pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2006Q1]: pkgsrc/security Pullup ticket 1407 - requested by jlam



details:   https://anonhg.NetBSD.org/pkgsrc/rev/90b8fe2949ea
branches:  pkgsrc-2006Q1
changeset: 510220:90b8fe2949ea
user:      salo <salo%pkgsrc.org@localhost>
date:      Tue Apr 18 23:25:03 2006 +0000

description:
Pullup ticket 1407 - requested by jlam
security fix for cy2-digestmd5

Updated via patch provided by the submitter.

Fixes denial of service vulnerability described in CVE-2006-1721.

diffstat:

 security/cy2-digestmd5/Makefile       |   4 ++--
 security/cyrus-sasl2/distinfo         |   3 ++-
 security/cyrus-sasl2/patches/patch-za |  14 ++++++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)

diffs (45 lines):

diff -r 96d561d453a5 -r 90b8fe2949ea security/cy2-digestmd5/Makefile
--- a/security/cy2-digestmd5/Makefile   Tue Apr 18 22:52:55 2006 +0000
+++ b/security/cy2-digestmd5/Makefile   Tue Apr 18 23:25:03 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.7 2006/02/05 23:10:42 joerg Exp $
+# $NetBSD: Makefile,v 1.7.2.1 2006/04/18 23:25:03 salo Exp $
 
 PKGNAME=       ${DISTNAME:S/cyrus-sasl/cy2-digestmd5/}
-PKGREVISION=   1
+PKGREVISION=   2
 COMMENT=       Cyrus SASL DIGEST-MD5 authentication plugin
 SASL_PLUGIN=   yes
 
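Review bot: PKGREVISION is bumped only for cy2-digestmd5, while the fix itself is added under security/cyrus-sasl2/patches and recorded in that package's distinfo. It is worth confirming that no other package sharing those patches builds plugins/digestmd5.c, since any that does would need the same bump to pick up the fix on upgrade.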
diff -r 96d561d453a5 -r 90b8fe2949ea security/cyrus-sasl2/distinfo
--- a/security/cyrus-sasl2/distinfo     Tue Apr 18 22:52:55 2006 +0000
+++ b/security/cyrus-sasl2/distinfo     Tue Apr 18 23:25:03 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.27 2006/01/27 17:48:22 joerg Exp $
+$NetBSD: distinfo,v 1.27.2.1 2006/04/18 23:25:03 salo Exp $
 
 SHA1 (cyrus-sasl-2.1.20.tar.gz) = d1eec5644c4e87edb95fa5ab8bf124cfdf277eb6
 RMD160 (cyrus-sasl-2.1.20.tar.gz) = 45f8d9e91e5ba4840f57d2f0526b8f41f90bbb8c
@@ -19,3 +19,4 @@
 SHA1 (patch-ar) = f03a9bddfeb7aeb8af19c2bde315a630ce03f331
 SHA1 (patch-as) = c8cebac879afda69b282f5c334ffb2c8b5eee6cd
 SHA1 (patch-at) = cf35ac66873a5bc18216e13a1240019da99563ca
+SHA1 (patch-za) = 43a0444362894040fc42cc16ff9bb1eecf153a6e
diff -r 96d561d453a5 -r 90b8fe2949ea security/cyrus-sasl2/patches/patch-za
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/cyrus-sasl2/patches/patch-za     Tue Apr 18 23:25:03 2006 +0000
@@ -0,0 +1,14 @@
+$NetBSD: patch-za,v 1.1.2.1 2006/04/18 23:25:03 salo Exp $
+
+--- plugins/digestmd5.c.orig   2004-07-29 15:21:57.000000000 -0400
++++ plugins/digestmd5.c
+@@ -2242,7 +2242,8 @@ static int digestmd5_server_mech_step2(s
+     }
+ 
+     /* Sanity check the parameters */
+-    if (strcmp(realm, text->realm) != 0) {
++    if (((realm != NULL) && (strcmp(realm, text->realm) != 0)) &&
++      (text->realm[0] != 0)) {
+       SETERROR(sparams->utils,
+                "realm changed: authentication aborted");
+       result = SASL_BADAUTH;
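Review bot: a NULL realm now bypasses the realm check entirely in digestmd5_server_mech_step2. With `(realm != NULL) && ...` as the first operand, a response without a realm never reaches SASL_BADAUTH here, even when text->realm is non-empty. The short-circuit does keep strcmp from being called on a NULL pointer, but it also turns a missing realm into an accepted one. If that is intended, the "Sanity check the parameters" comment should say so; if not, the NULL case should be its own branch that fails when `text->realm[0] != 0`. text->realm is also still dereferenced without a NULL test, both in the strcmp and in `text->realm[0]`, so it is worth confirming it is always set before this point. The extra parentheses around the first two tests can be dropped for readability.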


