pkgsrc-Changes archive


CVS commit: [pkgsrc-2025Q2] pkgsrc/security/p5-Authen-SASL



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu Jul 24 22:21:07 UTC 2025

Modified Files:
        pkgsrc/security/p5-Authen-SASL [pkgsrc-2025Q2]: Makefile distinfo
Added Files:
        pkgsrc/security/p5-Authen-SASL/patches [pkgsrc-2025Q2]:
            patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm

Log Message:
Pullup ticket #6997 - requested by taca
security/p5-Authen-SASL: Security fix

Revisions pulled up:
- security/p5-Authen-SASL/Makefile                              1.42
- security/p5-Authen-SASL/distinfo                              1.16
- security/p5-Authen-SASL/patches/patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm 1.1

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Wed Jul 16 21:45:29 UTC 2025

   Modified Files:
        pkgsrc/security/p5-Authen-SASL: Makefile distinfo
   Added Files:
        pkgsrc/security/p5-Authen-SASL/patches:
            patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm

   Log Message:
   p5-Authen-SASL: update to 2.1800nb2.

   Fix CVE-2025-40918 using upstream patch.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.40.2.1 pkgsrc/security/p5-Authen-SASL/Makefile
cvs rdiff -u -r1.15 -r1.15.2.1 pkgsrc/security/p5-Authen-SASL/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/security/p5-Authen-SASL/patches/patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/p5-Authen-SASL/Makefile
diff -u pkgsrc/security/p5-Authen-SASL/Makefile:1.40 pkgsrc/security/p5-Authen-SASL/Makefile:1.40.2.1
--- pkgsrc/security/p5-Authen-SASL/Makefile:1.40        Sun Apr 27 05:04:31 2025
+++ pkgsrc/security/p5-Authen-SASL/Makefile     Thu Jul 24 22:21:07 2025
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.40 2025/04/27 05:04:31 wiz Exp $
+# $NetBSD: Makefile,v 1.40.2.1 2025/07/24 22:21:07 maya Exp $
 
 DISTNAME=      Authen-SASL-2.1800
 PKGNAME=       p5-${DISTNAME}
@@ -11,6 +11,7 @@ COMMENT=      Perl module to handle SASL auth
 LICENSE=       ${PERL5_LICENSE}
 
 DEPENDS+=      p5-Digest-HMAC-[0-9]*:../../security/p5-Digest-HMAC
+DEPENDS+=      p5-Crypt-URandom-[0-9]*:../../security/p5-Crypt-URandom
 
 PERL5_PACKLIST=                auto/Authen/SASL/.packlist
 
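Review bot: No `PKGREVISION` change appears anywhere in the 1.40 → 1.40.2.1 Makefile diff, even though the pulled-up log message says "update to 2.1800nb2"; the only functional change is the added `p5-Crypt-URandom` dependency in this hunk. If the branch package keeps its pre-fix version string, installed copies will not be seen as outdated, and vulnerability-audit patterns keyed on the fixed revision may keep flagging the patched package. Consider carrying the bump along with the fix, `PKGREVISION= 2` after the `PKGNAME=` line. Lines 5–10 of the Makefile fall between the two hunks and are not shown, so any existing `PKGREVISION` there is at best unchanged; confirm against the full file.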

Index: pkgsrc/security/p5-Authen-SASL/distinfo
diff -u pkgsrc/security/p5-Authen-SASL/distinfo:1.15 pkgsrc/security/p5-Authen-SASL/distinfo:1.15.2.1
--- pkgsrc/security/p5-Authen-SASL/distinfo:1.15        Sun Apr 27 05:04:31 2025
+++ pkgsrc/security/p5-Authen-SASL/distinfo     Thu Jul 24 22:21:07 2025
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15 2025/04/27 05:04:31 wiz Exp $
+$NetBSD: distinfo,v 1.15.2.1 2025/07/24 22:21:07 maya Exp $
 
 BLAKE2s (Authen-SASL-2.1800.tar.gz) = a49089c4d2fe9765df3a938472ce587c69fd3a9b53d86dd2f0cc8281c089007d
 SHA512 (Authen-SASL-2.1800.tar.gz) = feedfe2f65a531cb6f7c740404681f0f1a2ebe9308efb5e33cf225a3b84e5e958f53cd68ae0a9949089fd52a71ee5bed1b9a1ebe9024953f6868723a12102deb
 Size (Authen-SASL-2.1800.tar.gz) = 39499 bytes
+SHA1 (patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm) = 121a2218ff2c34cae350e9fd50dceddb29dbb66e

Added files:

Index: pkgsrc/security/p5-Authen-SASL/patches/patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm
diff -u /dev/null pkgsrc/security/p5-Authen-SASL/patches/patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm:1.1.2.2
--- /dev/null   Thu Jul 24 22:21:07 2025
+++ pkgsrc/security/p5-Authen-SASL/patches/patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm    Thu Jul 24 22:21:07 2025
@@ -0,0 +1,32 @@
+$NetBSD: patch-lib_Authen_SASL_Perl_DIGEST__MD5.pm,v 1.1.2.2 2025/07/24 22:21:07 maya Exp $
+
+https://security.metacpan.org/patches/A/Authen-SASL/2.1800/CVE-2025-40918-r1.patch
+
+--- lib/Authen/SASL/Perl/DIGEST_MD5.pm.orig    2025-04-25 16:09:30.000000000 +0000
++++ lib/Authen/SASL/Perl/DIGEST_MD5.pm
+@@ -10,6 +10,7 @@ $Authen::SASL::Perl::DIGEST_MD5::VERSION
+ use strict;
+ use warnings;
+ use vars qw(@ISA $CNONCE $NONCE);
++use Crypt::URandom qw(urandom);
+ use Digest::MD5 qw(md5_hex md5);
+ use Digest::HMAC_MD5 qw(hmac_md5);
+ 
+@@ -201,7 +202,7 @@ sub server_start {
+ 
+   $self->{need_step} = 1;
+   $self->{error}     = undef;
+-  $self->{nonce}     = md5_hex($NONCE || join (":", $$, time, rand));
++  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
+ 
+   $self->init_sec_layer;
+ 
+@@ -260,7 +261,7 @@ sub client_step {   # $self, $server_sas
+ 
+   my %response = (
+     nonce        => $sparams{'nonce'},
+-    cnonce       => md5_hex($CNONCE || join (":", $$, time, rand)),
++    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
+     'digest-uri' => $self->service . '/' . $self->host,
+     # calc how often the server nonce has been seen; server expects "00000001"
+     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),
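Review bot: The package globals `$NONCE` and `$CNONCE` still take priority over `urandom(16)` in both changed lines (`server_start` and `client_step`), so any code in the process that sets them yields a constant, predictable nonce again. Nothing in the patch documents that these are presumably test-only overrides. I would add a comment above each assignment such as `# $NONCE is a fixed-value override for tests only; leave it unset in production so the nonce comes from the OS CSPRNG`. Crypt::URandom's `urandom` throws when it cannot obtain random bytes, so these two methods can now die instead of reporting through `$self->{error}`; that is the safer failure mode, but it is worth a line in the patch header for callers. Both subs begin and end outside the hunks shown, so whether the callers wrap them in `eval` cannot be checked from here.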


