Date:      Sat, 29 Aug 2009 17:32:26 +1000 (AEST)
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/138300: [PATCH] mail/dovecot 1.2.4 breaks GSSAPI Authentication
Message-ID:  <200908290732.n7T7WQWM013278@rwsrv03.mby.riverwillow.net.au>
Resent-Message-ID: <200908290750.n7T7o1TR028628@freefall.freebsd.org>


>Number:         138300
>Category:       ports
>Synopsis:       [PATCH] mail/dovecot 1.2.4 breaks GSSAPI Authentication
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 29 07:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     John Marshall
>Release:        FreeBSD 7.2-RELEASE-p2 i386
>Organization:
Riverwillow Pty Ltd
>Environment:
System: FreeBSD rwsrv03.mby.riverwillow.net.au 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Thu Jun 25 15:36:52 AEST 2009 root@rwsrv03.mby.riverwillow.net.au:/build/obj/usr/src/sys/RWSRV03 i386


>Description:

Dovecot 1.2.4 introduced some checking for NUL characters in usernames.
The test was picking up the NUL string-terminator on the user principal
name returned by GSSAPI and forcing authentication failure.  The Dovecot
author has provided a patch which I have incorporated into the
mail/dovecot port.

http://hg.dovecot.org/dovecot-1.2/rev/a37fa30b0072 

I have not incremented PORTREVISION because this will only affect sites
which use GSSAPI authentication.

This was discussed on the Dovecot mailing list:

http://dovecot.org/pipermail/dovecot/2009-August/042468.html

>How-To-Repeat:

 - Attempt to authenticate to Dovecot 1.2.4 via GSSAPI
 - auth_debug log shows:
    auth(default): gssapi(john@EXAMPLE.COM,192.0.2.168): authz_name has NULs
    auth(default): client out: FAIL 1 user=john@EXAMPLE.COM
 - Mail client reports login failure

>Fix:

	

--- dovecot_1-2-4_gssapi_patch.diff begins here ---
diff -urN dovecot.orig/files/patch-src-auth-mech-gssapi.c dovecot/files/patch-src-auth-mech-gssapi.c
--- dovecot.orig/files/patch-src-auth-mech-gssapi.c	1970-01-01 10:00:00.000000000 +1000
+++ dovecot/files/patch-src-auth-mech-gssapi.c	2009-08-29 07:05:32.000000000 +1000
@@ -0,0 +1,13 @@
+--- src/auth/mech-gssapi.c.orig	2009-08-15 03:14:11.000000000 +1000
++++ src/auth/mech-gssapi.c	2009-08-29 07:02:43.000000000 +1000
+@@ -218,6 +218,10 @@
+ 	const unsigned char *c = data;
+ 	unsigned int i;
+ 
++	/* apparently all names end with NUL? */
++	if (len > 0 && c[len-1] == '\0')
++		len--;
++
+ 	for (i = 0; i < len; i++) {
+ 		if (c[i] == '\0')
+ 			return TRUE;
--- dovecot_1-2-4_gssapi_patch.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


