important fixes in 1.4.4

Bug #548480 reported by Simon Josefsson
Affects: gsasl (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Jamie Strandboge

Bug Description

Binary package hint: gsasl

Hi!

I'm upstream GNU SASL maintainer. Ubuntu has GNU SASL version 1.4.0 and I just released 1.4.4 with some minor but important bug fixes in it. While doing a 'diff' between the two packages will result in a lot of autoconf/automake/gnulib-changes, the essential code has not been modified a lot. Any chance of getting 1.4.4 into 10.04? The strlen vs strnlen change fixes a potential remote denial of service attack, so it is important. The rest fixes support for authorization identities, a typo in the error messages, and an optimization for the command line tool. I'm attaching the essential differences between 1.4.0 and 1.4.4 as a patch, for review purposes.

Thanks,
/Simon
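The strlen vs strnlen change mentioned in the report is a well-known class of bug: a SASL mechanism is handed a pointer plus an explicit length, but a C-string routine ignores that length and keeps scanning until it finds a NUL byte, so a client that sends a token without one can make the server read past its buffer. The following is an added, constructed C illustration of that pattern and of a length-bounded token lookup; it is not gsasl's parser, and the message layout, buffer contents and function names (token_len_strlen, token_len_strnlen, scram_attr_value, scram_attr_len) are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration, not gsasl's own code.  A SASL server hands the
 * mechanism `len` bytes of client data; that buffer is not required to end
 * in a NUL.  Everything below treats `len` as the only trustworthy bound.
 */

/* Bug pattern: strlen() scans until it finds a NUL, however far away. */
size_t token_len_strlen(const char *buf, size_t len)
{
    (void)len;                         /* the caller's bound is ignored */
    return strlen(buf);
}

/* Fix pattern: strnlen() stops at buf[len-1] even without a NUL. */
size_t token_len_strnlen(const char *buf, size_t len)
{
    return strnlen(buf, len);
}

/*
 * Constructed sample: the mechanism owns only the first 7 bytes ("n=alice").
 * The bytes after that stand in for whatever happens to sit next to the
 * token in memory.  A real out-of-bounds read is undefined behaviour, so the
 * "neighbour" is deliberately placed inside the same array.
 */
static const char sample_mem[] = "n=alice" "r=leaked-nonce,x";
#define SAMPLE_OWNED 7

/* Constructed, properly delimited SCRAM-style message for the parser. */
static const char sample_msg[] = "n=alice,r=abc123";

/*
 * Bounded attribute lookup over an "a=v,b=w" message.  memchr() is given
 * the remaining length, so no call can run past msg+len.  Returns the value
 * length for `attr` (and points *val at it), or -1 if the attribute is absent.
 */
int scram_attr_value(const char *msg, size_t len, char attr, const char **val)
{
    const char *p = msg, *end = msg + len;

    while (p < end) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        const char *tok_end = comma ? comma : end;

        if (tok_end - p >= 2 && p[0] == attr && p[1] == '=') {
            *val = p + 2;
            return (int)(tok_end - (p + 2));
        }
        if (!comma)
            break;
        p = comma + 1;
    }
    *val = NULL;
    return -1;
}

/* Scalar wrapper: value length only. */
int scram_attr_len(const char *msg, size_t len, char attr)
{
    const char *v;
    return scram_attr_value(msg, len, attr, &v);
}

int main(void)
{
    const char *v;
    int n;

    printf("strlen  sees %zu bytes, caller owns %d\n",
           token_len_strlen(sample_mem, SAMPLE_OWNED), SAMPLE_OWNED);
    printf("strnlen sees %zu bytes\n",
           token_len_strnlen(sample_mem, SAMPLE_OWNED));

    n = scram_attr_value(sample_mem, SAMPLE_OWNED, 'n', &v);
    printf("n=%.*s (%d bytes); r present in owned bytes: %s\n", n, v, n,
           scram_attr_len(sample_mem, SAMPLE_OWNED, 'r') < 0 ? "no" : "yes");

    n = scram_attr_value(sample_msg, sizeof sample_msg - 1, 'r', &v);
    printf("r=%.*s (%d bytes)\n", n, v, n);
    return 0;
}
```

The point of the two token_len_* functions is the contrast: the strlen() variant reports a length larger than the bytes the caller owns, which is exactly the read the strnlen() change in 1.4.3/1.4.4 prevents. The parser then shows the same discipline applied to the whole message: every scan is fed the remaining byte count, and a message truncated mid-attribute yields a short value rather than a read beyond the buffer.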

Revision history for this message
Simon Josefsson (simon-josefsson) wrote :
visibility: private → public
Changed in gsasl (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Since these are only bug fixes, there is no problem getting it in. It would be best to get 1.4.4 into Debian unstable from where we can then sync.

Simon Josefsson (simon-josefsson) wrote :

I've uploaded 1.4.4 to Debian unstable now. Please sync!

Jamie Strandboge (jdstrand) wrote :

There is actually an Ubuntu delta, so this can't be a merge:
    - debian/rules: Include clean-la.mk from cdbs to clean up the dependency_libs field in libgsasl.la.

Also, we still have libgcrypt11 1.4.4-5ubuntu2, so the libgsasl7 Depends needs to be dropped to 1.4.4-5. Beyond that, it compiles and testing shows it works fine. Bug fix only release doesn't require FFe.

Merge builds, installs and runs fine on Lucid using the following:
$ dpkg -l|grep gsasl | awk '{print $2, $3}'
gsasl 1.4.4-1ubuntu1
libgsasl7 1.4.4-1ubuntu1

$ msmtp --version
...
Authentication library: GNU SASL
Supported authentication methods:
plain cram-md5 digest-md5 gssapi external login ntlm

$ gsasl --client-mechanisms
This client supports the following mechanisms:
ANONYMOUS EXTERNAL LOGIN PLAIN SECURID NTLM DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 GSSAPI

From the upstream ChangeLog since 1.4.0:

2010-03-25 Simon Josefsson <email address hidden>

 * lib/ChangeLog: Generated.

2010-03-25 Simon Josefsson <email address hidden>

 * NEWS, lib/NEWS: Version 1.4.4.

2010-03-25 Simon Josefsson <email address hidden>

 * NEWS, configure.ac, lib/NEWS, lib/configure.ac, lib/src/gsasl.h:
 Bump versions.

2010-03-25 Simon Josefsson <email address hidden>

 * lib/gl/Makefile.am, lib/gl/m4/gnulib-cache.m4,
 lib/gl/m4/gnulib-comp.m4, lib/gl/m4/strnlen.m4, lib/gl/strnlen.c:
 Add strnlen for portability.

2010-03-25 Simon Josefsson <email address hidden>

 * ChangeLog: Generated.

2010-03-25 Simon Josefsson <email address hidden>

 * lib/ChangeLog: Generated.

2010-03-25 Simon Josefsson <email address hidden>

 * NEWS, lib/NEWS: Version 1.4.3.

2010-03-25 Simon Josefsson <email address hidden>

 * lib/NEWS, lib/scram/parser.c: SCRAM: Don't read out of bounds when
 parsing tokens.

2010-03-15 Simon Josefsson <email address hidden>

 * NEWS, configure.ac, lib/NEWS, lib/configure.ac, lib/src/gsasl.h:
 Bump versions.

2010-03-15 Simon Josefsson <email address hidden>

 * ChangeLog: Generated.

2010-03-15 Simon Josefsson <email address hidden>

 * lib/ChangeLog: Generated.

2010-03-15 Simon Josefsson <email address hidden>

 * NEWS, lib/NEWS: Version 1.4.2.

2010-03-15 Simon Josefsson <email address hidden>

 * .gitignore: Update.

2010-03-15 Simon Josefsson <email address hidden>

 * NEWS, lib/NEWS: Add.

2010-03-15 Simon Josefsson <email address hidden>

 * cfg.mk: Fix update-po rule.

2010-03-15 Simon Josefsson <email address hidden>

 * po/LINGUAS, po/fi.po.in, po/fr.po.in, po/id.po.in, po/it.po.in,
 po/nl.po.in, po/pl.po.in, po/sk.po.in, po/sv.po.in, po/vi.po.in,
 po/zh_CN.po.in: Sync with TP.

2010-03-15 Simon Josefsson <email address hidden>

 * lib/po/LINGUAS, lib/po/it.po.in, lib/po/vi.po.in,
 lib/po/zh_CN.po.in: Sync with TP.

2010-03-15 Simon Josefsson <email address hidden>

 * .gitignore: Don't ignore po/.

2010-03-15 Simon Josefsson <email address hidden>

 * lib/NEWS: Add.

2010-03-08 Simon Josefsson <email address hidden>

 * lib/src/error.c: Fix typo.

2010-03-15 Simon Josefsson <email address hidden>

 * NEWS, lib/NEWS: Fix NEWS entry.

2010-03-15 Simon Josefsson <email address hidden>

 * NEWS: Add.

2010-03-10 Simon Josefsson <email address hidden>

 * lib/scram/parser.c, tes...

Changed in gsasl (Ubuntu):
status: Confirmed → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-10.04
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gsasl - 1.4.4-1ubuntu1

---------------
gsasl (1.4.4-1ubuntu1) lucid; urgency=low

  * Merge from Debian experimental (LP: #548480). Bugfix only release.
    Remaining changes:
    - debian/rules: Include clean-la.mk from cdbs to clean up the
      dependency_libs field in libgsasl.la.
  * debian/control: drop libgsasl7 Depends on libgcrypt to what we have in
    Lucid (1.4.4-5). See Debian bug #564661.

gsasl (1.4.4-1) experimental; urgency=low

  [Simon Josefsson]
  * New upstream version.
  * Improve copyright file information.
  * Switch to dpkg-source 3.0 (quilt) format.

gsasl (1.4.2-1) unstable; urgency=low

  [Simon Josefsson]
  * New upstream version.
  * Disable self checks on mips(el) due to #519006.

gsasl (1.4.1-1) unstable; urgency=low

  [Simon Josefsson]
  * New upstream version.
  * Add a symbols file (and drop libgsasl7.shlibs).

gsasl (1.4.0-2) unstable; urgency=low

  [Simon Josefsson]

  * libgsasl7: Bump shlibs to 1.1 because later versions introduced symbol
    versioning; closes: #542512.
  * libgsasl7-dev: Depend on libgcrypt11-dev in order to make
    libgcrypt.la available; closes: #564378.
  * libgsasl7: Make it depend on libgcrypt 1.4.5-1, because libgsasl7
    will not work with any older libgcrypt than the version it was
    built with. See #564661.
  * gsasl-dbg: New debug package for gsasl and libgsasl7.
  * Invoke 'make check' during builds, and build-depend on valgrind on
    platforms that have it, for better checking.
  * Upgrade to standards version 3.8.4.
 -- Jamie Strandboge <email address hidden> Wed, 14 Apr 2010 07:26:51 -0500

Changed in gsasl (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

I meant to say 'this can't be a sync'. Anyway, uploaded. Since there is a new gsasl-dbg package, this will need to be binary deNEWd.

Simon Josefsson (simon-josefsson) wrote :

Thanks!

The libgcrypt version dependency is just to make sure that libgsasl7 uses the same (or newer) libgcrypt that libgsasl was built with. If you build libgsasl against libgcrypt 1.4.4, lowering the depends to that version is fine. The libgcrypt version number gets hard coded into libgsasl, and if the libgsasl binary is used against an older libgcrypt, it will refuse to work.

Possibly all version handling is just a bad idea that causes breakage and should be reverted upstream... I'll fix that for the next libgsasl development series.

/Simon

This report contains Public Security information  
Everyone can see this security related information.
