From 1bcbec677a6925ce415841f3a50ffc48915e4363 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 22 Feb 2022 20:37:00 +0100 Subject: [PATCH 1/2] cyrus_sasl: 2.1.27 -> 2.1.28 https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 Fixes: CVE-2022-24407 ("Escape password for SQL insert/update commands.") Co-Authored-By: illustris --- .../cyrus-sasl-ac-try-run-fix.patch | 23 ++++++++++--------- .../libraries/cyrus-sasl/default.nix | 21 +++++++---------- .../libraries/cyrus-sasl/missing-size_t.patch | 13 ----------- 3 files changed, 20 insertions(+), 37 deletions(-) delete mode 100644 pkgs/development/libraries/cyrus-sasl/missing-size_t.patch diff --git a/pkgs/development/libraries/cyrus-sasl/cyrus-sasl-ac-try-run-fix.patch b/pkgs/development/libraries/cyrus-sasl/cyrus-sasl-ac-try-run-fix.patch index 8662e812e995..f0376792e002 100644 --- a/pkgs/development/libraries/cyrus-sasl/cyrus-sasl-ac-try-run-fix.patch +++ b/pkgs/development/libraries/cyrus-sasl/cyrus-sasl-ac-try-run-fix.patch @@ -1,12 +1,13 @@ ---- a/m4/sasl2.m4 2018-11-18 22:33:29.902625600 +0300 -+++ b/m4/sasl2.m4 2018-11-18 22:33:59.828746176 +0300 -@@ -339,7 +339,8 @@ - ], - [ AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO]) - AC_MSG_RESULT(yes) ], -- AC_MSG_RESULT(no)) -+ AC_MSG_RESULT(no), -+ AC_MSG_RESULT(no)) - LIBS="$cmu_save_LIBS" +diff --git a/m4/sasl2.m4 b/m4/sasl2.m4 +index 098c853a..91d98def 100644 +--- a/m4/sasl2.m4 ++++ b/m4/sasl2.m4 +@@ -350,7 +350,7 @@ int main(void) - else + return (!have_spnego); // 0 = success, 1 = failure + } +-],[ac_cv_gssapi_supports_spnego=yes],[ac_cv_gssapi_supports_spnego=no]) ++],[ac_cv_gssapi_supports_spnego=yes],[ac_cv_gssapi_supports_spnego=no],[ac_cv_gssapi_supports_spnego=no]) + LIBS="$cmu_save_LIBS" + ]) + AS_IF([test "$ac_cv_gssapi_supports_spnego" = yes],[ 
diff --git a/pkgs/development/libraries/cyrus-sasl/default.nix b/pkgs/development/libraries/cyrus-sasl/default.nix index 6e97c61a6a5e..24cd2a7ebc5e 100644 --- a/pkgs/development/libraries/cyrus-sasl/default.nix +++ b/pkgs/development/libraries/cyrus-sasl/default.nix @@ -1,11 +1,11 @@ { lib, stdenv, fetchurl, openssl, openldap, libkrb5, db, gettext , pam, fixDarwinDylibNames, autoreconfHook, enableLdap ? false -, buildPackages, pruneLibtoolFiles, fetchpatch }: +, buildPackages, pruneLibtoolFiles }: with lib; stdenv.mkDerivation rec { pname = "cyrus-sasl"; - version = "2.1.27"; + version = "2.1.28"; src = fetchurl { urls = @@ -13,9 +13,14 @@ stdenv.mkDerivation rec { "http://www.cyrusimap.org/releases/${pname}-${version}.tar.gz" "http://www.cyrusimap.org/releases/old/${pname}-${version}.tar.gz" ]; - sha256 = "1m85zcpgfdhm43cavpdkhb1s2zq1b31472hq1w1gs3xh94anp1i6"; + sha256 = "sha256-fM/Gq9Ae1nwaCSSzU+Um8bdmsh9C1FYu5jWo6/xbs4w="; }; + patches = [ + # Fix cross-compilation + ./cyrus-sasl-ac-try-run-fix.patch + ]; + outputs = [ "bin" "dev" "out" "man" "devdoc" ]; depsBuildBuild = [ buildPackages.stdenv.cc ]; @@ -26,16 +31,6 @@ stdenv.mkDerivation rec { ++ lib.optional enableLdap openldap ++ lib.optional stdenv.isLinux pam; - patches = [ - ./missing-size_t.patch # https://bugzilla.redhat.com/show_bug.cgi?id=906519 - ./cyrus-sasl-ac-try-run-fix.patch - (fetchpatch { - name = "CVE-2019-19906.patch"; - url = "https://sources.debian.org/data/main/c/cyrus-sasl2/2.1.27+dfsg-1+deb10u1/debian/patches/0021-CVE-2019-19906.patch"; - sha256 = "1n4c5wg7l9j8rlbvx8i605j5d39xmj5wm618k8acxl4fmglcmfls"; - }) - ]; - configureFlags = [ "--with-openssl=${openssl.dev}" "--with-plugindir=${placeholder "out"}/lib/sasl2" diff --git a/pkgs/development/libraries/cyrus-sasl/missing-size_t.patch b/pkgs/development/libraries/cyrus-sasl/missing-size_t.patch deleted file mode 100644 index da96818ca267..000000000000 --- a/pkgs/development/libraries/cyrus-sasl/missing-size_t.patch +++ /dev/null 
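Review bot: The new `patches` list in the `@@ -13,9 +13,14 @@` hunk keeps only the cross-compilation fix, while the next hunk deletes the `CVE-2019-19906.patch` backport and the commit message accounts only for CVE-2022-24407. Dropping a security backport on a version bump is safe only if the new tarball already contains that fix, so confirm it against the 2.1.28 release notes linked in the message and, once confirmed, record it above the list, e.g. `# CVE-2019-19906 and the size_t include fix are part of 2.1.28 upstream`. Separately, the two mirror URLs visible as context are plain `http://`, which leaves the new `sha256` as the only integrity check on the download. It is worth stating how that hash was obtained (ideally from upstream's signed release artifact) and moving the mirrors to `https://`, the scheme the commit message already uses for the same host. The `urls` list begins outside the hunk, so any further mirrors are not visible here.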
@@ -1,13 +0,0 @@ -Gentoo bug #458790 ---- a/include/sasl.h 2012-10-12 17:05:48.000000000 +0300 -+++ b/include/sasl.h 2013-02-23 16:56:44.648786268 +0200 -@@ -121,6 +121,9 @@ - #ifndef SASL_H - #define SASL_H 1 - -+/* stddef.h to get size_t defined */ -+#include -+ - /* Keep in sync with win32/common.mak */ - #define SASL_VERSION_MAJOR 2 - #define SASL_VERSION_MINOR 1 From 7cc08a32e1b043abe26fdf306c228fd5413095d7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 23 Feb 2022 11:54:17 +0100 Subject: [PATCH 2/2] cyrus_sasl: set up passthru tests --- pkgs/development/libraries/cyrus-sasl/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/cyrus-sasl/default.nix b/pkgs/development/libraries/cyrus-sasl/default.nix index 24cd2a7ebc5e..be20a9b1678d 100644 --- a/pkgs/development/libraries/cyrus-sasl/default.nix +++ b/pkgs/development/libraries/cyrus-sasl/default.nix @@ -1,6 +1,6 @@ { lib, stdenv, fetchurl, openssl, openldap, libkrb5, db, gettext , pam, fixDarwinDylibNames, autoreconfHook, enableLdap ? false -, buildPackages, pruneLibtoolFiles }: +, buildPackages, pruneLibtoolFiles, nixosTests }: with lib; stdenv.mkDerivation rec { @@ -41,6 +41,10 @@ stdenv.mkDerivation rec { installFlags = lib.optional stdenv.isDarwin [ "framedir=$(out)/Library/Frameworks/SASL2.framework" ]; + passthru.tests = { + inherit (nixosTests) parsedmarc postfix; + }; + meta = { homepage = "https://www.cyrusimap.org/sasl"; description = "Library for adding authentication support to connection-based protocols";
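Review bot: The `passthru.tests` set added in the `@@ -41,6 +41,10 @@` hunk of patch 2/2 has no comment on why `parsedmarc` and `postfix` were chosen. Nothing on the page shows that either test reaches the SQL password handling named in the CVE-2022-24407 description of patch 1/2. If the intent is a smoke test of dependants rather than coverage of the fixed path, say so with a one-line comment such as `# reverse dependencies that authenticate through SASL; does not cover the sql auxprop plugin`. That tells the next person updating the package what a passing run does and does not establish. The surrounding `mkDerivation` attribute set starts and ends outside the hunk.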