Control: reassign -1 libsasl2-2 2.1.25.dfsg1-6+deb7u1

On Wed, 30 Oct 13, 20:58:16, Christian Schwamborn wrote:
> Package: libsasl2
> Version: 2.1.25.dfsg1-6+deb7u1
> Severity: important
> 
> A quote from the upstream bugreport:
> 
> Formerly (as of 2.1.23) SASL library did not care if there was no
> auxprop plugin set up/present, current (2.1.25) library _requires_
> the presence of properly configured and working auxprop plugin,
> making SASL useless as an auth provider in daily operations.
> 
> The following configuration works with cyrus-sasl 2.1.23 and fails
> miserably with "no mechs available" with cyrus-sasl 2.1.25:
> 
> - run saslauthd with pam as an auth mechanism
> - run postfix (or any other daemon) with pwcheck_method set to saslauthd
> 
> The root cause is the call to _sasl_auxprop_lookup_user_props that
> has been added to _sasl_canon_user(_lookup) which causes
> authentication to fail if no auxprop plugin is configured.
> <end of quote>
> 
> This issue is known in the cyrus-sasl and ubuntu bugtracker as well:
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590
> https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440
> 
> I attached the patch from revision d1b57852247641be30decc480b0719d322f0bc5c
> 
> I hope this can be applied to wheezy, since it really breaks an easy
> mailserver setup.
> 
> Cheers,
> Christian Schwamborn

> From d1b57852247641be30decc480b0719d322f0bc5c Mon Sep 17 00:00:00 2001
> From: Alexey Melnikov <alexey.melni...@isode.com>
> Date: Thu, 19 Apr 2012 14:41:12 +0100
> Subject: Fixed PLAIN/LOGIN authentication failure when using saslauthd with
>  no auxprop plugins
> 
> PLAIN/LOGIN plugins should be able to work with no auxprop plugins configured,
> for example if they are using saslauthd. This patch fixes them to work
> in such configurations. In order to achieve this the following changes were
> made
> 
>  1) SASL_NOMECH should be handled the same way as SASL_NOUSER while looking
>     up auxprop properties.
>  2) SASL PLAIN/LOGIN should pass "this identity was verified externally"
>     to auxprop lookup. This will prevent auxprop lookup from failing with
>     SASL_NOMECH. Note that they verify user accounts using checkpass interface
>     anyway.
> 
> Cyrus SASL Bug # 3590
> 
> Test-information:
>  The following SASL plugins were tested:
>   PLAIN, EXTERNAL, SCRAM-SHA-1, LOGIN (partially)
>  They were tested with missing auxprop plugins and with a present one.
> ---
>  include/sasl.h  |    4 +++-
>  lib/canonusr.c  |    8 +++++---
>  plugins/login.c |    6 ++++--
>  plugins/plain.c |    2 +-
>  4 files changed, 13 insertions(+), 7 deletions(-)
> 
> diff --git a/include/sasl.h b/include/sasl.h
> index 2ac5300..ed27104 100755
> --- a/include/sasl.h
> +++ b/include/sasl.h
> @@ -633,8 +633,10 @@ typedef int sasl_server_userdb_setpass_t(sasl_conn_t 
> *conn,
>  /* One of the following two is required */
>  #define SASL_CU_AUTHID  0x01
>  #define SASL_CU_AUTHZID 0x02
> +
>  /* Combine the following with SASL_CU_AUTHID, if you don't want
> -   to fail if auxprop returned SASL_NOUSER */
> +   to fail if auxprop returned SASL_NOUSER/SASL_NOMECH.
> +   This flag has no effect on SASL_CU_AUTHZID. */
>  #define SASL_CU_EXTERNALLY_VERIFIED 0x04
>  
>  #define SASL_CU_OVERRIDE         0x08    /* mapped to SASL_AUXPROP_OVERRIDE 
> */
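Review bot: the new comment on SASL_CU_EXTERNALLY_VERIFIED tolerates SASL_NOMECH without saying where that code comes from; a reader of sasl.h will take SASL_NOMECH to mean "no SASL mechanism", whereas in this patch it is the result the auxprop lookup yields when no auxprop plugin is loaded at all (the "no mechs available" failure described in the bug). Suggest spelling that out, e.g. "to fail if auxprop returned SASL_NOUSER or SASL_NOMECH (no auxprop plugin configured)", so the flag's widened meaning is documented where callers will look for it. The added sentence "This flag has no effect on SASL_CU_AUTHZID" also deserves a cross-check against the login.c hunk in this same patch, which now passes the flag together with SASL_CU_AUTHZID.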
> diff --git a/lib/canonusr.c b/lib/canonusr.c
> index 0049d13..faee103 100644
> --- a/lib/canonusr.c
> +++ b/lib/canonusr.c
> @@ -241,12 +241,14 @@ static int _sasl_auxprop_lookup_user_props (sasl_conn_t 
> *conn,
>           }
>       }
>  
> -     if (result == SASL_NOUSER && (flags & SASL_CU_EXTERNALLY_VERIFIED)) {
> +     if ((flags & SASL_CU_EXTERNALLY_VERIFIED) && (result == SASL_NOUSER || 
> result == SASL_NOMECH)) {
>           /* The called has explicitly told us that the authentication 
> identity
> -            was already verified. So a failure to retrieve any associated 
> properties
> +            was already verified or will be verified independently.
> +            So a failure to retrieve any associated properties
>              is not an error. For example the caller is using Kerberos to 
> verify user,
>              but the LDAPDB/SASLDB auxprop plugin doesn't contain any 
> auxprops for
> -            the user. */
> +            the user.
> +            Another case is PLAIN/LOGIN not using auxprop to verify user 
> passwords. */
>           result = SASL_OK;
>       }       
>      }
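Review bot: the widened condition in `_sasl_auxprop_lookup_user_props` is correct only because the callers that set SASL_CU_EXTERNALLY_VERIFIED go on to verify the password through the checkpass path; the comment should say that explicitly rather than the vaguer "will be verified independently", since from this function's point of view a lookup failure is now silently converted to SASL_OK before any credential has been checked. The pre-existing typo "The called has explicitly told us" (read: "The caller has") is worth fixing while the comment is being rewritten. Note that only SASL_NOUSER and SASL_NOMECH are mapped to SASL_OK, so genuine auxprop errors still propagate, which is the behaviour one wants here.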
> diff --git a/plugins/login.c b/plugins/login.c
> index ee44be6..f2a05ac 100644
> --- a/plugins/login.c
> +++ b/plugins/login.c
> @@ -179,9 +179,11 @@ static int login_server_mech_step(void *conn_context,
>  
>       /* canonicalize username first, so that password verification is
>        * done against the canonical id */
> -     result = params->canon_user(params->utils->conn, text->username,
> +     result = params->canon_user(params->utils->conn,
> +                                 text->username,
>                                   text->username_len,
> -                                 SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
> +                                 SASL_CU_AUTHID | SASL_CU_AUTHZID | 
> SASL_CU_EXTERNALLY_VERIFIED,
> +                                 oparams);
>       if (result != SASL_OK) return result;
>       
>       /* verify_password - return sasl_ok on success */
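Review bot: this call passes SASL_CU_EXTERNALLY_VERIFIED together with SASL_CU_AUTHID | SASL_CU_AUTHZID in a single canon_user call, while the sasl.h hunk states the flag "has no effect on SASL_CU_AUTHZID". If the authzid lookup path in canonusr.c can still return SASL_NOMECH when no auxprop plugin exists, LOGIN would keep failing with "no mechs available" despite this change; the commit message lists LOGIN as tested only "(partially)", so please confirm the no-auxprop case was among the tests for this mechanism. Since verify_password runs immediately after (the comment at the end of the hunk), the relaxed lookup does not weaken authentication here; a short comment on the canon_user call saying the flag only suppresses auxprop lookup failures would make that intent clear to future readers.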
> diff --git a/plugins/plain.c b/plugins/plain.c
> index ddbc1f8..e6180a1 100644
> --- a/plugins/plain.c
> +++ b/plugins/plain.c
> @@ -159,7 +159,7 @@ static int plain_server_mech_step(void *conn_context 
> __attribute__((unused)),
>      result = params->canon_user(params->utils->conn,
>                               authen,
>                               0,
> -                             SASL_CU_AUTHID | canon_flags,
> +                             SASL_CU_AUTHID | canon_flags | 
> SASL_CU_EXTERNALLY_VERIFIED,
>                               oparams);
>      if (result != SASL_OK) {
>       _plug_free_string(params->utils, &passcopy);
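Review bot: the flag is OR'ed into the authid canonicalization only, which matches the header's note that it does nothing for SASL_CU_AUTHZID, but the name SASL_CU_EXTERNALLY_VERIFIED is misleading at this point in `plain_server_mech_step`: nothing has been verified yet, the password check comes after this call. Suggest a one-line comment above the call, e.g. "/* password is checked below; flag only tolerates a missing auxprop plugin */", so a later reader does not assume the user is already authenticated when canon_user returns SASL_OK. As with login.c, the change is safe because a failed password check still aborts the step.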
> 


-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
