head 1.2; access; symbols pkgsrc-2021Q4:1.1.0.16 pkgsrc-2021Q4-base:1.1 pkgsrc-2021Q3:1.1.0.14 pkgsrc-2021Q3-base:1.1 pkgsrc-2021Q2:1.1.0.12 pkgsrc-2021Q2-base:1.1 pkgsrc-2021Q1:1.1.0.10 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.8 pkgsrc-2020Q4-base:1.1 pkgsrc-2020Q3:1.1.0.6 pkgsrc-2020Q3-base:1.1 pkgsrc-2020Q2:1.1.0.4 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2022.02.24.11.00.03; author wiz; state dead; branches; next 1.1; commitid hE6Bmxzg0qnxpRtD; 1.1 date 2020.05.14.14.27.32; author nia; state Exp; branches 1.1.2.1; next ; commitid 21TAqNtmjOSaud8C; 1.1.2.1 date 2020.05.14.14.27.32; author bsiegert; state dead; branches; next 1.1.2.2; commitid KN9DEyZiI2jabm8C; 1.1.2.2 date 2020.05.15.16.38.30; author bsiegert; state Exp; branches; next ; commitid KN9DEyZiI2jabm8C; desc @@ 1.2 log @cyrus-sasl: update to 2.1.28 New in 2.1.28 build: configure - Restore LIBS after checking gss_inquire_sec_context_by_oid makemd5.c - Fix potential out of bound writes fix build with --disable-shared --enable-static Dozens of fixes for Windows specific builds Fix cross platform builds with SPNEGO Do not try to build broken java subtree Fix build error with --enable-auth-sasldb common: plugin_common.c: Ensure size is always checked if called repeatedly (#617) documentation: Fixed generation of saslauthd(8) man page Fixed installation of saslauthd(8) and testsaslauthd(8) man pages (#373) Updates for additional SCRAM mechanisms Fix sasl_decode64 and sasl_encode64 man pages Tons of fixes for Sphinx include: sasl.h: Allow up to 16 bits for security flags lib: checkpw.c: Skip one call to strcat Disable auxprop-hashed (#374) client.c: Use proper length for fully qualified domain names common.c: CVE-2019-19906 Fix off by one error (#587) external.c: fix EXTERNAL with non-terminated input (#689) saslutil.c: fix index_64 to be a signed char (#619) plugins: gssapi.c: Emit debug log only in case of errors ntlm.c: Fail compile if MD4 is not available (#632) 
sql.c: Finish reading residual return data (#639) CVE-2022-24407 Escape password for SQL insert/update commands. sasldb: db_gdbm.c: fix gdbm_errno overlay from gdbm_close DIGEST-MD5 plugin: Prevent double free of RC4 context Use OpenSSL RC4 implementation if available SCRAM plugin: Return BADAUTH on incorrect password (#545) Add -224, -384, -512 (#552) Remove SCRAM_HASH_SIZE Add function to return SCRAM auth method name Allocate enough memory in scam_setpass() Add function to sort SCRAM methods by hash strength Update windows build for newer SCRAM options saslauthd: auth_httpform.c: Avoid signed overflow with non-ascii characters (#576) auth_krb5.c: support setting an explicit auth_krb5 server name support setting an explicit servername with Heimdal unify the MIT and Heimdal auth_krb5 implementations Remove call to krbtf auth_rimap.c: provide native memmem implementation if missing lak.c: Allow LDAP_OPT_X_TLS_REQUIRE_CERT to be 0 (no certificate verification) lak.h: Increase supported DN length to 4096 (#626) @ text @$NetBSD: patch-CVE-2019-19906,v 1.1 2020/05/14 14:27:32 nia Exp $ https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1.patch --- lib/common.c.orig 2018-01-19 14:13:40.000000000 +0000 +++ lib/common.c @@@@ -190,7 +190,7 @@@@ int _sasl_add_string(char **out, size_t if (add==NULL) add = "(null)"; - addlen=strlen(add); /* only compute once */ + addlen=strlen(add)+1; /* only compute once */ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) return SASL_NOMEM; @ 1.1 log @cyrus-sasl: Fix CVE-2019-19906 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2019-19906 was added on branch pkgsrc-2020Q1 on 2020-05-15 16:38:30 +0000 @ text @d1 15 @ 1.1.2.2 log @Pullup ticket #6196 - requested by nia security/cyrus-sasl: security fix Revisions pulled up: - security/cyrus-sasl/Makefile 1.77 - security/cyrus-sasl/distinfo 1.38 - security/cyrus-sasl/patches/patch-CVE-2019-19906 1.1 --- Module Name: pkgsrc Committed By: nia 
Date: Thu May 14 14:27:32 UTC 2020 Modified Files: pkgsrc/security/cyrus-sasl: Makefile distinfo Added Files: pkgsrc/security/cyrus-sasl/patches: patch-CVE-2019-19906 Log Message: cyrus-sasl: Fix CVE-2019-19906 @ text @a0 15 $NetBSD: patch-CVE-2019-19906,v 1.1 2020/05/14 14:27:32 nia Exp $ https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1.patch --- lib/common.c.orig 2018-01-19 14:13:40.000000000 +0000 +++ lib/common.c @@@@ -190,7 +190,7 @@@@ int _sasl_add_string(char **out, size_t if (add==NULL) add = "(null)"; - addlen=strlen(add); /* only compute once */ + addlen=strlen(add)+1; /* only compute once */ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) return SASL_NOMEM; @
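Review bot: In the lib/common.c hunk for _sasl_add_string, the +1 is folded into addlen itself rather than into the size passed to _buf_alloc, so every later use of addlen in the function now counts the terminating NUL as well. The lines after the visible context are not shown here; if they advance *outlen by addlen, the stored length would end up one byte past the text on each call. Consider leaving addlen=strlen(add) and requesting (*outlen)+addlen+1 in the _buf_alloc call, or at least extend the "only compute once" comment to say the extra byte is for the terminator. The patch file also carries only the upstream commit URL under the $NetBSD$ tag; a one-line description of the defect there would help the next reader.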