Branch '2.3-stable' - 3 commits - imapd/imapd.spec imapd/Makefile imapd/patches
Christoph Wickert
wickert at kolabsys.com
Fri Apr 29 09:56:03 CEST 2011
imapd/Makefile | 4
imapd/imapd.spec | 8
imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch | 140 ++++++++++
imapd/patches/cyrus-imapd-2.3.16/series | 2
4 files changed, 153 insertions(+), 1 deletion(-)
New commits:
commit 5df60be92fa55fb689d13fd2d281289f2f326770
Author: Christoph Wickert <wickert at kolabsys.com>
Date: Fri Apr 29 09:55:49 2011 +0200
imapd: Workaround for missing user_deny.db (bugzilla.kolabsys.com #72)
diff --git a/imapd/Makefile b/imapd/Makefile
index ef13033..a35fa85 100644
--- a/imapd/Makefile
+++ b/imapd/Makefile
@@ -14,7 +14,8 @@ PATCHES=patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_Cyradm_Annot
patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_timsieved_starttls-sendcaps.patch \
patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_UID.patch \
patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_cross-domain-acls.patch \
- patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_flush-buffer-after-TLS-initiation.patch
+ patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_flush-buffer-after-TLS-initiation.patch \
+ patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_workaround-for-missing-user_deny.db.patch
EXTRA=$(PATCHES) cyrus.conf fsl.imapd imapd.conf imapd.patch rc.imapd
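Review bot: The file added to PATCHES here, `KOLAB_cyrus-imapd-$(VERSION)_workaround-for-missing-user_deny.db.patch`, does not appear in this push's diffstat, which lists only the Makefile, imapd.spec, the flush-buffer patch and series. Unless the file was committed earlier, this Makefile entry, `Patch9` with `%patch -p1 -P 9` in imapd.spec, and the new series line all point at a missing file. The package build would then presumably stop at the patch step. Please confirm the patch file is tracked on 2.3-stable, or add it in the same commit so the change is self-contained and what gets built can be audited from the repository alone.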
diff --git a/imapd/imapd.spec b/imapd/imapd.spec
index 3323e6c..b5bb1c5 100644
--- a/imapd/imapd.spec
+++ b/imapd/imapd.spec
@@ -77,6 +77,7 @@ Patch5: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_UID.pa
Patch6: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_Folder-names.patch
Patch7: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_timsieved_starttls-sendcaps.patch
Patch8: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_flush-buffer-after-TLS-initiation.patch
+Patch9: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_workaround-for-missing-user_deny.db.patch
# build information
Prefix: %{l_prefix}
@@ -164,6 +165,9 @@ AutoReqProv: no
# https://bugzilla.kolabsys.com/show_bug.cgi?id=81
%patch -p1 -P 8
+ # https://bugzilla.kolabsys.com/show_bug.cgi?id=72
+%patch -p1 -P 9
+
# add optional DRAC file support
%if "%{with_drac}" == "yes"
%{l_shtool} subst -e 's;@DRACLIBS@;-ldrac;g' contrib/drac_auth.patch
diff --git a/imapd/patches/cyrus-imapd-2.3.16/series b/imapd/patches/cyrus-imapd-2.3.16/series
index 8b14641..fbb1d64 100644
--- a/imapd/patches/cyrus-imapd-2.3.16/series
+++ b/imapd/patches/cyrus-imapd-2.3.16/series
@@ -6,3 +6,4 @@ KOLAB_UID.patch
KOLAB_Cyradm_Annotations.patch
KOLAB_timsieved_starttls-sendcaps.patch
KOLAB_flush-buffer-after-TLS-initiation.patch
+KOLAB_workaround-for-missing-user_deny.db.patch
commit fb080177f4967010ff42fc4a9c5cdb0eda655c7a
Author: Christoph Wickert <wickert at kolabsys.com>
Date: Fri Apr 29 09:53:36 2011 +0200
imapd: Add the patch for bugzilla.kolabsys.com #81 actually
diff --git a/imapd/imapd.spec b/imapd/imapd.spec
index 6bc01aa..3323e6c 100644
--- a/imapd/imapd.spec
+++ b/imapd/imapd.spec
@@ -76,6 +76,7 @@ Patch4: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_Loggin
Patch5: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_UID.patch
Patch6: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_Folder-names.patch
Patch7: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_timsieved_starttls-sendcaps.patch
+Patch8: patches/cyrus-imapd-%{version}/KOLAB_cyrus-imapd-%{version}_flush-buffer-after-TLS-initiation.patch
# build information
Prefix: %{l_prefix}
commit 833aa54f516d862f001b6ad0943957b3f4278c92
Author: Christoph Wickert <wickert at kolabsys.com>
Date: Fri Apr 29 09:48:47 2011 +0200
imapd: Apply fixes for not flushing buffer after TLS initiation (bugzilla.kolabsys.com #81)
diff --git a/imapd/Makefile b/imapd/Makefile
index 5c23ec8..ef13033 100644
--- a/imapd/Makefile
+++ b/imapd/Makefile
@@ -13,7 +13,8 @@ PATCHES=patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_Cyradm_Annot
patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_Logging.patch \
patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_timsieved_starttls-sendcaps.patch \
patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_UID.patch \
- patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_cross-domain-acls.patch
+ patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_cross-domain-acls.patch \
+ patches/cyrus-imapd-$(VERSION)/KOLAB_cyrus-imapd-$(VERSION)_flush-buffer-after-TLS-initiation.patch
EXTRA=$(PATCHES) cyrus.conf fsl.imapd imapd.conf imapd.patch rc.imapd
diff --git a/imapd/imapd.spec b/imapd/imapd.spec
index 751db6a..6bc01aa 100644
--- a/imapd/imapd.spec
+++ b/imapd/imapd.spec
@@ -160,6 +160,9 @@ AutoReqProv: no
%patch -p1 -P 7
%endif
+ # https://bugzilla.kolabsys.com/show_bug.cgi?id=81
+%patch -p1 -P 8
+
# add optional DRAC file support
%if "%{with_drac}" == "yes"
%{l_shtool} subst -e 's;@DRACLIBS@;-ldrac;g' contrib/drac_auth.patch
diff --git a/imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch b/imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch
new file mode 100644
index 0000000..3a3ce3e
--- /dev/null
+++ b/imapd/patches/cyrus-imapd-2.3.16/KOLAB_cyrus-imapd-2.3.16_flush-buffer-after-TLS-initiation.patch
@@ -0,0 +1,140 @@
+From 99e184a903e4f973c7358bc0c7e26fabb2237fd2 Mon Sep 17 00:00:00 2001
+From: Ken Murchison <murch at andrew.cmu.edu>
+Date: Fri, 25 Mar 2011 15:50:18 +0000
+Subject: Fixed bug #3423 - STARTTLS plaintext command injection vulnerability
+
+---
+diff --git a/imap/imapd.c b/imap/imapd.c
+index 4227d6e..f9905ae 100644
+--- a/imap/imapd.c
++++ b/imap/imapd.c
+@@ -1688,6 +1688,9 @@ void cmdloop()
+ if (c == '\r') c = prot_getc(imapd_in);
+ if (c != '\n') goto extraargs;
+
++ /* XXX discard any input pipelined after STARTTLS */
++ prot_flush(imapd_in);
++
+ /* if we've already done SASL fail */
+ if (imapd_userid != NULL) {
+ prot_printf(imapd_out,
+diff --git a/imap/lmtpengine.c b/imap/lmtpengine.c
+index eff3e50..16ccc54 100644
+--- a/imap/lmtpengine.c
++++ b/imap/lmtpengine.c
+@@ -1562,6 +1562,9 @@ void lmtpmode(struct lmtp_func *func,
+ sasl_ssf_t ssf;
+ char *auth_id;
+
++ /* XXX discard any input pipelined after STARTTLS */
++ prot_flush(pin);
++
+ /* SASL and openssl have different ideas
+ about whether ssf is signed */
+ layerp = (int *) &ssf;
+diff --git a/imap/mupdate.c b/imap/mupdate.c
+index b6cc1cb..a4f6509 100644
+--- a/imap/mupdate.c
++++ b/imap/mupdate.c
+@@ -927,6 +927,9 @@ mupdate_docmd_result_t docmd(struct conn *c)
+ if (!strcmp(c->cmd.s, "Starttls")) {
+ CHECKNEWLINE(c, ch);
+
++ /* XXX discard any input pipelined after STARTTLS */
++ prot_flush(c->pin);
++
+ if (!tls_enabled()) {
+ /* we don't support starttls */
+ goto badcmd;
+diff --git a/imap/nntpd.c b/imap/nntpd.c
+index 1c9dbb1..105fa4b 100644
+--- a/imap/nntpd.c
++++ b/imap/nntpd.c
+@@ -1428,6 +1428,9 @@ static void cmdloop(void)
+ if (c == '\r') c = prot_getc(nntp_in);
+ if (c != '\n') goto extraargs;
+
++ /* XXX discard any input pipelined after STARTTLS */
++ prot_flush(nntp_in);
++
+ cmd_starttls(0);
+ }
+ else if (!strcmp(cmd.s, "Stat")) {
+diff --git a/imap/pop3d.c b/imap/pop3d.c
+index b84ca2e..7303771 100644
+--- a/imap/pop3d.c
++++ b/imap/pop3d.c
+@@ -930,6 +930,9 @@ static void cmdloop(void)
+ if (arg) {
+ prot_printf(popd_out, "-ERR Unexpected extra argument\r\n");
+ } else {
++ /* XXX discard any input pipelined after STLS */
++ prot_flush(popd_in);
++
+ cmd_starttls(0);
+ }
+ }
+diff --git a/imap/sync_server.c b/imap/sync_server.c
+index b2f0a7b..b8b4263 100644
+--- a/imap/sync_server.c
++++ b/imap/sync_server.c
+@@ -904,6 +904,9 @@ static void cmdloop(void)
+ if (c == '\r') c = prot_getc(sync_in);
+ if (c != '\n') goto extraargs;
+
++ /* XXX discard any input pipelined after STARTTLS */
++ prot_flush(sync_in);
++
+ /* if we've already done SASL fail */
+ if (sync_userid != NULL) {
+ prot_printf(sync_out,
+diff --git a/lib/prot.c b/lib/prot.c
+index 4fef8e3..c2bb1a9 100644
+--- a/lib/prot.c
++++ b/lib/prot.c
+@@ -728,10 +728,29 @@ int prot_fill(struct protstream *s)
+ }
+
+ /*
++ * If 's' is an input stream, discard any pending/buffered data. Otherwise,
+ * Write out any buffered data in the stream 's'
+ */
+ int prot_flush(struct protstream *s)
+ {
++ if (!s->write) {
++ int c, save_dontblock = s->dontblock;
++
++ /* Set stream to nonblocking mode */
++ if (!save_dontblock) nonblock(s->fd, (s->dontblock = 1));
++
++ /* Ingest any pending input */
++ while ((c = prot_fill(s)) != EOF);
++
++ /* Reset stream to previous blocking mode */
++ if (!save_dontblock) nonblock(s->fd, (s->dontblock = 0));
++
++ /* Discard any buffered input */
++ s->cnt = 0;
++
++ return 0;
++ }
++
+ return prot_flush_internal(s, 1);
+ }
+
+diff --git a/timsieved/parser.c b/timsieved/parser.c
+index 49b2881..dc710c0 100644
+--- a/timsieved/parser.c
++++ b/timsieved/parser.c
+@@ -443,6 +443,9 @@ int parser(struct protstream *sieved_out, struct protstream *sieved_in)
+ goto error;
+ }
+
++ /* XXX discard any input pipelined after STARTTLS */
++ prot_flush(sieved_in);
++
+ if(referral_host)
+ goto do_referral;
+
+--
+cgit v0.8.2.1
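Review bot: In the lib/prot.c part of this patch, the new input branch of prot_flush() throws away pipelined plaintext silently and returns 0 on every path, so an attempted STARTTLS command injection leaves no trace a defender could alert on. The drain loop `while ((c = prot_fill(s)) != EOF);` also stops on any EOF; whether a closed or failed connection is told apart from "nothing pending" depends on prot_fill(), whose body is outside the hunk. I would have the branch record whether anything was buffered or read before `s->cnt = 0;` and emit one log line when it was. The call-site `XXX` comments should also state the reason, e.g. `/* drop plaintext pipelined behind STARTTLS so it is never parsed as part of the TLS session */`. Since this file is a backport of an upstream commit, carrying those changes as a separate follow-up patch would keep the backport comparable with its source.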
diff --git a/imapd/patches/cyrus-imapd-2.3.16/series b/imapd/patches/cyrus-imapd-2.3.16/series
index 164cba2..8b14641 100644
--- a/imapd/patches/cyrus-imapd-2.3.16/series
+++ b/imapd/patches/cyrus-imapd-2.3.16/series
@@ -5,3 +5,4 @@ KOLAB_Folder-names.patch
KOLAB_UID.patch
KOLAB_Cyradm_Annotations.patch
KOLAB_timsieved_starttls-sendcaps.patch
+KOLAB_flush-buffer-after-TLS-initiation.patch