Accepting request 1295283 from devel:languages:perl

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1295283
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/perl-Authen-SASL?expand=0&rev=30

Authen-SASL-2.1800.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b03686bddbbf7d5c6548e468d079a4051c9b73851df740ae28cfd2db234e922
+size 39499

perl-Authen-SASL-CVE-2025-40918.patch

@@ -0,0 +1,74 @@
+From 82e12b25963bd9d156a9006c9a0929f459b8536a Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <rrwo@cpan.org>
+Date: Thu, 10 Jul 2025 21:05:29 +0100
+Subject: [PATCH 1/3] Generate cnonce and nonce from system randomness
+
+This fixes CVE-2025-40918.
+---
+ lib/Authen/SASL/Perl/DIGEST_MD5.pm | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+index f089849..44d2109 100644
+--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
++++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5;
+ use strict;
+ use warnings;
+ use vars qw(@ISA $CNONCE $NONCE);
++use Crypt::URandom qw(urandom);
+ use Digest::MD5 qw(md5_hex md5);
+ use Digest::HMAC_MD5 qw(hmac_md5);
+ 
+@@ -201,7 +202,7 @@ sub server_start {
+ 
+   $self->{need_step} = 1;
+   $self->{error}     = undef;
+-  $self->{nonce}     = md5_hex($NONCE || join (":", $$, time, rand));
++  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
+ 
+   $self->init_sec_layer;
+ 
+@@ -260,7 +261,7 @@ sub client_step {   # $self, $server_sasl_credentials
+ 
+   my %response = (
+     nonce        => $sparams{'nonce'},
+-    cnonce       => md5_hex($CNONCE || join (":", $$, time, rand)),
++    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
+     'digest-uri' => $self->service . '/' . $self->host,
+     # calc how often the server nonce has been seen; server expects "00000001"
+     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),
+
+From 1284e47c1715ad7d0a8dc07d72d9524ca0da3f17 Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <rrwo@cpan.org>
+Date: Wed, 16 Jul 2025 19:59:42 +0100
+Subject: [PATCH 2/3] Add whitespace before conditional operator
+
+---
+ lib/Authen/SASL/Perl/DIGEST_MD5.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+index 44d2109..8c4a67a 100644
+--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
++++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+@@ -202,7 +202,7 @@ sub server_start {
+ 
+   $self->{need_step} = 1;
+   $self->{error}     = undef;
+-  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
++  $self->{nonce}     = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16));
+ 
+   $self->init_sec_layer;
+ 
+@@ -261,7 +261,7 @@ sub client_step {   # $self, $server_sasl_credentials
+ 
+   my %response = (
+     nonce        => $sparams{'nonce'},
+-    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
++    cnonce       => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)),
+     'digest-uri' => $self->service . '/' . $self->host,
+     # calc how often the server nonce has been seen; server expects "00000001"
+     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),
+
+

perl-Authen-SASL.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Mon Jul 21 10:03:21 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2025-40918 [bsc#1246623], insecurely generated client nonce
+  + perl-Authen-SASL-CVE-2025-40918.patch
+
+-------------------------------------------------------------------
+Sat Apr 26 05:33:44 UTC 2025 - Tina Müller <timueller+perl@suse.de>
+
+- updated to 2.180.0 (2.1800)
+   see /usr/share/doc/packages/perl-Authen-SASL/Changes
+
+
+  2.1800  TO BE RELEASED
+    [Changed]
+      - Minimum required Perl version 5.14+ (from 5.6.0);
+        Digest::HMAC_MD5 was 5.8.1, making 5.8.1 the effective minimum
+      - Move example code to the eg/ directory
+
+    [Added]
+      - Mechanisms XOAUTH2 and OAUTHBEARER added
+      - Include mechanisms available on server when
+        negotiation fails on the client
+      - Add `_acceptable()` function to allow mechanism
+        implementation classes to decline selection based
+        on the callback values
+
 -------------------------------------------------------------------
 Fri Mar  8 21:59:55 UTC 2024 - Tina Müller <tina.mueller@suse.com>
 

perl-Authen-SASL.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-Authen-SASL
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,33 +18,40 @@
 
 %define cpan_name Authen-SASL
 Name:           perl-Authen-SASL
-Version:        2.170.0
+Version:        2.180.0
 Release:        0
-%define cpan_version 2.1700
+# 2.1800 -> normalize -> 2.180.0
+%define cpan_version 2.1800
 License:        Artistic-1.0 OR GPL-1.0-or-later
 Summary:        SASL Authentication framework
 URL:            https://metacpan.org/release/%{cpan_name}
 Source0:        https://cpan.metacpan.org/authors/id/E/EH/EHUELS/%{cpan_name}-%{cpan_version}.tar.gz
 Source1:        cpanspec.yml
+# CVE-2025-40918 [bsc#1246623], insecurely generated client nonce
+Patch0:         perl-Authen-SASL-CVE-2025-40918.patch
 BuildArch:      noarch
 BuildRequires:  perl
 BuildRequires:  perl-macros
+BuildRequires:  perl(Crypt::URandom)
 BuildRequires:  perl(Digest::HMAC_MD5)
 BuildRequires:  perl(Pod::Coverage::TrustPod)
 BuildRequires:  perl(Test::Pod)
 BuildRequires:  perl(Test::Pod::Coverage)
+Requires:       perl(Crypt::URandom)
 Requires:       perl(Digest::HMAC_MD5)
-Provides:       perl(Authen::SASL) = 2.170.0
-Provides:       perl(Authen::SASL::CRAM_MD5) = 2.170.0
-Provides:       perl(Authen::SASL::EXTERNAL) = 2.170.0
-Provides:       perl(Authen::SASL::Perl) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::ANONYMOUS) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::CRAM_MD5) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::DIGEST_MD5) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::EXTERNAL) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::GSSAPI) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::LOGIN) = 2.170.0
-Provides:       perl(Authen::SASL::Perl::PLAIN) = 2.170.0
+Provides:       perl(Authen::SASL) = %{version}
+Provides:       perl(Authen::SASL::CRAM_MD5) = %{version}
+Provides:       perl(Authen::SASL::EXTERNAL) = %{version}
+Provides:       perl(Authen::SASL::Perl) = %{version}
+Provides:       perl(Authen::SASL::Perl::ANONYMOUS) = %{version}
+Provides:       perl(Authen::SASL::Perl::CRAM_MD5) = %{version}
+Provides:       perl(Authen::SASL::Perl::DIGEST_MD5) = %{version}
+Provides:       perl(Authen::SASL::Perl::EXTERNAL) = %{version}
+Provides:       perl(Authen::SASL::Perl::GSSAPI) = %{version}
+Provides:       perl(Authen::SASL::Perl::LOGIN) = %{version}
+Provides:       perl(Authen::SASL::Perl::OAUTHBEARER) = %{version}
+Provides:       perl(Authen::SASL::Perl::PLAIN) = %{version}
+Provides:       perl(Authen::SASL::Perl::XOAUTH2) = %{version}
 %undefine       __perllib_provides
 Recommends:     perl(GSSAPI)
 %{perl_requires}
@@ -85,7 +92,7 @@ or if you have another plugin module that supports the Authen::SASL API
  use Authen::SASL qw(My::SASL::Plugin);
 
 %prep
-%autosetup  -n %{cpan_name}-%{cpan_version}
+%autosetup  -n %{cpan_name}-%{cpan_version} -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -100,7 +107,7 @@ make test
 %perl_gen_filelist
 
 %files -f %{name}.files
-%doc api.txt Changes compat_pl example_pl README
+%doc api.txt Changes README
 %license LICENSE
 
 %changelog