diff --git a/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch new file mode 100644 index 0000000..939c4c9 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch @@ -0,0 +1,46 @@ +diff --git a/include/sasl.h b/include/sasl.h +index 8b8a63f..6ae153f 100755 +--- a/include/sasl.h ++++ b/include/sasl.h +@@ -179,6 +179,7 @@ + because of some constrains/policy violation */ + + #define SASL_BADBINDING -32 /* channel binding failure */ ++#define SASL_CONFIGERR -33 /* error when parsing configuration file */ + + /* max size of a sasl mechanism name */ + #define SASL_MECHNAMEMAX 20 +diff --git a/lib/common.c b/lib/common.c +index 672fe2f..de0adfd 100644 +--- a/lib/common.c ++++ b/lib/common.c +@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr, + case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because " + "of a constraint violation"; + case SASL_BADBINDING: return "channel binding failure"; ++ case SASL_CONFIGERR: return "error when parsing configuration file"; + + default: return "undefined error!"; + } +diff --git a/lib/config.c b/lib/config.c +index 7cae302..fde3757 100644 +--- a/lib/config.c ++++ b/lib/config.c +@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename) + } + if (*p != ':') { + fclose(infile); +- return SASL_FAIL; ++ return SASL_CONFIGERR; + } + *p++ = '\0'; + +@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename) + + if (!*p) { + fclose(infile); +- return SASL_FAIL; ++ return SASL_CONFIGERR; + } + + /* Now strip trailing spaces, if any */ diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch new file mode 100644 index 0000000..b066258 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch 
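Review bot: The new `SASL_CONFIGERR` is assigned -33 in the public header sasl.h as a downstream-only addition, so a later upstream release that gives -33 a different meaning would silently change what binaries built against this header report. A comment next to the define would at least make the divergence visible on rebase: `/* downstream addition (#1022479); re-check against upstream numbering when rebasing */`. The two config.c hunks still return without recording which line or file failed to parse, so the clearer error string is not yet actionable for an administrator; logging the line before the `return SASL_CONFIGERR;` would fix that, but the rest of sasl_config_init is outside the hunk.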
@@ -0,0 +1,28 @@ +diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt cyrus-sasl-2.1.26/plugins/gssapi.c +--- cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt 2015-05-19 14:57:57.091212254 +0200 ++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2015-05-19 15:01:41.681011361 +0200 +@@ -1159,19 +1159,18 @@ gssapi_server_mech_ssfreq(context_t *tex + } + + layerchoice = (int)(((char *)(output_token->value))[0]); +- if (layerchoice == LAYER_NONE && +- (text->qop & LAYER_NONE)) { /* no encryption */ ++ if (!(layerchoice & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) && ++ (text->qop & LAYER_NONE)) { /* no encryption */ + oparams->encode = NULL; + oparams->decode = NULL; + oparams->mech_ssf = 0; +- } else if (layerchoice == LAYER_INTEGRITY && ++ } else if ((layerchoice & LAYER_INTEGRITY) && + (text->qop & LAYER_INTEGRITY)) { /* integrity */ + oparams->encode = &gssapi_integrity_encode; + oparams->decode = &gssapi_decode; + oparams->mech_ssf = 1; +- } else if ((layerchoice == LAYER_CONFIDENTIALITY || +- /* For compatibility with broken clients setting both bits */ +- layerchoice == (LAYER_CONFIDENTIALITY|LAYER_INTEGRITY)) && ++ } else if (/* For compatibility with broken clients setting both bits */ ++ (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) && + (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */ + oparams->encode = &gssapi_privacy_encode; + oparams->decode = &gssapi_decode; diff --git a/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch new file mode 100644 index 0000000..6931d4d --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch 
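Review bot: With the branches rewritten as bit tests, a client that sets both LAYER_CONFIDENTIALITY and LAYER_INTEGRITY — the case the old third branch handled explicitly — now matches the integrity branch first whenever the server's qop also permits integrity, so the server installs `gssapi_integrity_encode` with `mech_ssf = 1` instead of the privacy layer the client asked for. That is a silent downgrade of server-to-client protection rather than a failure, and the "compatibility with broken clients setting both bits" comment kept in the third branch no longer describes what happens. Testing confidentiality first preserves the old behaviour: place `(layerchoice & LAYER_CONFIDENTIALITY) && (text->qop & LAYER_CONFIDENTIALITY)` ahead of the integrity branch and leave `(layerchoice & LAYER_INTEGRITY) && (text->qop & LAYER_INTEGRITY)` second. As written, the third branch also grants privacy to a client that sent only LAYER_INTEGRITY when the server's qop lacks integrity, leaving the two sides with different layers. Whether later checks on mech_ssf catch either case is outside the hunk, as is the rest of gssapi_server_mech_ssfreq.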
@@ -0,0 +1,29 @@ +From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001 +From: Alexey Melnikov +Date: Sun, 30 Mar 2014 15:13:34 +0100 +Subject: When processing a list of mechanism names, we shouldn't allow a short + prefix match the whole mechanism name + +"A", "AN", etc where matching "ANONYMOUS". This patch fixes that. + +As reported by plautrba@redhat.com + +diff --git a/lib/common.c b/lib/common.c +index e0f59eb..672fe2f 100644 +--- a/lib/common.c ++++ b/lib/common.c +@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech, + *plus = 0; + } + ++ if (n < strlen(plug_mech)) { ++ /* Don't allow arbitrary prefix match */ ++ return 0; ++ } ++ + return (strncasecmp(req_mech, plug_mech, n) == 0); + } + +-- +cgit v0.10.2 + diff --git a/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch new file mode 100644 index 0000000..9deee8b --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch 
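Review bot: The added length guard and the strncasecmp below it together implement an exact, case-insensitive match, but the intent is spread over two statements and depends on `n` being the length of req_mech, which the hunk does not show. Assuming it is, `return n == strlen(plug_mech) && strncasecmp(req_mech, plug_mech, n) == 0;` states the same in one line and no longer relies on strncasecmp stopping at plug_mech's terminator when n is longer. Because `*plus = 0` truncates plug_mech just above, the length has to be taken after that store, as the patch does; a comment such as `/* exact match only: "A" must not select ANONYMOUS */` keeps the reason from the commit message next to the code. _sasl_is_equal_mech begins before the hunk.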
@@ -0,0 +1,66 @@ +From 3d48a475054911856b736ca2720b82f529dd68cf Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Wed, 1 Oct 2014 14:20:27 -0700 +Subject: [PATCH] Bug 1147659 - cyrus-sasl client library (client.c) is not + thread safe + +Description: client_dispose (lib/clinet.c) which closes a connection +of a sasl client frees mech_list if the head of the list differs +from the head of the global cmechlist->mech_list. But there was a +possibility that the list appears in the middle of the global mech +list. By freeing the mech, it crashed a multi-threaded sasl client. + +This patch checks each mech if it is in the global mech list or not. +Only if it is not, the mech is freed. +--- + lib/client.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/lib/client.c b/lib/client.c +index 31fe346..3f76483 100644 +--- a/lib/client.c ++++ b/lib/client.c +@@ -324,6 +324,26 @@ int sasl_client_init(const sasl_callback_t *callbacks) + return ret; + } + ++/* ++ * If mech is in cmechlist->mech_list, return 1 ++ * Otherwise, return 0 ++ */ ++static int mech_is_in_cmechlist(cmechanism_t *mech) ++{ ++ cmechanism_t *m = cmechlist->mech_list; ++ if (NULL == mech) { ++ return 0; ++ } ++ ++ while (m && mech) { ++ if (m == mech) { ++ return 1; ++ } ++ m = m->next; ++ } ++ return 0; ++} ++ + static void client_dispose(sasl_conn_t *pconn) + { + sasl_client_conn_t *c_conn=(sasl_client_conn_t *) pconn; +@@ -352,6 +372,13 @@ static void client_dispose(sasl_conn_t *pconn) + while (m) { + prevm = m; + m = m->next; ++ if (mech_is_in_cmechlist(prevm)) { ++ /* ++ * If prevm exists in the global mech_list cmechlist->mech_list, ++ * we should not free it as well as the rest of the list. ++ */ ++ break; ++ } + sasl_FREE(prevm); + } + } +-- +1.9.3 + diff --git a/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch new file mode 100644 index 0000000..1a1d259 --- /dev/null 
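Review bot: `mech_is_in_cmechlist` dereferences the global `cmechlist` with no NULL check and no locking; the NULL case is presumably excluded by the caller (not visible here), but the commit says it is making the client library thread safe, and this walk reads a list another thread may be modifying, so the double free is avoided while the underlying race is not. If a mutex protects `cmechlist` elsewhere in the library it should be taken here, or the contract stated: `/* caller must hold whatever lock protects cmechlist */`. The loop condition `while (m && mech)` re-tests `mech`, which is invariant and already known non-NULL after the guard; `for (m = cmechlist->mech_list; m != NULL; m = m->next)` reads more clearly.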
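Review bot: The `break` on the first node found in the global list assumes every later node of the connection's list is also global, which the comment asserts but nothing in the hunk checks; if a per-connection list ever holds a private node after a shared one, that node leaks. Freeing only the nodes that are not in the global list and continuing the walk — `continue;` in place of `break;`, since `m` has already advanced — does not depend on that ordering assumption. The per-node scan of the global list is quadratic in the number of mechanisms, which is harmless at realistic counts. client_dispose continues past the end of the hunk.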
+++ b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch @@ -0,0 +1,16 @@ +--- cyrus-sasl2.orig/plugins/gssapi.c ++++ cyrus-sasl2/plugins/gssapi.c +@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void + } + + /* Setup req_flags properly */ +- req_flags = GSS_C_INTEG_FLAG; ++ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; + if (params->props.max_ssf > params->external_ssf) { + /* We are requesting a security layer */ +- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; ++ req_flags |= GSS_C_INTEG_FLAG; + /* Any SSF bigger than 1 is confidentiality. */ + /* Let's check if the client of the API requires confidentiality, + and it wasn't already provided by an external layer */ + diff --git a/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch new file mode 100644 index 0000000..cace375 --- /dev/null +++ b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch @@ -0,0 +1,33 @@ +diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc +index 37c6f6e..5b635ab 100644 +--- a/saslauthd/saslauthd.mdoc ++++ b/saslauthd/saslauthd.mdoc +@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication + database (e.g. the + .Li shadow + mechanism), +-it must be run as the superuser. ++it must be run as the superuser. Otherwise it is recommended to run ++daemon unprivileged as saslauth:saslauth. You can do so by following ++these steps: ++.Bl -enum -compact ++.It ++create directory ++.Pa /etc/systemd/system/saslauthd.service.d/ ++.It ++create file ++.Pa /etc/systemd/system/saslauthd.service.d/user.conf ++with content ++.Bd -literal ++[Service] ++User=saslauth ++Group=saslauth ++ ++.Ed ++.It ++Reload systemd service file: run ++.Dq systemctl daemon-reload ++.El + .Ss Options + Options named by lower\-case letters configure the server itself. + Upper\-case options control the behavior of specific authentication 
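Review bot: After the revert, a client whose `max_ssf` does not exceed `external_ssf` no longer requests GSS_C_INTEG_FLAG on the context, so integrity protection of the context is left to the mechanism's defaults rather than asked for; whatever checks of the returned flags follow gss_init_sec_context are outside the hunk. The choice is defensible for interoperability as long as the code later verifies that the always-requested GSS_C_MUTUAL_FLAG was actually granted — otherwise a server could in principle skip authenticating itself without the client noticing. Because this deliberately diverges from upstream, a comment at the assignment would keep the next rebase from dropping or re-reverting it silently: `/* Downstream (#1154566): keep the pre-2.1.26 flag set for interop; INTEG is requested only when a security layer is negotiated. */`. gssapi_client_mech_step starts and ends outside the hunk.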
diff --git a/SOURCES/saslauthd.service b/SOURCES/saslauthd.service index 1dca862..f59ab3e 100644 --- a/SOURCES/saslauthd.service +++ b/SOURCES/saslauthd.service @@ -7,6 +7,7 @@ Type=forking PIDFile=/run/saslauthd/saslauthd.pid EnvironmentFile=/etc/sysconfig/saslauthd ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS +RuntimeDirectory=saslauthd [Install] WantedBy=multi-user.target diff --git a/SOURCES/saslauthd.tmpfiles b/SOURCES/saslauthd.tmpfiles deleted file mode 100644 index d4809f7..0000000 --- a/SOURCES/saslauthd.tmpfiles +++ /dev/null @@ -1 +0,0 @@ -d /run/saslauthd 0755 root root - diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec index 9727469..62f90f6 100644 --- a/SPECS/cyrus-sasl.spec +++ b/SPECS/cyrus-sasl.spec @@ -1,5 +1,5 @@ %define username saslauth -%define hint "Saslauthd user" +%define hint Saslauthd user %define homedir /run/saslauthd %define _plugindir2 %{_libdir}/sasl2 @@ -10,7 +10,7 @@ Summary: The Cyrus SASL library Name: cyrus-sasl Version: 2.1.26 -Release: 17%{?dist} +Release: 19.2%{?dist} License: BSD with advertising Group: System Environment/Libraries # Source0 originally comes from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/; @@ -22,7 +22,6 @@ Source7: sasl-mechlist.c Source8: sasl-checkpass.c Source9: saslauthd.sysconfig Source10: make-no-dlcompatorsrp-tarball.sh -Source11: saslauthd.tmpfiles URL: http://asg.web.cmu.edu/sasl/sasl-library.html Requires: %{name}-lib%{?_isa} = %{version}-%{release} Patch11: cyrus-sasl-2.1.25-no_rpath.patch 
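Review bot: `RuntimeDirectory=saslauthd` hardcodes /run/saslauthd while the ExecStart line above starts the daemon with `-m $SOCKETDIR` from the EnvironmentFile, so if an administrator points SOCKETDIR elsewhere the directory systemd creates and removes on stop is not the one the mux socket lives in, and PIDFile is likewise fixed to /run/saslauthd. The directory's owner now follows the unit's User=/Group=, which is what the unprivileged drop-in documented in this change needs; its mode is systemd's RuntimeDirectory default, which I believe is 0755, the same as the deleted tmpfiles entry. Stating both explicitly makes the choices deliberate: `RuntimeDirectoryMode=0755` plus a comment `# must match SOCKETDIR in /etc/sysconfig/saslauthd`.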
@@ -51,6 +50,18 @@ Patch49: cyrus-sasl-2.1.26-md5global.patch Patch50: cyrus-sasl-2.1.26-sql.patch # Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718) Patch51: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch +# Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566) +Patch52: cyrus-sasl-2.1.26-revert-gssapi-flags.patch +# Document ability to run saslauthd unprivileged (#1188065) +Patch53: cyrus-sasl-2.1.26-saslauthd-user.patch +# Support non-confidentiality/non-integrity requests from AIX SASL GSSAPI implementation (#1174322) +Patch54: cyrus-sasl-2.1.26-gssapi-non-encrypt.patch +# Update client library to be thread safe (#1147659) +Patch55: cyrus-sasl-2.1.26-make-client-thread-sage.patch +# Parsing short prefix matches the whole mechanism name (#1089267) +Patch56: cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch +# Fix confusing message when config file has typo (#1022479) +Patch57: cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, automake, libtool, gdbm-devel, groff @@ -64,6 +75,7 @@ Requires(post): chkconfig, /sbin/service systemd-units Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd systemd-units Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel systemd-units Requires: /sbin/nologin +Requires: systemd >= 219 Provides: user(%username) Provides: group(%username) @@ -193,6 +205,12 @@ chmod -x include/*.h %patch49 -p1 -b .md5global.h %patch50 -p1 -b .sql %patch51 -p1 -b .sha1vsplain +%patch52 -p1 -b .revert +%patch53 -p1 -b .man-unprivileged +%patch54 -p1 -b .gssapi_non_encrypt +%patch55 -p1 -b .threads +%patch56 -p1 -b .prefix +%patch57 -p1 -b .typo %build 
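Review bot: Patch55's file name reads `cyrus-sasl-2.1.26-make-client-thread-sage.patch` where the comment above it and the changelog say "thread safe"; renaming the file before it is carried into further releases stops the typo from propagating through every later spec and patch listing. The `.revert` backup suffix on `%patch52` is generic enough to collide with a future revert patch; something like `-b .gssapi_flags` matches the naming of the other suffixes.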
@@ -300,16 +318,11 @@ install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/ install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8 install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8 -# Create the saslauthd listening directory. -install -m755 -d $RPM_BUILD_ROOT/run/saslauthd - # Install the init script for saslauthd and the init script's config file. install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd -install -m755 -d $RPM_BUILD_ROOT/%{_prefix}/lib/tmpfiles.d -install -m644 -p %{SOURCE11} $RPM_BUILD_ROOT/%{_prefix}/lib/tmpfiles.d/saslauthd.conf # Install the config dirs if they're not already there. install -m755 -d $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 @@ -332,7 +345,7 @@ test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT %pre getent group %{username} >/dev/null || groupadd -g 76 -r %{username} -getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c \"%{hint}\" %{username} +getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c "%{hint}" %{username} %post %systemd_post saslauthd.service @@ -360,8 +373,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %{_sbindir}/testsaslauthd %config(noreplace) /etc/sysconfig/saslauthd %{_unitdir}/saslauthd.service -%{_prefix}/lib/tmpfiles.d/saslauthd.conf -%dir /run/saslauthd +%ghost /run/saslauthd %files lib %defattr(-,root,root) 
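Review bot: `%ghost /run/saslauthd` replaces `%dir /run/saslauthd`, but the path is no longer created in the build root (the `install -m755 -d $RPM_BUILD_ROOT/run/saslauthd` line is removed above), so rpm has nothing to stat and records the ghost with default attributes — most likely as a regular file rather than a 0755 directory — which shows up in `rpm -V` and affects removal. Marking it explicitly, `%ghost %dir %attr(0755,root,root) /run/saslauthd`, records what systemd's RuntimeDirectory will actually create, and the owner given there should be reconsidered if the package ever ships the unprivileged User=saslauth drop-in by default rather than documenting it.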
@@ -422,6 +434,18 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %{_sbindir}/sasl2-shared-mechlist %changelog +* Thu Jul 16 2015 Jakub Jelen 2.1.26-19.2 +- Revert tmpfiles.d and use new systemd feature RuntimeDirectory (#1188065) + +* Wed May 20 2015 Jakub Jelen 2.1.26-18 +- Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566) +- Add and document ability to run saslauth as non-root user (#1188065) +- Support AIX SASL GSSAPI (#1174322) +- Update client library to be thread safe (#1147659) +- Fix problem, that parsing short prefix matches the whole mechanism name (#1089267) +- Don't use unnecessary quotes around user description (#1082564) +- Fix confusing message when config file has typo (#1022479) + * Fri Jan 24 2014 Daniel Mach - 2.1.26-17 - Mass rebuild 2014-01-24