Subject: pkg/26184: security/cyrus-sasl2 should be patched (again)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <j+nbsd@2004.salmi.ch>
List: pkgsrc-bugs
Date: 07/07/2004 14:35:58
>Number:         26184
>Category:       pkg
>Synopsis:       security/cyrus-sasl2 should be patched (again)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 07 13:46:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Jukka Salmi
>Release:        NetBSD 1.6.2_STABLE
>Organization:
>Environment:
System: NetBSD bart.stasoft.ch 1.6.2_STABLE NetBSD 1.6.2_STABLE (GENERIC) #0: Fri May 28 14:57:42 CEST 2004 root@bart.stasoft.ch:/opt/obj/usr/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
In pkg/26165 I reported a bug in security/cyrus-sasl2 which prevents
a GSSAPI authenticated user from uploading sieve scripts larger than 4000
bytes; the workaround I mentioned was added as patches/patch-ap.
In the meantime that bug was fixed The Right Way (for details see comments
in CVS commits for plugins/gssapi.c[1]), so pkgsrc should use that fix
instead.

[1] https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/gssapi.c
>How-To-Repeat:
see pkg/26165
>Fix:
Two possible approaches:

1) Patch plugins/gssapi.c to rev. 1.90[2]; that revision includes the fix
   but also contains changes to support passing of GSSAPI credentials (which
   will be in SASL 2.1.19). To compile successfully we'd also need to
   patch include/saslplug.h to rev. 1.38[3] and delete patches/patch-ap.

2) Use a "backported" version of plugins/gssapi.c which includes the fix
   but not the GSSAPI credential passing changes (patching include/saslplug.h
   would not be needed then). This could be achieved by continuing to use
   patches/patch-ap and adding a patch containing the diff[4] between
   revisions 1.86 and 1.90 and some minor manual changes to make it apply
   cleanly. I'll send such a patch in a minute.

[2] https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/gssapi.c.diff?r1=text&tr1=1.84&r2=text&tr2=1.90&f=u
[3] https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/include/saslplug.h.diff?r1=text&tr1=1.37&r2=text&tr2=1.38&f=u
[4] https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/gssapi.c.diff?r1=text&tr1=1.86&r2=text&tr2=1.90&f=u
>Release-Note:
>Audit-Trail:
>Unformatted: