pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail/dovecot Fix a possible security hole with LDAP au...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/30188d99ec9e
branches:  trunk
changeset: 536801:30188d99ec9e
user:      ghen <ghen%pkgsrc.org@localhost>
date:      Sat Dec 22 23:12:04 2007 +0000

description:
Fix a possible security hole with LDAP authentication and variables in the LDAP
search base, see http://www.dovecot.org/list/dovecot-news/2007-December/000057.html

diffstat:

 mail/dovecot/Makefile         |   3 ++-
 mail/dovecot/distinfo         |   3 ++-
 mail/dovecot/patches/patch-al |  33 +++++++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)

diffs (63 lines):

diff -r f7a60034bf4f -r 30188d99ec9e mail/dovecot/Makefile
--- a/mail/dovecot/Makefile     Sat Dec 22 23:07:37 2007 +0000
+++ b/mail/dovecot/Makefile     Sat Dec 22 23:12:04 2007 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.108 2007/12/12 13:15:48 ghen Exp $
+# $NetBSD: Makefile,v 1.109 2007/12/22 23:12:04 ghen Exp $
 
 DISTNAME=              dovecot-1.0.9
+PKGREVISION=           1
 CATEGORIES=            mail
 MASTER_SITES=          http://www.dovecot.org/releases/1.0/
 
diff -r f7a60034bf4f -r 30188d99ec9e mail/dovecot/distinfo
--- a/mail/dovecot/distinfo     Sat Dec 22 23:07:37 2007 +0000
+++ b/mail/dovecot/distinfo     Sat Dec 22 23:12:04 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.75 2007/12/12 13:15:49 ghen Exp $
+$NetBSD: distinfo,v 1.76 2007/12/22 23:12:04 ghen Exp $
 
 SHA1 (dovecot-1.0.9.tar.gz) = 87d89ff79d967c95ab8e59a1c1b3f710caffc290
 RMD160 (dovecot-1.0.9.tar.gz) = 535cf4c9672c8e44e751f5ffad911440707fc7d4
@@ -7,3 +7,4 @@
 SHA1 (patch-ab) = 5d45a1617dd5ee7ce07fe89b526a6fb273057bb5
 SHA1 (patch-ac) = 377da4719b5dca91a0b2fa7b3e11170cd2ea8d59
 SHA1 (patch-ag) = bd180441a0983ceccc898024370a3bdefdc11b1f
+SHA1 (patch-al) = 1a6151b7952360e2625a634ff3cbb30e09ef87c6
diff -r f7a60034bf4f -r 30188d99ec9e mail/dovecot/patches/patch-al
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/dovecot/patches/patch-al     Sat Dec 22 23:12:04 2007 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-al,v 1.1 2007/12/22 23:12:04 ghen Exp $
+
+If LDAP base contained variables, auth cache should have included
+them in the cache key.
+
+http://www.dovecot.org/list/dovecot-news/2007-December/000057.html
+
+--- src/auth/passdb-ldap.c.orig        2007-12-11 19:52:08.000000000 +0100
++++ src/auth/passdb-ldap.c
+@@ -519,7 +519,8 @@ passdb_ldap_preinit(struct auth_passdb *
+                         conn->set.auth_bind ? "password" : NULL);
+       module->module.cache_key =
+               auth_cache_parse_key(auth_passdb->auth->pool,
+-                                   conn->set.pass_filter);
++                                   t_strconcat(conn->set.base,
++                                               conn->set.pass_filter, NULL));
+       module->module.default_pass_scheme = conn->set.default_pass_scheme;
+       return &module->module;
+ }
+$NetBSD: patch-al,v 1.1 2007/12/22 23:12:04 ghen Exp $
+
+--- src/auth/userdb-ldap.c.orig        2007-12-11 19:52:08.000000000 +0100
++++ src/auth/userdb-ldap.c
+@@ -231,7 +231,8 @@ userdb_ldap_preinit(struct auth_userdb *
+                         conn->user_attr_map, default_attr_map, NULL);
+       module->module.cache_key =
+               auth_cache_parse_key(auth_userdb->auth->pool,
+-                                   conn->set.user_filter);
++                                   t_strconcat(conn->set.base,
++                                               conn->set.user_filter, NULL));
+       return &module->module;
+ }
+ 
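Review bot: The new patches/patch-al carries two `$NetBSD: patch-al,v 1.1 ...` id lines, the second one mid-file just ahead of the src/auth/userdb-ldap.c part, so the file reads as two patch files pasted together. Keep a single id line and description at the top, or move the userdb-ldap.c change into its own patch file with its own distinfo entry. Separately, in both t_strconcat() calls conn->set.base and the filter are joined with no separator before being passed to auth_cache_parse_key(), so the end of the base and the start of the filter run together in the string that gets parsed. A fixed delimiter between the two arguments would keep a variable at the end of the base from being read together with the first characters of the filter.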


