[CVS] OpenPKG: OPENPKG_2_2_SOLID: openpkg-src/sasl/ sasl.patch sasl.sp...

Tue, 25 Jan 2005 06:18:48 -0800 

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   25-Jan-2005 15:18:14
  Branch: OPENPKG_2_2_SOLID                Handle: 2005012514181400

  Modified files:           (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/sasl        sasl.patch sasl.spec

  Log:
    introduce gentoo-derived patch code to solve SASL_PATH security problems
    associated with OpenPKG-SA-2005.004-sasl (CAN-2004-0884)

  Summary:
    Revision    Changes     Path
    1.13.2.1    +21 -0      openpkg-src/sasl/sasl.patch
    1.121.2.2   +1  -1      openpkg-src/sasl/sasl.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/sasl/sasl.patch
  ============================================================================
  $ cvs diff -u -r1.13 -r1.13.2.1 sasl.patch
  --- openpkg-src/sasl/sasl.patch       14 Jul 2004 17:41:33 -0000      1.13
  +++ openpkg-src/sasl/sasl.patch       25 Jan 2005 14:18:14 -0000      1.13.2.1
  @@ -40,3 +40,24 @@
    #include "lak.h"
    
    typedef struct lak_auth_method {
  +
  +OpenPKG-SA-2005.004-sasl (CAN-2004-0884):
  +This patch is derived from:
  +  
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c.diff?r1=1.103&r2=1.104
  +Prior to this patch libsasl would read the SASL_PATH environment variable
  +to find all available SASL plugins, which allowed local users to execute
  +arbitrary code by modifying the SASL_PATH to point to malicious programs.
  +Index: lib/common.c
  +--- lib/common.c.orig        2005-01-25 14:15:04 +0100
  ++++ lib/common.c     2005-01-25 14:15:07 +0100
  +@@ -1838,7 +1838,9 @@
  +   if (! path)
  +     return SASL_BADPARAM;
  + 
  +-  *path = getenv(SASL_PATH_ENV_VAR);
  ++  /* CAN-2004-0884: Honor external variable only in a safe environment */
  ++  if (getuid() == geteuid() && getgid() == getegid())
  ++    *path = getenv(SASL_PATH_ENV_VAR);
  +   if (! *path)
  +     *path = PLUGINDIR;
  + 
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/sasl/sasl.spec
  ============================================================================
  $ cvs diff -u -r1.121.2.1 -r1.121.2.2 sasl.spec
  --- openpkg-src/sasl/sasl.spec        11 Oct 2004 18:58:52 -0000      
1.121.2.1
  +++ openpkg-src/sasl/sasl.spec        25 Jan 2005 14:18:14 -0000      
1.121.2.2
  @@ -34,7 +34,7 @@
   Group:        Cryptography
   License:      BSD
   Version:      2.1.19
  -Release:      2.2.0
  +Release:      2.2.1
   
   #   package options
   %option       with_fsl    yes
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org

Reply via email to