CVS commit: [pkgsrc-2020Q1] pkgsrc/security/cyrus-sasl

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri May 15 16:38:30 UTC 2020

Modified Files:
        pkgsrc/security/cyrus-sasl [pkgsrc-2020Q1]: Makefile distinfo
Added Files:
        pkgsrc/security/cyrus-sasl/patches [pkgsrc-2020Q1]:
            patch-CVE-2019-19906

Log Message:
Pullup ticket #6196 - requested by nia
security/cyrus-sasl: security fix

Revisions pulled up:
- security/cyrus-sasl/Makefile                                  1.77
- security/cyrus-sasl/distinfo                                  1.38
- security/cyrus-sasl/patches/patch-CVE-2019-19906              1.1

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Thu May 14 14:27:32 UTC 2020

   Modified Files:
        pkgsrc/security/cyrus-sasl: Makefile distinfo
   Added Files:
        pkgsrc/security/cyrus-sasl/patches: patch-CVE-2019-19906

   Log Message:
   cyrus-sasl: Fix CVE-2019-19906


To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.76.2.1 pkgsrc/security/cyrus-sasl/Makefile
cvs rdiff -u -r1.37 -r1.37.4.1 pkgsrc/security/cyrus-sasl/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/security/cyrus-sasl/patches/patch-CVE-2019-19906

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/cyrus-sasl/Makefile
diff -u pkgsrc/security/cyrus-sasl/Makefile:1.76 pkgsrc/security/cyrus-sasl/Makefile:1.76.2.1
--- pkgsrc/security/cyrus-sasl/Makefile:1.76    Mon Nov  4 21:12:52 2019
+++ pkgsrc/security/cyrus-sasl/Makefile Fri May 15 16:38:30 2020
@@ -1,5 +1,6 @@
-# $NetBSD: Makefile,v 1.76 2019/11/04 21:12:52 rillig Exp $
+# $NetBSD: Makefile,v 1.76.2.1 2020/05/15 16:38:30 bsiegert Exp $
 
+PKGREVISION=   1
 COMMENT=       Simple Authentication and Security Layer
 
 .include "Makefile.common"

Index: pkgsrc/security/cyrus-sasl/distinfo
diff -u pkgsrc/security/cyrus-sasl/distinfo:1.37 pkgsrc/security/cyrus-sasl/distinfo:1.37.4.1
--- pkgsrc/security/cyrus-sasl/distinfo:1.37    Tue Jul  9 11:55:56 2019
+++ pkgsrc/security/cyrus-sasl/distinfo Fri May 15 16:38:30 2020
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.37 2019/07/09 11:55:56 jperkin Exp $
+$NetBSD: distinfo,v 1.37.4.1 2020/05/15 16:38:30 bsiegert Exp $
 
 SHA1 (cyrus-sasl-2.1.27-rc7.tar.gz) = d4b72782975be980cc46ac9ccf176b8307bfcf67
 RMD160 (cyrus-sasl-2.1.27-rc7.tar.gz) = 6679c7b887f73da50a314dba97f676848d067684
@@ -8,6 +8,7 @@ SHA1 (cyrus-sasl-dedad73e5e7a75d01a5f3d5
 RMD160 (cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2) = c42b1b5c0b6c7322001fd506c44320a7f6eeee80
 SHA512 (cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2) = 
08964bc3ad713e137b8f05f9bac345d79676d14784bc37525f195e8e2a3e6740428237b64f7eeeacc0c71ed6cf1664c6e9c2267ac6df327761d92174a1853744
 Size (cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2) = 3836 bytes
+SHA1 (patch-CVE-2019-19906) = 752de2053696f13de098267f8605b4b7afb24a6c
 SHA1 (patch-common_crypto-compat) = ad8575c62648aba83983172ec8fef08d2c9f537e
 SHA1 (patch-configure) = 1afa4777f2cc2a24bb526fab9fb6d9265677fb9f
 SHA1 (patch-plugins_otp.c) = 1dd8763d5b14c2f2462349ce5f73353ae70313fa

Added files:

Index: pkgsrc/security/cyrus-sasl/patches/patch-CVE-2019-19906
diff -u /dev/null pkgsrc/security/cyrus-sasl/patches/patch-CVE-2019-19906:1.1.2.2
--- /dev/null   Fri May 15 16:38:30 2020
+++ pkgsrc/security/cyrus-sasl/patches/patch-CVE-2019-19906     Fri May 15 16:38:30 2020
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2019-19906,v 1.1.2.2 2020/05/15 16:38:30 bsiegert Exp $
+
+https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1.patch
+
+--- lib/common.c.orig  2018-01-19 14:13:40.000000000 +0000
++++ lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t 
+ 
+   if (add==NULL) add = "(null)";
+ 
+-  addlen=strlen(add); /* only compute once */
++  addlen=strlen(add)+1; /* only compute once */
+   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
+     return SASL_NOMEM;
+