[SVN] r381 - in /trunk/cyrus-imapd-2.2.13/debian: changelog
patches/0003-upstream_disallow_userprobes.dpatch
patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch patches/00list
debian at incase.de
debian at incase.de
Wed May 3 14:13:40 UTC 2006
Author: sven
Date: Wed May 3 16:13:39 2006
New Revision: 381
URL: https://mail.incase.de/viewcvs?rev=381&root=cyrus22&view=rev
Log:
Add two more upstream fixes; one of them is a security-related (information disclosure) patch
Added:
trunk/cyrus-imapd-2.2.13/debian/patches/0003-upstream_disallow_userprobes.dpatch (with props)
trunk/cyrus-imapd-2.2.13/debian/patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch (with props)
Modified:
trunk/cyrus-imapd-2.2.13/debian/changelog
trunk/cyrus-imapd-2.2.13/debian/patches/00list
Modified: trunk/cyrus-imapd-2.2.13/debian/changelog
URL: https://mail.incase.de/viewcvs/trunk/cyrus-imapd-2.2.13/debian/changelog?rev=381&root=cyrus22&r1=380&r2=381&view=diff
==============================================================================
--- trunk/cyrus-imapd-2.2.13/debian/changelog (original)
+++ trunk/cyrus-imapd-2.2.13/debian/changelog Wed May 3 16:13:39 2006
@@ -1,5 +1,8 @@
cyrus-imapd-2.2 (2.2.13-3) UNRELEASED; urgency=low
+ [ Sven Mueller ]
+ * Add upstream patch to disallow user probes
+ * Add upstream patch to properly handle timezones and DST in fetchnews
* Add upstream patch to allow ACL removal for invalid IDs
-- Sven Mueller <debian at incase.de> Wed, 3 May 2006 15:30:51 +0200
Added: trunk/cyrus-imapd-2.2.13/debian/patches/0003-upstream_disallow_userprobes.dpatch
URL: https://mail.incase.de/viewcvs/trunk/cyrus-imapd-2.2.13/debian/patches/0003-upstream_disallow_userprobes.dpatch?rev=381&root=cyrus22&view=auto
==============================================================================
--- trunk/cyrus-imapd-2.2.13/debian/patches/0003-upstream_disallow_userprobes.dpatch (added)
+++ trunk/cyrus-imapd-2.2.13/debian/patches/0003-upstream_disallow_userprobes.dpatch Wed May 3 16:13:39 2006
@@ -1,0 +1,205 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## filetu535I.dpatch by Sven Mueller <debian at incase.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad cyrus-imapd-2.2.13/imap/imapd.c /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/imapd.c
+--- cyrus-imapd-2.2.13/imap/imapd.c 2006-03-31 20:18:13.000000000 +0200
++++ /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/imapd.c 2006-05-03 16:02:02.685827405 +0200
+@@ -1785,6 +1785,9 @@
+
+ sleep(3);
+
++ /* Don't allow user probing */
++ if (r == SASL_NOUSER) r = SASL_BADAUTH;
++
+ if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
+ prot_printf(imapd_out, "%s NO Login failed: %s\r\n", tag, reply);
+ } else {
+@@ -1898,8 +1901,6 @@
+ break;
+ default:
+ /* failed authentication */
+- errorstring = sasl_errstring(sasl_result, NULL, NULL);
+-
+ syslog(LOG_NOTICE, "badlogin: %s %s [%s]",
+ imapd_clienthost, authtype, sasl_errdetail(imapd_saslconn));
+
+@@ -1908,6 +1909,10 @@
+ VARIABLE_LISTEND);
+ sleep(3);
+
++ /* Don't allow user probing */
++ if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;
++
++ errorstring = sasl_errstring(sasl_result, NULL, NULL);
+ if (errorstring) {
+ prot_printf(imapd_out, "%s NO %s\r\n", tag, errorstring);
+ } else {
+diff -urNad cyrus-imapd-2.2.13/imap/nntpd.c /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/nntpd.c
+--- cyrus-imapd-2.2.13/imap/nntpd.c 2006-03-31 20:18:13.000000000 +0200
++++ /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/nntpd.c 2006-05-03 16:02:02.678828066 +0200
+@@ -2140,13 +2140,16 @@
+ default:
+ code = 481;
+ }
+- errorstring = sasl_errstring(sasl_result, NULL, NULL);
+
+ syslog(LOG_NOTICE, "badlogin: %s %s [%s]",
+ nntp_clienthost, mech, sasl_errdetail(nntp_saslconn));
+
+ sleep(3);
+
++ /* Don't allow user probing */
++ if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;
++
++ errorstring = sasl_errstring(sasl_result, NULL, NULL);
+ if (errorstring) {
+ prot_printf(nntp_out, "%d %s\r\n", code, errorstring);
+ } else {
+diff -urNad cyrus-imapd-2.2.13/imap/pop3d.c /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/pop3d.c
+--- cyrus-imapd-2.2.13/imap/pop3d.c 2006-03-31 20:18:13.000000000 +0200
++++ /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/pop3d.c 2006-05-03 16:02:02.679827971 +0200
+@@ -1027,15 +1027,18 @@
+ /* failed authentication */
+ if (sasl_result != SASL_OK)
+ {
++ syslog(LOG_NOTICE, "badlogin: %s APOP (%s) %s",
++ popd_clienthost, popd_apop_chal,
++ sasl_errdetail(popd_saslconn));
++
+ sleep(3);
+
++ /* Don't allow user probing */
++ if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;
++
+ prot_printf(popd_out, "-ERR [AUTH] authenticating: %s\r\n",
+ sasl_errstring(sasl_result, NULL, NULL));
+
+- syslog(LOG_NOTICE, "badlogin: %s APOP (%s) %s",
+- popd_clienthost, popd_apop_chal,
+- sasl_errdetail(popd_saslconn));
+-
+ return;
+ }
+
+@@ -1292,11 +1295,6 @@
+ break;
+ default:
+ /* failed authentication */
+- sleep(3);
+-
+- prot_printf(popd_out, "-ERR [AUTH] authenticating: %s\r\n",
+- sasl_errstring(sasl_result, NULL, NULL));
+-
+ if (authtype) {
+ syslog(LOG_NOTICE, "badlogin: %s %s %s",
+ popd_clienthost, authtype,
+@@ -1305,6 +1303,14 @@
+ syslog(LOG_NOTICE, "badlogin: %s %s",
+ popd_clienthost, authtype);
+ }
++
++ sleep(3);
++
++ /* Don't allow user probing */
++ if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;
++
++ prot_printf(popd_out, "-ERR [AUTH] authenticating: %s\r\n",
++ sasl_errstring(sasl_result, NULL, NULL));
+ }
+
+ reset_saslconn(&popd_saslconn);
+diff -urNad cyrus-imapd-2.2.13/imap/proxyd.c /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/proxyd.c
+--- cyrus-imapd-2.2.13/imap/proxyd.c 2006-03-31 20:18:13.000000000 +0200
++++ /tmp/dpep.556KMT/cyrus-imapd-2.2.13/imap/proxyd.c 2006-05-03 16:02:02.681827782 +0200
+@@ -2106,7 +2106,7 @@
+ char c;
+ struct buf passwdbuf;
+ char *passwd;
+- char *reply = 0;
++ const char *reply = 0;
+ int r;
+
+ if (proxyd_userid) {
+@@ -2180,17 +2180,19 @@
+ strlen(canon_user),
+ passwd,
+ strlen(passwd)))!=SASL_OK) {
+- const char *errorstring = sasl_errstring(r, NULL, NULL);
+- if (reply) {
+- syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
+- proxyd_clienthost, canon_user, reply);
+- }
++ syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
++ proxyd_clienthost, canon_user, sasl_errdetail(proxyd_saslconn));
++
+ /* Apply penalty only if not under layer */
+ if (proxyd_starttls_done == 0)
+ sleep(3);
+- if (errorstring) {
++
++ /* Don't allow user probing */
++ if (r == SASL_NOUSER) r = SASL_BADAUTH;
++
++ if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
+ prot_printf(proxyd_out, "%s NO Login failed: %s\r\n",
+- tag, errorstring);
++ tag, reply);
+ } else {
+ prot_printf(proxyd_out, "%s NO Login failed.", tag);
+ }
+@@ -2276,8 +2278,6 @@
+ break;
+ default:
+ /* failed authentication */
+- errorstring = sasl_errstring(sasl_result, NULL, NULL);
+-
+ syslog(LOG_NOTICE, "badlogin: %s %s [%s]",
+ proxyd_clienthost, authtype, sasl_errdetail(proxyd_saslconn));
+
+@@ -2286,6 +2286,10 @@
+ VARIABLE_LISTEND);
+ sleep(3);
+
++ /* Don't allow user probing */
++ if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;
++
++ errorstring = sasl_errstring(sasl_result, NULL, NULL);
+ if (errorstring) {
+ prot_printf(proxyd_out, "%s NO %s\r\n", tag, errorstring);
+ } else {
+@@ -4253,13 +4257,13 @@
+ proxyd_userid, mailboxname);
+ if (!r) r = mlookup(mailboxname, &server, NULL, NULL);
+
+- if(proxyd_userisadmin) {
++ if(!r && proxyd_userisadmin) {
+ /* If they are an admin, they won't retain that privledge if we
+ * proxy for them, so we need to refer them -- even if they haven't
+ * told us they're able to handle it. */
+ proxyd_refer(tag, server, name);
+- } else {
+- if (!r) s = proxyd_findserver(server);
++ } else if (!r) {
++ s = proxyd_findserver(server);
+
+ if (s) {
+ prot_printf(s->out, "%s Getquotaroot {%d+}\r\n%s\r\n",
+@@ -4268,11 +4272,10 @@
+ } else {
+ r = IMAP_SERVER_UNAVAILABLE;
+ }
++ }
+
+- if (r) {
+- prot_printf(proxyd_out, "%s NO %s\r\n", tag, error_message(r));
+- return;
+- }
++ if (r) {
++ prot_printf(proxyd_out, "%s NO %s\r\n", tag, error_message(r));
+ }
+ }
+
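Review bot: The one-line remap `if (sasl_result == SASL_NOUSER) sasl_result = SASL_BADAUTH;` (or its `r` variant) is pasted at seven sites across imapd.c, nntpd.c, pop3d.c and proxyd.c, so the set of result codes hidden from clients has to be kept in sync by hand; a small shared helper in a header all four daemons already include would make the policy one place to audit. Only SASL_NOUSER is masked, while other results such as SASL_DISABLED or SASL_EXPIRED still reach the client through `sasl_errstring()` and equally confirm that an account exists; whether those should be hidden too is a decision better taken once in the helper than left to each daemon. The log lines keep the real reason via `sasl_errdetail()`, which is the right split, and a comment should say so, so a later cleanup does not move the mask above the `syslog()` calls. The dpatch header still reads `## DP: No description.`; it should state that the patch stops login error strings from revealing whether a username exists and name the upstream source it was taken from ([placeholder: upstream commit or bug reference]). Every enclosing login/authenticate function starts and ends outside its hunk.
```c
/* Collapse a SASL result that reveals whether an account exists into the
 * generic SASL_BADAUTH before its string is sent to the client.  The
 * syslog() calls keep the real reason via sasl_errdetail().  Any further
 * result codes that must not be shown to clients belong here, not at the
 * seven call sites. */
static inline int sasl_mask_probe(int r)
{
    return (r == SASL_NOUSER) ? SASL_BADAUTH : r;
}

/* … unchanged: syslog() and sleep(3) at each call site … */
sasl_result = sasl_mask_probe(sasl_result);
errorstring = sasl_errstring(sasl_result, NULL, NULL);
```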
Propchange: trunk/cyrus-imapd-2.2.13/debian/patches/0003-upstream_disallow_userprobes.dpatch
------------------------------------------------------------------------------
svn:executable = *
Added: trunk/cyrus-imapd-2.2.13/debian/patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch
URL: https://mail.incase.de/viewcvs/trunk/cyrus-imapd-2.2.13/debian/patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch?rev=381&root=cyrus22&view=auto
==============================================================================
--- trunk/cyrus-imapd-2.2.13/debian/patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch (added)
+++ trunk/cyrus-imapd-2.2.13/debian/patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch Wed May 3 16:13:39 2006
@@ -1,0 +1,43 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fileQDLDMd.dpatch by Sven Mueller <debian at incase.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad cyrus-imapd-2.2.13/imap/fetchnews.c /tmp/dpep.KgQkoe/cyrus-imapd-2.2.13/imap/fetchnews.c
+--- cyrus-imapd-2.2.13/imap/fetchnews.c 2006-03-31 20:18:13.000000000 +0200
++++ /tmp/dpep.KgQkoe/cyrus-imapd-2.2.13/imap/fetchnews.c 2006-05-03 16:07:42.020785607 +0200
+@@ -60,6 +60,7 @@
+ #include "cyrusdb.h"
+ #include "exitcodes.h"
+ #include "global.h"
++#include "gmtoff.h"
+ #include "lock.h"
+ #include "prot.h"
+ #include "xmalloc.h"
+@@ -388,6 +389,7 @@
+ &ctime.tm_hour, &ctime.tm_min, &ctime.tm_sec);
+ ctime.tm_year -= 1900;
+ ctime.tm_mon--;
++ ctime.tm_isdst = -1;
+
+ /* read the previous timestamp */
+ if (!sfile[0]) {
+@@ -417,6 +419,7 @@
+ /* ask for new articles */
+ if (stamp) stamp -= 180; /* adjust back 3 minutes */
+ ptime = gmtime(&stamp);
++ ptime->tm_isdst = -1;
+ strftime(buf, sizeof(buf), datefmt, ptime);
+ prot_printf(pout, "NEWNEWS %s %s GMT\r\n", wildmat, buf);
+
+@@ -433,7 +436,7 @@
+ We can't change this, otherwise we'd be incompatible
+ with an old localtime timestamp.
+ */
+- stamp -= timezone;
++ stamp += gmtoff_of(&ctime, stamp);
+ }
+
+ if (!newnews) {
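Review bot: The header of this dpatch still says `## DP: No description.`; it should record what the change does and where it came from, e.g. `## DP: Upstream fix: compute the localtime-compatible NEWNEWS timestamp with gmtoff_of() instead of the DST-blind `timezone` global, and set tm_isdst = -1 so DST is derived from the date rather than assumed.` The added `ptime->tm_isdst = -1;` writes into the buffer returned by `gmtime()` on the line above, which can be NULL for a stamp it cannot represent; the unchecked dereference is pre-existing, but a `if (!ptime) { /* handle error */ }` guard before it would be cheap to add while this code is being touched. Whether `-1` in `tm_isdst` affects the `strftime()` output depends on `datefmt`, which is outside the hunk, so that should be confirmed. The enclosing function starts and ends outside the hunk.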
Propchange: trunk/cyrus-imapd-2.2.13/debian/patches/0004-upstream-fetchnews-timezone-dst-fix.dpatch
------------------------------------------------------------------------------
svn:executable = *
Modified: trunk/cyrus-imapd-2.2.13/debian/patches/00list
URL: https://mail.incase.de/viewcvs/trunk/cyrus-imapd-2.2.13/debian/patches/00list?rev=381&root=cyrus22&r1=380&r2=381&view=diff
==============================================================================
--- trunk/cyrus-imapd-2.2.13/debian/patches/00list (original)
+++ trunk/cyrus-imapd-2.2.13/debian/patches/00list Wed May 3 16:13:39 2006
@@ -1,5 +1,7 @@
0001-upstream-fix-segfault.dpatch
0002-allow_invalid_id_acl_removal.dpatch
+0003-upstream_disallow_userprobes.dpatch
+0004-upstream-fetchnews-timezone-dst-fix.dpatch
01-fix_Makefile.in.dpatch
02-add_mkinstalldirs.dpatch
03-fix_docs.dpatch