OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org
Name: Michael Schloh
Root: /e/openpkg/cvs
Email: [EMAIL PROTECTED]
Module: openpkg-src
Date: 25-Jan-2005 15:18:14
Branch: OPENPKG_2_2_SOLID
Handle: 2005012514181400

Modified files: (Branch: OPENPKG_2_2_SOLID)
openpkg-src/sasl sasl.patch sasl.spec

Log:
introduce gentoo-derived patch code to solve SASL_PATH security problems associated with OpenPKG-SA-2005.004-sasl (CAN-2004-0884)

Summary:
Revision Changes Path
1.13.2.1 +21 -0 openpkg-src/sasl/sasl.patch
1.121.2.2 +1 -1 openpkg-src/sasl/sasl.spec
____________________________________________________________________________
patch -p0 <<'@@ .' Index: openpkg-src/sasl/sasl.patch ============================================================================ $ cvs diff -u -r1.13 -r1.13.2.1 sasl.patch --- openpkg-src/sasl/sasl.patch 14 Jul 2004 17:41:33 -0000 1.13 +++ openpkg-src/sasl/sasl.patch 25 Jan 2005 14:18:14 -0000 1.13.2.1 
@@ -40,3 +40,24 @@ #include "lak.h" typedef struct lak_auth_method { + +OpenPKG-SA-2005.004-sasl (CAN-2004-0884): +This patch is derived from: + https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c.diff?r1=1.103&r2=1.104 +Prior to this patch libsasl would read the SASL_PATH environment variable +to find all available SASL plugins, which allowed local users to execute +arbitrary code by modifying the SASL_PATH to point to malicious programs. +Index: lib/common.c +--- lib/common.c.orig 2005-01-25 14:15:04 +0100 ++++ lib/common.c 2005-01-25 14:15:07 +0100 +@@ -1838,7 +1838,9 @@ + if (! path) + return SASL_BADPARAM; + +- *path = getenv(SASL_PATH_ENV_VAR); ++ /* CAN-2004-0884: Honor external variable only in a safe environment */ ++ if (getuid() == geteuid() && getgid() == getegid()) ++ *path = getenv(SASL_PATH_ENV_VAR); + if (! *path) + *path = PLUGINDIR; + @@ . patch -p0 <<'@@ .' Index: openpkg-src/sasl/sasl.spec ============================================================================ $ cvs diff -u -r1.121.2.1 -r1.121.2.2 sasl.spec --- openpkg-src/sasl/sasl.spec 11 Oct 2004 18:58:52 -0000 1.121.2.1 +++ openpkg-src/sasl/sasl.spec 25 Jan 2005 14:18:14 -0000 1.121.2.2 @@ -34,7 +34,7 @@ Group: Cryptography License: BSD Version: 2.1.19 -Release: 2.2.0 +Release: 2.2.1 # package options %option with_fsl yes @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
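Review bot: in the inner common.c hunk, when the new guard `if (getuid() == geteuid() && getgid() == getegid())` is false, `*path` is never assigned before `if (! *path)` tests it, so the function now depends on the caller having initialized the output pointer to NULL; otherwise it reads an indeterminate value and may return a stale or garbage plugin path. Add an explicit `*path = NULL;` right after the SASL_BADPARAM check so the PLUGINDIR fallback is always reached when the environment is not trusted. Separately, the uid/gid comparison only catches a process still running with raised effective ids; a setuid or setgid consumer that has already dropped to its real ids before initializing libsasl passes the check with an environment that is still untrusted, so where the platform offers issetugid() or glibc's __libc_enable_secure, prefer that test and keep the comparison as the fallback, and say so in the patch description next to the CAN-2004-0884 reference.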