CVS commit: [netbsd-4] src/gnu/dist/postfix

Wed, 22 Aug 2012 12:43:48 -0700 

Module Name:    src
Committed By:   bouyer
Date:           Wed Aug 22 19:43:38 UTC 2012

Modified Files:
        src/gnu/dist/postfix/README_FILES [netbsd-4]: RELEASE_NOTES
        src/gnu/dist/postfix/src/smtpd [netbsd-4]: smtpd_sasl_proto.c

Log Message:
Apply patch, requested by reed in ticket #1452:
        src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c:      patch
        src/gnu/dist/postfix/README_FILES/RELEASE_NOTES:        patch

Apply patch from upstream, fixing CVE-2011-1720


To generate a diff of this commit:
cvs rdiff -u -r1.9.2.2 -r1.9.2.3 \
    src/gnu/dist/postfix/README_FILES/RELEASE_NOTES
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.4.1 \
    src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/gnu/dist/postfix/README_FILES/RELEASE_NOTES
diff -u src/gnu/dist/postfix/README_FILES/RELEASE_NOTES:1.9.2.2 src/gnu/dist/postfix/README_FILES/RELEASE_NOTES:1.9.2.3
--- src/gnu/dist/postfix/README_FILES/RELEASE_NOTES:1.9.2.2	Mon Aug  6 11:06:13 2007
+++ src/gnu/dist/postfix/README_FILES/RELEASE_NOTES	Wed Aug 22 19:43:38 2012
@@ -210,3 +210,11 @@ on/off configurable.  This introduces ne
 (default: disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
 (workarounds indexed by server IP address).  The default settings
 are backwards compatible.
+
+----------------
+NetBSD addition:
+
+This includes the bugfix for CVE-2011-1720 (Memory corruption in
+Postfix SMTP server Cyrus SASL support).
+http://www.postfix.org/CVE-2011-1720.html
+ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3-2.5-cve-2011-1720-patch

Index: src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c
diff -u src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c:1.1.1.5 src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c:1.1.1.5.4.1
--- src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c:1.1.1.5	Wed Jul 19 01:17:47 2006
+++ src/gnu/dist/postfix/src/smtpd/smtpd_sasl_proto.c	Wed Aug 22 19:43:38 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: smtpd_sasl_proto.c,v 1.1.1.5 2006/07/19 01:17:47 rpaulo Exp $	*/
+/*	$NetBSD: smtpd_sasl_proto.c,v 1.1.1.5.4.1 2012/08/22 19:43:38 bouyer Exp $	*/
 
 /*++
 /* NAME
@@ -185,6 +185,27 @@ int     smtpd_sasl_auth_cmd(SMTPD_STATE 
 	return (-1);
     }
 
+    /* Don't reuse the SASL handle after authentication failure. */
+#ifndef SMTPD_FLAG_AUTH_USED
+#define SMTPD_FLAG_AUTH_USED	(1<<15)
+#endif
+#ifndef XSASL_TYPE_CYRUS
+#define XSASL_TYPE_CYRUS	"cyrus"
+#endif
+    if (state->flags & SMTPD_FLAG_AUTH_USED) {
+	smtpd_sasl_disconnect(state);
+#ifdef USE_TLS
+	if (state->tls_context != 0)
+	    smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
+			       var_smtpd_sasl_tls_opts);
+	else
+#endif
+	    smtpd_sasl_connect(state, VAR_SMTPD_SASL_OPTS,
+			       var_smtpd_sasl_opts);
+    } else if (strcmp(var_smtpd_sasl_type, XSASL_TYPE_CYRUS) == 0) {
+	state->flags |= SMTPD_FLAG_AUTH_USED;
+    }
+
     /*
      * All authentication failures shall be logged. The 5xx reply code from
      * the SASL authentication routine triggers tar-pit delays, which help to

Reply via email to