS="$LIBS"
+     LIBS="$LIBS $GSSAPIBASE_LIBS"
++    AC_ARG_ENABLE([spnego],
++                [AC_HELP_STRING([--enable-spnego=<DIR>],
++                                [enable SPNEGO support in GSSAPI libraries [no]])],
++                [spnego=$enableval],
++                [spnego=no])
++  
++    if test "$spnego" = no; then
++         echo "no"
++    elif test "$spnego" = yes; then
++         AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO])
++    else
++         AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
+     AC_TRY_RUN([
  #ifdef HAVE_GSSAPI_H
  #include <gssapi.h>
-@@ -341,7 +352,7 @@ int main(void)
- 	AC_MSG_RESULT(yes) ],
- 	AC_MSG_RESULT(no))
-   LIBS="$cmu_save_LIBS"
+@@ -343,7 +355,7 @@ int main(void)
+   AS_IF([test "$ac_cv_gssapi_supports_spnego" = yes],[
+     AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO])
+   ])
 -
 +   fi
  else
    AC_MSG_RESULT([disabled])
  fi
+-- 
+2.25.1
+
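Review bot: The refreshed hunk places `AC_ARG_ENABLE([spnego], ...)` and the `if test "$spnego" = no` chain inside the third argument of `AC_CACHE_CHECK`, while the closing `fi` is added after the `AS_IF` block that tests `ac_cv_gssapi_supports_spnego`, so the shell conditional appears to open inside one macro argument and close outside it. In the `no` and `yes` branches `ac_cv_gssapi_supports_spnego` is never assigned, so the cache check has no result to report and the following `AS_IF` sees an empty value. The `else` branch also calls `AC_MSG_CHECKING` with the same message that `AC_CACHE_CHECK` already prints. Suggest moving the `AC_ARG_ENABLE` ahead of `AC_CACHE_CHECK` and having the no/yes cases set `ac_cv_gssapi_supports_spnego` directly, which still keeps `AC_TRY_RUN` out of cross builds and removes the straddling if/fi. The help text `--enable-spnego=<DIR>` is also misleading for an option that is only compared against yes and no.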
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
similarity index 91%
rename from meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
rename to meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
index 43b69f7a21..95a093cd11 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
@@ -5,17 +5,13 @@  DEPENDS = "openssl db groff-native"
 LICENSE = "BSD-4-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396"
 
-SRCREV = "e41cfb986c1b1935770de554872247453fdbb079"
+SRCREV = "7a6b45b177070198fed0682bea5fa87c18abb084"
 
-SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \
+SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sasl-2.1 \
            file://avoid-to-call-AC_TRY_RUN.patch \
-           file://Fix-hardcoded-libdir.patch \
            file://debian_patches_0014_avoid_pic_overwrite.diff \
            file://saslauthd.service \
            file://saslauthd.conf \
-           file://0004-configure.ac-fix-condition-for-suppliment-snprintf-i.patch \
-           file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \
-           file://0001-makeinit.sh-fix-parallel-build-issue.patch \
            file://CVE-2019-19906.patch \
            "
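Review bot: `file://Fix-hardcoded-libdir.patch` is removed from SRC_URI in this hunk, but the commit message does not mention it and the diffstat lists only three deleted patch files, none of them this one. Either delete the file in the same commit or say why it is dropped; as submitted the removal is unexplained and may leave an orphaned patch in the recipe directory. The change from `branch=master` to `branch=cyrus-sasl-2.1` also deserves a line in the commit message, since it changes which upstream branch the new SRCREV is resolved against.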