diff --git a/0001-saslauthd-fix-checking-for-malformed-HTTP-responses.patch b/0001-saslauthd-fix-checking-for-malformed-HTTP-responses.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b51488e374b06c3b72fedc2e97b671ce76cb981
--- /dev/null
+++ b/0001-saslauthd-fix-checking-for-malformed-HTTP-responses.patch
@@ -0,0 +1,42 @@
+From a9256a55ef99d3cc0a08915e5c9143d73134fa04 Mon Sep 17 00:00:00 2001
+From: yixiangzhike
+Date: Mon, 17 Nov 2025 18:29:11 +0800
+Subject: [PATCH] saslauthd: fix checking for malformed HTTP responses
+
+The checking for http_response_code and http_response_string
+should be before pointing to the next position.
+---
+ saslauthd/auth_httpform.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/saslauthd/auth_httpform.c b/saslauthd/auth_httpform.c
+index 563fed0..895a4c7 100644
+--- a/saslauthd/auth_httpform.c
++++ b/saslauthd/auth_httpform.c
+@@ -370,19 +370,21 @@ static char *build_sasl_response(
+ }
+
+ /* isolate the HTTP response code and string */
+- http_response_code = strpbrk(http_response, SPACE) + 1;
++ http_response_code = strpbrk(http_response, SPACE);
+ if (!http_response_code) {
+ logger(LOG_ERR, "auth_httpform", "invalid response to auth request: %s",
+ http_response);
+ goto fail;
+ }
++ http_response_code += 1;
+
+- http_response_string = strpbrk(http_response_code, SPACE) + 1;
++ http_response_string = strpbrk(http_response_code, SPACE);
+ if (!http_response_string) {
+ logger(LOG_ERR, "auth_httpform", "invalid response to auth request: %s",
+ http_response);
+ goto fail;
+ }
++ http_response_string += 1;
+
+ *(http_response_string-1) = '\0'; /* replace space after code with 0 */
+
+--
+2.43.0
+
diff --git a/backport-saslauthd-check-for-malformed-HTTP-responses.patch b/backport-saslauthd-check-for-malformed-HTTP-responses.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5532752eca09189c57fa8bc5dd525da50a1b8025
--- /dev/null
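Review bot: Neither the patch description nor the rewritten lines in `build_sasl_response` say why the order matters, so a later rebase could fold `+ 1` back into the `strpbrk()` call. `strpbrk()` returns NULL when the response contains no space; adding 1 to that result is undefined and leaves the following `if (!http_response_code)` and `if (!http_response_string)` tests unable to fire, which is presumably the coredump the changelog mentions. I would add `/* test strpbrk()'s result before advancing: NULL + 1 is not NULL */` above the first assignment and name in the description the earlier backport whose checks this corrects. The function starts and ends outside the hunk.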
+++ b/backport-saslauthd-check-for-malformed-HTTP-responses.patch
@@ -0,0 +1,49 @@
+From cfb31560c4dca75c378b1dfd56c27b9d40eff2d0 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Tue, 23 Jul 2024 19:07:37 +0100
+Subject: [PATCH] saslauthd: check for malformed HTTP responses
+
+In auth_httpform.c. Fix #821
+
+Signed-off-by: Howard Chu
+
+Signed-off-by: Howard Chu
+---
+ saslauthd/auth_httpform.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/saslauthd/auth_httpform.c b/saslauthd/auth_httpform.c
+index 1d36979f..656c41d1 100644
+--- a/saslauthd/auth_httpform.c
++++ b/saslauthd/auth_httpform.c
+@@ -371,7 +371,19 @@ static char *build_sasl_response(
+
+ /* isolate the HTTP response code and string */
+ http_response_code = strpbrk(http_response, SPACE) + 1;
++ if (!http_response_code) {
++ logger(LOG_ERR, "auth_httpform", "invalid response to auth request: %s",
++ http_response);
++ goto fail;
++ }
++
+ http_response_string = strpbrk(http_response_code, SPACE) + 1;
++ if (!http_response_string) {
++ logger(LOG_ERR, "auth_httpform", "invalid response to auth request: %s",
++ http_response);
++ goto fail;
++ }
++
+ *(http_response_string-1) = '\0'; /* replace space after code with 0 */
+
+ if (!strcmp(http_response_code, HTTP_STATUS_SUCCESS) ||
+@@ -392,6 +404,7 @@ static char *build_sasl_response(
+ logger(L_INFO, "auth_httpform", "unexpected response to auth request: %s %s",
+ http_response_code, http_response_string);
+
++fail:
+ return strdup(RESP_UNEXPECTED);
+ }
+
+--
+2.43.0
+
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index 6c32906a744407130bcf157bfdfa75e609bf0642..31b82d9a7dddfa0c1201ce524c8493815e0aa5b6 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -6,7 +6,7 @@ Name: cyrus-sasl Version: 2.1.27 -Release: 18 +Release: 19 Summary: The Cyrus SASL API Implementation License: BSD with advertising
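Review bot: Both new `logger(LOG_ERR, ...)` calls in `build_sasl_response` write the raw `http_response` through an unbounded `%s`, on exactly the path where the remote server's reply is already known to be malformed. Unless `logger()` truncates and escapes its arguments (not visible here), a very long reply or one containing CR/LF lands verbatim in the auth log; a precision such as `"invalid response to auth request: %.128s"` would cap it. The new calls also pass `LOG_ERR`, while the existing call in the second inner hunk uses the file's own `L_INFO` style, so the matching `L_*` level would be more consistent if the file defines one. The function body starts before the first inner hunk and continues between the two.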
@@ -22,6 +22,8 @@ Patch3: backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch Patch4: backport-Use-int-instead-of-char-for-variable-c.patch Patch5: backport-Fix-heap-corruption.patch Patch6: backport-Fix-_sasl_add_string.patch +Patch7: backport-saslauthd-check-for-malformed-HTTP-responses.patch +Patch8: 0001-saslauthd-fix-checking-for-malformed-HTTP-responses.patch BuildRequires: autoconf, automake, libtool, gdbm-devel, groff BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig @@ -329,6 +331,9 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %changelog +* Tue Nov 18 2025 yixiangzhike - 2.1.27-19 +- fix saslauthd coredump with httpform + * Fri Apr 11 2025 yixiangzhike - 2.1.27-18 - backport upstream patch to fix _sasl_add_string