Hi, [ccing Brong since my last attempt to send this was rejected by mailman]
I was adapting Debian packaging for 3.0.0-beta1 and I have encountered several patches that really belong to upstream git. You can find them here (rebased on top of the latest master): https://github.com/oerdnj/cyrus-imapd or attached to this email (using git format-patch, so you can feed them to git am) Some of those are really old, so perhaps they doesn't have to be applied, but I picked only those that looked sane and still make sense. Most of those patches are small fixes, nothing huge, and I tried to keep the original author in the commit if known. The Debian packaging is under the same license as the original Cyrus, so no license worries here. 0011 and 0012 only apply to master branch (as they are bugs only in 3.0.0), but the rest of the patches could be applied on 2.4.x and perhaps 2.5.x (I decided to skip 2.5.x packaging in favour of 3.0.0). If you need more explanation for any of those patches, I will be happy to provide an explanation. Cheers, -- Ondřej Surý <[email protected]> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
From b6ef6139e9a37075cfefb3358028546f7b87e2ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <[email protected]> Date: Tue, 22 Sep 2015 14:56:01 +0200 Subject: [PATCH 13/13] Change the configure check for PS_STRINGS to COMPILE instead of CPP fix GNU/kFreeBSD builds --- configure.ac | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index e8c4ad2..a706c31 100644 --- a/configure.ac +++ b/configure.ac @@ -537,16 +537,15 @@ if test "$spt_type" = ""; then fi if test "$spt_type" = ""; then AC_MSG_CHECKING(for PS_STRINGS) - AC_CACHE_VAL(cyrus_cv_sys_psstrings, AC_TRY_CPP([ + AC_CACHE_VAL(cyrus_cv_sys_psstrings, AC_COMPILE_IFELSE([AC_LANG_SOURCE([ #include <machine/vmparam.h> #include <sys/exec.h> -#ifndef PS_STRINGS -#include </nonexistent> -#endif],cyrus_cv_sys_psstrings=yes,cyrus_cv_sys_psstrings=no)) - if test $cyrus_cv_sys_psstrings = yes; then - spt_type=SPT_PSSTRINGS - fi - AC_MSG_RESULT($cyrus_cv_sys_psstrings) +void *p = PS_STRINGS; +])],cyrus_cv_sys_psstrings=yes,cyrus_cv_sys_psstrings=no)) + if test $cyrus_cv_sys_psstrings = yes; then + spt_type=SPT_PSSTRINGS + fi + AC_MSG_RESULT($cyrus_cv_sys_psstrings) fi if test "$spt_type" = ""; then AC_MSG_CHECKING(for SCO) -- 2.1.4
From 9a896094648d2ae1e7d5a5424cbd6885d111b9ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <[email protected]> Date: Tue, 22 Sep 2015 13:38:04 +0200 Subject: [PATCH 12/13] Fix typo in sphinx that disabled squat --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 816cd50..e8c4ad2 100644 --- a/configure.ac +++ b/configure.ac @@ -377,7 +377,7 @@ dnl dnl Search engines - Sphinx dnl -enable_squat=no +enable_sphinx=no AC_ARG_ENABLE(sphinx, [ --enable-sphinx disable Sphinx support],[ enable_sphinx=$enableval -- 2.1.4
From 1c4d79ab342ba4460a371ac4431f3955fede1170 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <[email protected]> Date: Tue, 22 Sep 2015 11:47:11 +0200 Subject: [PATCH 11/13] libisieve has to be noinst_LTLIBRARY for PIC code to compile --- Makefile.am | 4 ++-- perl/sieve/managesieve/Makefile.PL.in | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 6cb2cc3..97f4d79 100644 --- a/Makefile.am +++ b/Makefile.am @@ -288,7 +288,7 @@ if SIEVE if PERL SUBDIRS += perl/sieve/managesieve -noinst_LIBRARIES = perl/sieve/lib/libisieve.a +noinst_LTLIBRARIES += perl/sieve/lib/libisieve.la endif # PERL BUILT_SOURCES += sieve/addr.c sieve/sieve.c sieve/sieve_err.c @@ -1540,7 +1540,7 @@ perl_libcyrus_la_LIBADD = $(lib_libcyrus_la_LIBADD) perl_libcyrus_min_la_SOURCES = $(lib_libcyrus_min_la_SOURCES) perl_libcyrus_min_la_LIBADD = $(lib_libcyrus_min_la_LIBADD) -perl_sieve_lib_libisieve_a_SOURCES = \ +perl_sieve_lib_libisieve_la_SOURCES = \ perl/sieve/lib/codes.h \ perl/sieve/lib/isieve.c \ perl/sieve/lib/isieve.h \ diff --git a/perl/sieve/managesieve/Makefile.PL.in b/perl/sieve/managesieve/Makefile.PL.in index 0b7c513..45ae8ea 100644 --- a/perl/sieve/managesieve/Makefile.PL.in +++ b/perl/sieve/managesieve/Makefile.PL.in @@ -68,7 +68,7 @@ WriteMakefile( 'NAME' => 'Cyrus::SIEVE::managesieve', 'ABSTRACT' => 'Cyrus Sieve management interface', 'VERSION_FROM' => "@top_srcdir@/perl/sieve/managesieve/managesieve.pm", # finds $VERSION - 'MYEXTLIB' => '../lib/libisieve.a @top_builddir@/perl/.libs/libcyrus.a @top_builddir@/perl/.libs/libcyrus_min.a', + 'MYEXTLIB' => '../lib/.libs/libisieve.a @top_builddir@/perl/.libs/libcyrus.a @top_builddir@/perl/.libs/libcyrus_min.a', 'LIBS' => ["$LIB_SASL @SSL_LIBS@ @LIB_RT@ @LIB_UUID@ @ZLIB@"], 'CCFLAGS' => '@GCOV_CFLAGS@', 'DEFINE' => '-DPERL_POLLUTE', # e.g., '-DHAVE_SOMETHING' -- 2.1.4
From 8c965ee686d1991e827a37b16f42bda7af14da7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <[email protected]> Date: Tue, 4 Aug 2015 10:38:07 +0200 Subject: [PATCH 10/13] Disable SSLv2, SSLv3 and TLS compression, use TLS_*_method when available --- imap/tls.c | 34 +++++++++++++++++----------------- imtest/imtest.c | 9 ++++++++- lib/imclient.c | 11 +++++++++-- 3 files changed, 34 insertions(+), 20 deletions(-) diff --git a/imap/tls.c b/imap/tls.c index 156a18a..007f2af 100644 --- a/imap/tls.c +++ b/imap/tls.c @@ -674,20 +674,23 @@ EXPORTED int tls_init_serverengine(const char *ident, return -1; } - /* even if we want TLS only, we use SSLv23 server method so we can - deal with a client sending an SSLv2 greeting message */ +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + s_ctx = SSL_CTX_new(TLS_server_method()); +#else s_ctx = SSL_CTX_new(SSLv23_server_method()); +#endif + if (s_ctx == NULL) { return (-1); }; - off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_NO_SSLv2; /* Disable insecure SSLv2 */ + off |= SSL_OP_NO_SSLv3; /* Disable insecure SSLv3 */ + off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */ const char *tls_versions = config_getstring(IMAPOPT_TLS_VERSIONS); - off |= SSL_OP_NO_SSLv2; - off |= SSL_OP_NO_SSLv3; - if (strstr(tls_versions, "tls1_2") == NULL) { #if (OPENSSL_VERSION_NUMBER >= 0x1000105fL) //syslog(LOG_DEBUG, "TLS server engine: Disabled TLSv1.2"); @@ -715,13 +718,6 @@ EXPORTED int tls_init_serverengine(const char *ident, if (server_cipher_order) off |= SSL_OP_CIPHER_SERVER_PREFERENCE; -#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL) - if (!config_getswitch(IMAPOPT_TLS_COMPRESSION)) { - off |= SSL_OP_NO_COMPRESSION; - syslog(LOG_DEBUG, "TLS client engine: Setting SSL_OP_NO_COMPRESSION"); - } -#endif // (OPENSSL_VERSION_NUMBER >= 0x1000000fL) - SSL_CTX_set_options(s_ctx, off); SSL_CTX_set_info_callback(s_ctx, apps_ssl_info_callback); @@ -1402,15 +1398,19 @@ HIDDEN int tls_init_clientengine(int verifydepth, return -1; } - /* XXX May need to use only SSLv3 for iSchedule */ +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + c_ctx = SSL_CTX_new(TLS_client_method()); +#else c_ctx = SSL_CTX_new(SSLv23_client_method()); +#endif if (c_ctx == NULL) { return (-1); }; - off |= SSL_OP_ALL; /* Work around all known bugs */ - off |= SSL_OP_NO_SSLv2; - off |= SSL_OP_NO_SSLv3; + off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_NO_SSLv2; /* Disable insecure SSLv2 */ + off |= SSL_OP_NO_SSLv3; /* Disable insecure SSLv3 */ + off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */ SSL_CTX_set_options(c_ctx, off); SSL_CTX_set_info_callback(c_ctx, apps_ssl_info_callback); diff --git a/imtest/imtest.c b/imtest/imtest.c index b56061e..27d375a 100644 --- a/imtest/imtest.c +++ b/imtest/imtest.c @@ -491,12 +491,19 @@ static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char return IMTEST_FAIL; } +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + tls_ctx = SSL_CTX_new(TLS_client_method()); +#else tls_ctx = SSL_CTX_new(SSLv23_client_method()); +#endif if (tls_ctx == NULL) { return IMTEST_FAIL; }; - off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_NO_SSLv2; /* Disable insecure SSLv2 */ + off |= SSL_OP_NO_SSLv3; /* Disable insecure SSLv3 */ + off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */ SSL_CTX_set_options(tls_ctx, off); SSL_CTX_set_info_callback(tls_ctx, apps_ssl_info_callback); diff --git a/lib/imclient.c b/lib/imclient.c index 6ade532..85fcf3c 100644 --- a/lib/imclient.c +++ b/lib/imclient.c @@ -1631,12 +1631,19 @@ static int tls_init_clientengine(struct imclient *imclient, return -1; } - imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method()); +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + imclient->tls_ctx = SSL_CTX_new(TLS_client_method()); +#else + imclient->tls_ctx = SSL_CTX_new(SSLv23_client_method()); +#endif if (imclient->tls_ctx == NULL) { return -1; }; - off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_ALL; /* Work around all known bugs */ + off |= SSL_OP_NO_SSLv2; /* Disable insecure SSLv2 */ + off |= SSL_OP_NO_SSLv3; /* Disable insecure SSLv3 */ + off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */ SSL_CTX_set_options(imclient->tls_ctx, off); /* debugging SSL_CTX_set_info_callback(imclient->tls_ctx, apps_ssl_info_callback); */ -- 2.1.4
From fe603caa11d33e2c714b8dd38a254c6cd47de01e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <[email protected]> Date: Tue, 4 Aug 2015 10:38:07 +0200 Subject: [PATCH 09/13] Fix PATH_MAX on GNU/Hurd --- imap/pop3d.c | 4 ++++ master/master.c | 4 ++++ master/service.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/imap/pop3d.c b/imap/pop3d.c index bdb9fed..eed3b9e 100644 --- a/imap/pop3d.c +++ b/imap/pop3d.c @@ -96,6 +96,10 @@ #include "iostat.h" +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN +#endif + #ifdef HAVE_KRB /* kerberos des is purported to conflict with OpenSSL DES */ #define DES_DEFS diff --git a/master/master.c b/master/master.c index a73c956..327a37c 100644 --- a/master/master.c +++ b/master/master.c @@ -71,6 +71,10 @@ #include <math.h> #include <inttypes.h> +#ifndef PATH_MAX +#define PATH_MAX 4096 +#endif + #ifndef INADDR_NONE #define INADDR_NONE 0xffffffff #endif diff --git a/master/service.c b/master/service.c index c923736..a510cf2 100644 --- a/master/service.c +++ b/master/service.c @@ -72,6 +72,10 @@ #include "strarray.h" #include "signals.h" +#ifndef PATH_MAX +#define PATH_MAX 4096 +#endif + extern int optind, opterr; extern char *optarg; -- 2.1.4
From d296d040a440837f62d41e842fffaba444c2aa55 Mon Sep 17 00:00:00 2001 From: Sven Mueller <[email protected]> Date: Tue, 4 Aug 2015 10:38:06 +0200 Subject: [PATCH 08/13] Change the wording of sieved's notice when a user's default sieve script is missing --- sieve/script.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sieve/script.c b/sieve/script.c index 7babef6..6ec838a 100644 --- a/sieve/script.c +++ b/sieve/script.c @@ -51,6 +51,7 @@ #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> +#include <errno.h> #include "assert.h" #include "charset.h" @@ -431,7 +432,11 @@ EXPORTED int sieve_script_load(const char *fname, sieve_execute_t **ret) if (!fname || !ret) return SIEVE_FAIL; if (stat(fname, &sbuf) == -1) { - syslog(LOG_DEBUG, "IOERROR: fstating sieve script %s: %m", fname); + if (errno == ENOENT) { + syslog(LOG_DEBUG, "WARNING: sieve script %s doesn't exist: %m", fname); + } else { + syslog(LOG_DEBUG, "IOERROR: fstating sieve script %s: %m", fname); + } return SIEVE_FAIL; } -- 2.1.4
From ca18668da52c3250bb60a7b48b191c6748778de0 Mon Sep 17 00:00:00 2001 From: Sven Mueller <[email protected]> Date: Tue, 4 Aug 2015 10:38:06 +0200 Subject: [PATCH 07/13] Fix formatting of imclient manpage --- man/imclient.3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/imclient.3 b/man/imclient.3 index 859f2a0..6a0520f 100644 --- a/man/imclient.3 +++ b/man/imclient.3 @@ -39,7 +39,7 @@ .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING .\" OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .SH NAME -imclient library - authenticating callback interface to IMAP/IMSP servers +imclient \- (library) authenticating callback interface to IMAP/IMSP servers .SH SYNOPSIS .ad l .ft B -- 2.1.4
From 2203a5ce1be8951c99bbfbf8db3e8cb8ada9d66e Mon Sep 17 00:00:00 2001 From: Sven Mueller <[email protected]> Date: Tue, 4 Aug 2015 10:38:05 +0200 Subject: [PATCH 06/13] Minor fixes of master.conf parsing to be more verbose --- master/masterconf.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/master/masterconf.c b/master/masterconf.c index 766219a..10b4c29 100644 --- a/master/masterconf.c +++ b/master/masterconf.c @@ -151,7 +151,12 @@ int masterconf_getint(struct entry *e, if (!val) return def; if (!Uisdigit(*val) && - (*val != '-' || !Uisdigit(val[1]))) return def; + (*val != '-' || !Uisdigit(val[1]))) { + syslog(LOG_DEBUG, + "value '%s' for '%s' does not look like a number.", + val, key); + return def; + } return atoi(val); } @@ -169,6 +174,10 @@ int masterconf_getswitch(struct entry *e, const char *key, int def) (val[0] == 'o' && val[1] == 'n') || val[0] == 't') { return 1; } + + syslog(LOG_DEBUG, "cannot interpret value '%s' for key '%s'. use y/n.", + val, key); + return def; } -- 2.1.4
From 48c0b555b406e7477d2b729aa28f09df7bfec584 Mon Sep 17 00:00:00 2001 From: Sven Mueller <[email protected]> Date: Tue, 4 Aug 2015 10:38:05 +0200 Subject: [PATCH 05/13] Make TLS/SSL error message more informative --- imap/tls.c | 4 ++-- imtest/imtest.c | 3 ++- lib/imclient.c | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/imap/tls.c b/imap/tls.c index f1f0be2..156a18a 100644 --- a/imap/tls.c +++ b/imap/tls.c @@ -840,7 +840,7 @@ EXPORTED int tls_init_serverengine(const char *ident, } if (!set_cert_stuff(s_ctx, server_cert_file, server_key_file)) { - syslog(LOG_ERR, "TLS server engine: cannot load server cert/key data."); + syslog(LOG_ERR, "TLS server engine: cannot load cert/key data, may be a cert/key mismatch?"); return (-1); } @@ -1452,7 +1452,7 @@ HIDDEN int tls_init_clientengine(int verifydepth, if (client_cert || client_key) { if (!set_cert_stuff(c_ctx, client_cert, client_key)) { - syslog(LOG_ERR,"TLS client engine: cannot load client cert/key data"); + syslog(LOG_ERR,"TLS client engine: cannot load cert/key data, may be a cert/key mismatch?"); return (-1); } } diff --git a/imtest/imtest.c b/imtest/imtest.c index 34ea2ba..b56061e 100644 --- a/imtest/imtest.c +++ b/imtest/imtest.c @@ -63,6 +63,7 @@ #include <sys/types.h> #include <sys/un.h> #include <unistd.h> +#include <ctype.h> #include <sasl/sasl.h> #include <sasl/saslutil.h> @@ -525,7 +526,7 @@ static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char if (c_cert_file || c_key_file) if (!set_cert_stuff(tls_ctx, c_cert_file, c_key_file)) { - printf("TLS engine: cannot load cert/key data\n"); + printf("TLS engine: cannot load cert/key data, maybe a cert/key mismatch?\n"); return IMTEST_FAIL; } SSL_CTX_set_tmp_rsa_callback(tls_ctx, tmp_rsa_cb); diff --git a/lib/imclient.c b/lib/imclient.c index b84ad65..6ade532 100644 --- a/lib/imclient.c +++ b/lib/imclient.c @@ -1667,7 +1667,7 @@ static int tls_init_clientengine(struct imclient *imclient, if (c_cert_file || c_key_file) if (!set_cert_stuff(imclient->tls_ctx, c_cert_file, c_key_file)) { - printf("[ TLS engine: cannot load cert/key data ]\n"); + printf("[ TLS engine: cannot load cert/key data, might be a cert/key mismatch]\n"); return -1; } SSL_CTX_set_tmp_rsa_callback(imclient->tls_ctx, tmp_rsa_cb); -- 2.1.4
From 3e99879fe9de185ea692370161b541fcde405d16 Mon Sep 17 00:00:00 2001 From: Sven Mueller <[email protected]> Date: Tue, 4 Aug 2015 10:38:05 +0200 Subject: [PATCH 04/13] Fix xmalloc usage --- lib/map_stupidshared.c | 1 + lib/xmalloc.h | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/map_stupidshared.c b/lib/map_stupidshared.c index c97cd64..cd5f1d9 100644 --- a/lib/map_stupidshared.c +++ b/lib/map_stupidshared.c @@ -47,6 +47,7 @@ #include <sys/stat.h> #include <syslog.h> +#include "xmalloc.h" #include "map.h" #include "exitcodes.h" #include "xmalloc.h" diff --git a/lib/xmalloc.h b/lib/xmalloc.h index 9deaf6f..4f7b508 100644 --- a/lib/xmalloc.h +++ b/lib/xmalloc.h @@ -60,7 +60,7 @@ extern void *xmemdup (const void *ptr, unsigned size); /* Functions using xmalloc.h must provide a function called fatal() conforming to the following: */ -extern void fatal(const char *fatal_message, int fatal_code); -/* __attribute__ ((noreturn));*/ +extern void fatal(const char *fatal_message, int fatal_code) + __attribute__ ((noreturn)); #endif /* INCLUDED_XMALLOC_H */ -- 2.1.4
From 28f62ea2fb248f6e71e6c1a576c2182f8c099599 Mon Sep 17 00:00:00 2001 From: Henrique de Moraes Holschuh <[email protected]> Date: Tue, 4 Aug 2015 10:38:05 +0200 Subject: [PATCH 03/13] Silence erroneous RLIMIT_NUMFDS-related log messages Fixes setrlimit(RLIMIT_NUMFDS) handling to be less obnoxious and not barf error messages to syslog incorrectly, nor log nonsense if getrlimit(RLIMIT_NUMFDS) failed. --- master/master.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/master/master.c b/master/master.c index 3f9942a..a73c956 100644 --- a/master/master.c +++ b/master/master.c @@ -1891,7 +1891,7 @@ static void limit_fds(rlim_t x) struct rlimit rl; #ifdef HAVE_GETRLIMIT - if (!getrlimit(RLIMIT_NUMFDS, &rl)) { + if (getrlimit(RLIMIT_NUMFDS, &rl) >= 0) { if (x != RLIM_INFINITY && rl.rlim_max != RLIM_INFINITY && x > rl.rlim_max) { syslog(LOG_WARNING, "limit_fds: requested %" PRIu64 ", but capped to %" PRIu64, @@ -1910,7 +1910,7 @@ static void limit_fds(rlim_t x) rl.rlim_cur, rl.rlim_max); } - if (setrlimit(RLIMIT_NUMFDS, &rl) < 0) { + if (setrlimit(RLIMIT_NUMFDS, &rl) < 0 && x != RLIM_INFINITY) { syslog(LOG_ERR, "setrlimit: Unable to set file descriptors limit to %ld: %m", rl.rlim_cur); -- 2.1.4
From 2f0192566a56c27800320fd1999c483acc3281c6 Mon Sep 17 00:00:00 2001 From: Henrique de Moraes Holschuh <[email protected]> Date: Tue, 4 Aug 2015 10:38:05 +0200 Subject: [PATCH 02/13] Use proper types (uid_t and gid_t) instead of int for UIDs and GIDs --- lib/util.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/util.c b/lib/util.c index 3ee922a..e89035a 100644 --- a/lib/util.c +++ b/lib/util.c @@ -590,9 +590,10 @@ static int cap_setuid(int uid, int is_master) EXPORTED int become_cyrus(int is_master) { struct passwd *p; - int newuid, newgid; + uid_t newuid; + gid_t newgid; int result; - static int uid = 0; + static uid_t uid = 0; if (uid) return cap_setuid(uid, is_master); -- 2.1.4
From 5cccdc4accc05dee364d3d242ae062ae6a2a1842 Mon Sep 17 00:00:00 2001 From: Sven Mueller <[email protected]> Date: Tue, 4 Aug 2015 10:38:04 +0200 Subject: [PATCH 01/13] Fix potential buffer overflows --- imtest/imtest.c | 2 +- master/master.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/imtest/imtest.c b/imtest/imtest.c index 888fd84..34ea2ba 100644 --- a/imtest/imtest.c +++ b/imtest/imtest.c @@ -1227,7 +1227,7 @@ static void interactive(struct protocol_t *protocol, char *filename) /* can't have this and a file for input */ sunsock.sun_family = AF_UNIX; - strcpy(sunsock.sun_path, output_socket); + strlcpy(sunsock.sun_path, output_socket, sizeof(sunsock.sun_path)); unlink(output_socket); listen_sock = socket(AF_UNIX, SOCK_STREAM, 0); diff --git a/master/master.c b/master/master.c index da7d789..3f9942a 100644 --- a/master/master.c +++ b/master/master.c @@ -233,13 +233,14 @@ static void get_daemon(char *path, unsigned size, const strarray_t *cmd) else snprintf(path, size, "%s/%s", LIBEXEC_DIR, cmd->data[0]); } -static void get_prog(char *path, unsigned size, const strarray_t *cmd) +static void get_prog(char *path, unsigned int size, const strarray_t *cmd) { if (cmd->data[0][0] == '/') { /* master lacks strlcpy, due to no libcyrus */ snprintf(path, size, "%s", cmd->data[0]); } else snprintf(path, size, "%s/%s", SBIN_DIR, cmd->data[0]); + path[size-1] = '\0'; } static void get_statsock(int filedes[2]) -- 2.1.4
