Branch '2.3-stable' - 3 commits - imapd/imapd.spec imapd/Makefile imapd/patches

Christoph Wickert wickert at kolabsys.com
Fri Apr 29 09:56:03 CEST 2011


 imapd/Makefile                                                                                    |    4 
 imapd/imapd.spec                                                                                  |    8 
 imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch |  140 ++++++++++
 imapd/patches/cyrus-imapd-2.3.16/series                                                           |    2 
 4 files changed, 153 insertions(+), 1 deletion(-)

New commits:
commit 5df60be92fa55fb689d13fd2d281289f2f326770
Author: Christoph Wickert <wickert at kolabsys.com>
Date:   Fri Apr 29 09:55:49 2011 +0200

    imapd: Workaround for missing user_deny.db (bugzilla.kolabsys.com #72)

diff --git a/imapd/Makefile b/imapd/Makefile
index ef13033..a35fa85 100644
--- a/imapd/Makefile
+++ b/imapd/Makefile
@@ -14,7 +14,8 @@ PATCHES=patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_Cyradm_Annot
         patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_timsieved_starttls-sendcaps.patch \
         patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_UID.patch \
         patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_cross-domain-acls.patch \
-        patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_flush-buffer-after-TLS-initiation.patch
+        patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_flush-buffer-after-TLS-initiation.patch \
+        patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_workaround-for-missing-user_deny.db.patch
 
 EXTRA=$(PATCHES) cyrus.conf fsl.imapd imapd.conf imapd.patch rc.imapd
 
diff --git a/imapd/imapd.spec b/imapd/imapd.spec
index 3323e6c..b5bb1c5 100644
--- a/imapd/imapd.spec
+++ b/imapd/imapd.spec
@@ -77,6 +77,7 @@ Patch5:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_UID.pa
 Patch6:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_Folder-names.patch
 Patch7:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_timsieved_starttls-sendcaps.patch
 Patch8:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_flush-buffer-after-TLS-initiation.patch
+Patch9:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_workaround-for-missing-user_deny.db.patch
 
 #   build information
 Prefix:       %{l_prefix}
@@ -164,6 +165,9 @@ AutoReqProv:  no
     #   https://bugzilla.kolabsys.com/show_bug.cgi?id=81
 %patch -p1 -P 8
 
+    #   https://bugzilla.kolabsys.com/show_bug.cgi?id=72
+%patch -p1 -P 9
+
     #   add optional DRAC file support
 %if "%{with_drac}" == "yes"
     %{l_shtool} subst -e 's;@DRACLIBS@;-ldrac;g' contrib/drac_auth.patch
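Review bot: `Patch9` and the new `%patch -p1 -P 9` step point at `KOLAB_cyrus-imapd-%{version}_workaround-for-missing-user_deny.db.patch`, but none of the three commits in this push adds that file; the diffstat lists only the flush-buffer patch under `imapd/patches`. Unless the file is already in the tree from an earlier commit, the build will stop at this `%patch` step, and the new `PATCHES` entry in `imapd/Makefile` and the new line in `series` from the same commit depend on the same missing file. The comment above the step gives only the bug URL; a few words on what is worked around would help, e.g. `#   workaround for missing user_deny.db, see https://bugzilla.kolabsys.com/show_bug.cgi?id=72`.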
diff --git a/imapd/patches/cyrus-imapd-2.3.16/series b/imapd/patches/cyrus-imapd-2.3.16/series
index 8b14641..fbb1d64 100644
--- a/imapd/patches/cyrus-imapd-2.3.16/series
+++ b/imapd/patches/cyrus-imapd-2.3.16/series
@@ -6,3 +6,4 @@ KOLAB_UID.patch
 KOLAB_Cyradm_Annotations.patch
 KOLAB_timsieved_starttls-sendcaps.patch
 KOLAB_flush-buffer-after-TLS-initiation.patch
+KOLAB_workaround-for-missing-user_deny.db.patch


commit fb080177f4967010ff42fc4a9c5cdb0eda655c7a
Author: Christoph Wickert <wickert at kolabsys.com>
Date:   Fri Apr 29 09:53:36 2011 +0200

    imapd: Add the patch for bugzilla.kolabsys.com #81 actually

diff --git a/imapd/imapd.spec b/imapd/imapd.spec
index 6bc01aa..3323e6c 100644
--- a/imapd/imapd.spec
+++ b/imapd/imapd.spec
@@ -76,6 +76,7 @@ Patch4:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_Loggin
 Patch5:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_UID.patch
 Patch6:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_Folder-names.patch
 Patch7:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_timsieved_starttls-sendcaps.patch
+Patch8:       patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_flush-buffer-after-TLS-initiation.patch
 
 #   build information
 Prefix:       %{l_prefix}


commit 833aa54f516d862f001b6ad0943957b3f4278c92
Author: Christoph Wickert <wickert at kolabsys.com>
Date:   Fri Apr 29 09:48:47 2011 +0200

    imapd: Apply fixes for not flushing buffer after TLS initiation (bugzilla.kolabsys.com #81)

diff --git a/imapd/Makefile b/imapd/Makefile
index 5c23ec8..ef13033 100644
--- a/imapd/Makefile
+++ b/imapd/Makefile
@@ -13,7 +13,8 @@ PATCHES=patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_Cyradm_Annot
         patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_Logging.patch \
         patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_timsieved_starttls-sendcaps.patch \
         patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_UID.patch \
-        patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_cross-domain-acls.patch
+        patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_cross-domain-acls.patch \
+        patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_flush-buffer-after-TLS-initiation.patch
 
 EXTRA=$(PATCHES) cyrus.conf fsl.imapd imapd.conf imapd.patch rc.imapd
 
diff --git a/imapd/imapd.spec b/imapd/imapd.spec
index 751db6a..6bc01aa 100644
--- a/imapd/imapd.spec
+++ b/imapd/imapd.spec
@@ -160,6 +160,9 @@ AutoReqProv:  no
      %patch -p1 -P 7
 %endif
 
+    #   https://bugzilla.kolabsys.com/show_bug.cgi?id=81
+%patch -p1 -P 8
+
     #   add optional DRAC file support
 %if "%{with_drac}" == "yes"
     %{l_shtool} subst -e 's;@DRACLIBS@;-ldrac;g' contrib/drac_auth.patch
diff --git a/imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch b/imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch
new file mode 100644
index 0000000..3a3ce3e
--- /dev/null
+++ b/imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch
@@ -0,0 +1,140 @@
+From 99e184a903e4f973c7358bc0c7e26fabb2237fd2 Mon Sep 17 00:00:00 2001
+From: Ken Murchison <murch at andrew.cmu.edu>
+Date: Fri, 25 Mar 2011 15:50:18 +0000
+Subject: Fixed bug #3423 - STARTTLS plaintext command injection vulnerability
+
+---
+diff --git a/imap/imapd.c b/imap/imapd.c
+index 4227d6e..f9905ae 100644
+--- a/imap/imapd.c
++++ b/imap/imapd.c
+@@ -1688,6 +1688,9 @@ void cmdloop()
+ 		if (c == '\r') c = prot_getc(imapd_in);
+ 		if (c != '\n') goto extraargs;
+ 
++		/* XXX  discard any input pipelined after STARTTLS */
++		prot_flush(imapd_in);
++
+ 		/* if we've already done SASL fail */
+ 		if (imapd_userid != NULL) {
+ 		    prot_printf(imapd_out, 
+diff --git a/imap/lmtpengine.c b/imap/lmtpengine.c
+index eff3e50..16ccc54 100644
+--- a/imap/lmtpengine.c
++++ b/imap/lmtpengine.c
+@@ -1562,6 +1562,9 @@ void lmtpmode(struct lmtp_func *func,
+ 		sasl_ssf_t ssf;
+ 		char *auth_id;
+ 
++		/* XXX  discard any input pipelined after STARTTLS */
++		prot_flush(pin);
++
+ 		/* SASL and openssl have different ideas
+ 		   about whether ssf is signed */
+ 		layerp = (int *) &ssf;
+diff --git a/imap/mupdate.c b/imap/mupdate.c
+index b6cc1cb..a4f6509 100644
+--- a/imap/mupdate.c
++++ b/imap/mupdate.c
+@@ -927,6 +927,9 @@ mupdate_docmd_result_t docmd(struct conn *c)
+ 	if (!strcmp(c->cmd.s, "Starttls")) {
+ 	    CHECKNEWLINE(c, ch);
+ 	    
++	    /* XXX  discard any input pipelined after STARTTLS */
++	    prot_flush(c->pin);
++
+ 	    if (!tls_enabled()) {
+ 		/* we don't support starttls */
+ 		goto badcmd;
+diff --git a/imap/nntpd.c b/imap/nntpd.c
+index 1c9dbb1..105fa4b 100644
+--- a/imap/nntpd.c
++++ b/imap/nntpd.c
+@@ -1428,6 +1428,9 @@ static void cmdloop(void)
+ 		if (c == '\r') c = prot_getc(nntp_in);
+ 		if (c != '\n') goto extraargs;
+ 
++		/* XXX  discard any input pipelined after STARTTLS */
++		prot_flush(nntp_in);
++
+ 		cmd_starttls(0);
+ 	    }
+ 	    else if (!strcmp(cmd.s, "Stat")) {
+diff --git a/imap/pop3d.c b/imap/pop3d.c
+index b84ca2e..7303771 100644
+--- a/imap/pop3d.c
++++ b/imap/pop3d.c
+@@ -930,6 +930,9 @@ static void cmdloop(void)
+ 		if (arg) {
+ 		    prot_printf(popd_out, "-ERR Unexpected extra argument\r\n");
+ 		} else {
++		    /* XXX  discard any input pipelined after STLS */
++		    prot_flush(popd_in);
++
+ 		    cmd_starttls(0);
+ 		}
+ 	    }
+diff --git a/imap/sync_server.c b/imap/sync_server.c
+index b2f0a7b..b8b4263 100644
+--- a/imap/sync_server.c
++++ b/imap/sync_server.c
+@@ -904,6 +904,9 @@ static void cmdloop(void)
+ 		if (c == '\r') c = prot_getc(sync_in);
+ 		if (c != '\n') goto extraargs;
+ 
++		/* XXX  discard any input pipelined after STARTTLS */
++		prot_flush(sync_in);
++
+ 		/* if we've already done SASL fail */
+ 		if (sync_userid != NULL) {
+ 		    prot_printf(sync_out, 
+diff --git a/lib/prot.c b/lib/prot.c
+index 4fef8e3..c2bb1a9 100644
+--- a/lib/prot.c
++++ b/lib/prot.c
+@@ -728,10 +728,29 @@ int prot_fill(struct protstream *s)
+ }
+ 
+ /*
++ * If 's' is an input stream, discard any pending/buffered data.  Otherwise,
+  * Write out any buffered data in the stream 's'
+  */
+ int prot_flush(struct protstream *s) 
+ {
++    if (!s->write) {
++	int c, save_dontblock = s->dontblock;
++
++	/* Set stream to nonblocking mode */
++	if (!save_dontblock) nonblock(s->fd, (s->dontblock = 1));
++
++	/* Ingest any pending input */
++	while ((c = prot_fill(s)) != EOF);
++
++	/* Reset stream to previous blocking mode */
++	if (!save_dontblock) nonblock(s->fd, (s->dontblock = 0));
++
++	/* Discard any buffered input */
++	s->cnt = 0;
++
++	return 0;
++    }
++
+     return prot_flush_internal(s, 1);
+ }
+ 
+diff --git a/timsieved/parser.c b/timsieved/parser.c
+index 49b2881..dc710c0 100644
+--- a/timsieved/parser.c
++++ b/timsieved/parser.c
+@@ -443,6 +443,9 @@ int parser(struct protstream *sieved_out, struct protstream *sieved_in)
+       goto error;
+     }
+ 
++    /* XXX  discard any input pipelined after STARTTLS */
++    prot_flush(sieved_in);
++
+     if(referral_host)
+ 	goto do_referral;
+ 
+--
+cgit v0.8.2.1
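Review bot: In the lib/prot.c section, the new input branch of `prot_flush` always returns 0 and its drain loop `while ((c = prot_fill(s)) != EOF);` treats every EOF alike, so a closed or failed connection presumably looks the same as "nothing left to discard", and the callers, which ignore the result anyway, carry on towards the TLS handshake. Because this is the step that keeps plaintext sent before the handshake from being parsed as if it had arrived inside the TLS session, I would replace the `XXX` marker at the seven call sites with the reason, e.g. `/* drop plaintext buffered before the TLS handshake so it is never parsed as post-TLS input */`, and extend the header comment on `prot_flush` to say that the input case switches the stream to non-blocking mode, drains it, and restores the previous mode. Each service has to remember this call on its own; if the shared TLS start routine (not visible here) can reach the input stream, doing the flush there would also cover any service added later. The loop variable `c` is used only for the comparison and could be dropped.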
diff --git a/imapd/patches/cyrus-imapd-2.3.16/series b/imapd/patches/cyrus-imapd-2.3.16/series
index 164cba2..8b14641 100644
--- a/imapd/patches/cyrus-imapd-2.3.16/series
+++ b/imapd/patches/cyrus-imapd-2.3.16/series
@@ -5,3 +5,4 @@ KOLAB_Folder-names.patch
 KOLAB_UID.patch
 KOLAB_Cyradm_Annotations.patch
 KOLAB_timsieved_starttls-sendcaps.patch
+KOLAB_flush-buffer-after-TLS-initiation.patch




