Accepting request 950460 from home:dirkmueller:branches:openSUSE:Factory:Rings:1-MinimalX

- cyrus-sasl: prevent fail of %pre when berkely db utils are not installed (seems like we want to use this only for upgrade so no Prereq added) - move license to licensedir - remove use of RPM_BUILD_ROOT - minimal spec cleanups - avoid bashisms - postfix: sasl authentication with password fails (bsc#1194265) Add config parameter --with-dblib=gdbm - Avoid converting of /etc/sasldb2 by every update. Convert /etc/sasldb2 only if it is a Berkeley DB - CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage. (bsc#1180669) Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary files. - cyrus-sasl: prevent fail of %pre when berkely db utils are not installed (seems like we want to use this only for upgrade so no Prereq added) - move license to licensedir - remove use of RPM_BUILD_ROOT - minimal spec cleanups - avoid bashisms - postfix: sasl authentication with password fails (bsc#1194265) Add config parameter --with-dblib=gdbm - Avoid converting of /etc/sasldb2 by every update. Convert /etc/sasldb2 only if it is a Berkeley DB OBS-URL: https://build.opensuse.org/request/show/950460 OBS-URL: https://build.opensuse.org/package/show/network/cyrus-sasl?expand=0&rev=92
2022-02-03 15:26:40 +00:00 · 2022-02-03 15:26:40 +00:00 · 1371118b27
commit 1371118b27
parent e7fc61044a
8 changed files with 165 additions and 77 deletions
--- a/cyrus-sasl-bdb.changes
+++ b/cyrus-sasl-bdb.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jan 31 10:03:15 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- cyrus-sasl: prevent fail of %pre when berkely db utils are
+  not installed (seems like we want to use this only for upgrade
+  so no Prereq added) 
+- move license to licensedir
+- remove use of RPM_BUILD_ROOT
+- minimal spec cleanups
+- avoid bashisms
+
+-------------------------------------------------------------------
+Thu Jan 13 14:58:15 UTC 2022 - Peter Varkoly <varkoly@suse.com>
+
+- postfix: sasl authentication with password fails (bsc#1194265)
+  Add config parameter --with-dblib=gdbm
+- Avoid converting of /etc/sasldb2 by every update. Convert
+  /etc/sasldb2 only if it is a Berkeley DB
+
 -------------------------------------------------------------------
 Thu Feb 25 18:03:26 UTC 2021 - Peter Varkoly <varkoly@suse.com>

@ -5,6 +24,14 @@ Thu Feb 25 18:03:26 UTC 2021 - Peter Varkoly <varkoly@suse.com>
  not be linked to berkely db. libsasl2-3 is now defined as
  %BuildRequires and %Requires

+-------------------------------------------------------------------
+Fri Jan  8 11:32:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root
+  due to insecure tmp file usage. (bsc#1180669)
+  Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary
+  files.
+
 -------------------------------------------------------------------
 Tue Dec  8 13:33:33 UTC 2020 - Peter Varkoly <varkoly@suse.com>

--- a/cyrus-sasl-bdb.spec
+++ b/cyrus-sasl-bdb.spec
@ -205,7 +205,7 @@ rm -r $RPM_BUILD_ROOT%{_libdir}/libsasl2.so.3*
 find "%buildroot" -type f -name "*.la" -print -delete

 %files
-%defattr(-,root,root)
+%license COPYING
 %dir %{_libdir}/sasl2
 %{_libdir}/sasl2/libanonymous.so*
 %{_libdir}/sasl2/liblogin.so*
@ -215,51 +215,42 @@ find "%buildroot" -type f -name "*.la" -print -delete
 /usr/bin/*
 %doc %{_mandir}/man3/sasl.*.gz
 %doc %{_mandir}/man8/*.gz
-%doc COPYING

 %files gssapi
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libgssapiv2.so*

 %files crammd5
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libcrammd5.so*

 %files digestmd5
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libdigestmd5.so*

 %files otp
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libotp.so*

 %files plain
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libplain.so*

 %files ntlm
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libntlm.so*

 %files gs2
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libgs2.so*

 %files scram
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libscram.so*

 %files devel
-%defattr(-,root,root)
-%doc AUTHORS COPYING ChangeLog README doc
+%license COPYING
+%doc AUTHORS ChangeLog README doc
 %_includedir/sasl/
 %doc %{_mandir}/man3/sasl_*.gz
 %{_libdir}/libsasl2.so
--- a/cyrus-sasl-saslauthd-bdb.changes
+++ b/cyrus-sasl-saslauthd-bdb.changes
@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Mon Jan 31 10:03:15 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- cyrus-sasl: prevent fail of %pre when berkely db utils are
+  not installed (seems like we want to use this only for upgrade
+  so no Prereq added) 
+- move license to licensedir
+- remove use of RPM_BUILD_ROOT
+- minimal spec cleanups
+- avoid bashisms
+
+-------------------------------------------------------------------
+Thu Jan 13 14:58:15 UTC 2022 - Peter Varkoly <varkoly@suse.com>
+
+- postfix: sasl authentication with password fails (bsc#1194265)
+  Add config parameter --with-dblib=gdbm
+- Avoid converting of /etc/sasldb2 by every update. Convert
+  /etc/sasldb2 only if it is a Berkeley DB
+
+-------------------------------------------------------------------
+Thu Feb 25 18:03:26 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- Fix build: Do not build libsasl2-3 in the bdb package. This will
+  not be linked to berkely db. libsasl2-3 is now defined as
+  %BuildRequires and %Requires
+
+-------------------------------------------------------------------
+Fri Jan  8 11:32:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root
+  due to insecure tmp file usage. (bsc#1180669)
+  Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary
+  files.
+
 -------------------------------------------------------------------
 Tue Dec  8 13:33:33 UTC 2020 - Peter Varkoly <varkoly@suse.com>

--- a/cyrus-sasl-saslauthd-bdb.spec
+++ b/cyrus-sasl-saslauthd-bdb.spec
@ -155,22 +155,20 @@ install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}
 %service_add_post saslauthd.service

 %files
-%defattr(-,root,root)
+%license saslauthd/COPYING
 %{_fillupdir}/sysconfig.saslauthd
 %{_unitdir}/saslauthd.service
-%dir %attr(0755, root, root) %ghost /run/sasl2   
+%dir %attr(0755, root, root) %ghost /run/sasl2
 /usr/sbin/*
 /usr/bin/*
 %doc %{_mandir}/man8/*.gz
-%doc saslauthd/COPYING saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD
+%doc saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD

 %files -n cyrus-sasl-sqlauxprop-bdb
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libsql.so*

 %files -n cyrus-sasl-ldap-auxprop-bdb
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libldapdb.so*

--- a/cyrus-sasl-saslauthd.changes
+++ b/cyrus-sasl-saslauthd.changes
@ -1,10 +1,44 @@
+-------------------------------------------------------------------
+Mon Jan 31 10:03:15 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- cyrus-sasl: prevent fail of %pre when berkely db utils are
+  not installed (seems like we want to use this only for upgrade
+  so no Prereq added) 
+- move license to licensedir
+- remove use of RPM_BUILD_ROOT
+- minimal spec cleanups
+- avoid bashisms
+
+-------------------------------------------------------------------
+Thu Jan 13 14:58:15 UTC 2022 - Peter Varkoly <varkoly@suse.com>
+
+- postfix: sasl authentication with password fails (bsc#1194265)
+  Add config parameter --with-dblib=gdbm
+- Avoid converting of /etc/sasldb2 by every update. Convert
+  /etc/sasldb2 only if it is a Berkeley DB
+
+-------------------------------------------------------------------
+Thu Feb 25 18:03:26 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- Fix build: Do not build libsasl2-3 in the bdb package. This will
+  not be linked to berkely db. libsasl2-3 is now defined as
+  %BuildRequires and %Requires
+
+-------------------------------------------------------------------
+Fri Jan  8 11:32:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root
+  due to insecure tmp file usage. (bsc#1180669)
+  Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary
+  files.
+
 -------------------------------------------------------------------
 Tue Dec  8 13:33:33 UTC 2020 - Peter Varkoly <varkoly@suse.com>

 - Remove Berkeley DB dependency (JIRA#SLE-12190)
-  The pacakges cyrus-sasl and cyrus-sasl-saslauthd are build
+  The packages cyrus-sasl and cyrus-sasl-saslauthd are built
  without Berkely DB support. gdbm will be used instead of BDB.
-  The pacakges cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are build
+  The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built
  with Berkely DB support.
 - Update to 2.1.27
  * Added support for OpenSSL 1.1
--- a/cyrus-sasl-saslauthd.spec
+++ b/cyrus-sasl-saslauthd.spec
@ -155,22 +155,20 @@ install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}
 %service_add_post saslauthd.service

 %files
-%defattr(-,root,root)
+%license saslauthd/COPYING
 %{_fillupdir}/sysconfig.saslauthd
 %{_unitdir}/saslauthd.service
-%dir %attr(0755, root, root) %ghost /run/sasl2   
+%dir %attr(0755, root, root) %ghost /run/sasl2
 /usr/sbin/*
 /usr/bin/*
 %doc %{_mandir}/man8/*.gz
-%doc saslauthd/COPYING saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD
+%doc saslauthd/ChangeLog saslauthd/LDAP_SASLAUTHD

 %files -n cyrus-sasl-sqlauxprop
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libsql.so*

 %files -n cyrus-sasl-ldap-auxprop
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libldapdb.so*

--- a/cyrus-sasl.changes
+++ b/cyrus-sasl.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Jan 31 10:03:15 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- cyrus-sasl: prevent fail of %pre when berkely db utils are
+  not installed (seems like we want to use this only for upgrade
+  so no Prereq added) 
+- move license to licensedir
+- remove use of RPM_BUILD_ROOT
+- minimal spec cleanups
+- avoid bashisms
+
 -------------------------------------------------------------------
 Thu Jan 13 14:58:15 UTC 2022 - Peter Varkoly <varkoly@suse.com>

@ -6,6 +17,13 @@ Thu Jan 13 14:58:15 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - Avoid converting of /etc/sasldb2 by every update. Convert
  /etc/sasldb2 only if it is a Berkeley DB

+-------------------------------------------------------------------
+Thu Feb 25 18:03:26 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- Fix build: Do not build libsasl2-3 in the bdb package. This will
+  not be linked to berkely db. libsasl2-3 is now defined as
+  %BuildRequires and %Requires
+
 -------------------------------------------------------------------
 Fri Jan  8 11:32:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>

--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@ -16,38 +16,36 @@
 #


-Name:           cyrus-sasl
 %define lname	libsasl2-3
+Name:           cyrus-sasl
 Version:        2.1.27
 Release:        0
-URL:            http://asg.web.cmu.edu/sasl/
 Summary:        Implementation of Cyrus SASL API
 License:        BSD-4-Clause
 Group:          Productivity/Networking/Other
-
+URL:            http://asg.web.cmu.edu/sasl/
 Source:         %{name}-%{version}.tar.gz
 Source1:        cyrus-sasl-rc.tar.bz2
 Source2:        README.Source
 Source3:        baselibs.conf
-Patch:          cyrus-sasl.dif
+Patch0:         cyrus-sasl.dif
 # see https://github.com/cyrusimap/cyrus-sasl/issues/587
 Patch1:         cyrus-sasl-bug587.patch
 Patch5:         cyrus-sasl-no_rpath.patch
 Patch6:         cyrus-sasl-lfs.patch
 Patch7:         fix_libpq-fe_include.diff
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gdbm-devel
 BuildRequires:  krb5-mini-devel
 BuildRequires:  libtool
 BuildRequires:  openssl-devel
 BuildRequires:  opie
 BuildRequires:  pam-devel
-BuildRequires:  pkg-config
+BuildRequires:  pkgconfig
+Conflicts:      cyrus-sasl-bdb
 %ifarch ppc64
 # bug437293
 Obsoletes:      cyrus-sasl-64bit
 %endif
-Conflicts:      cyrus-sasl-bdb

 %package      gssapi
 Summary:        Plugin for the GSSAPI SASL mechanism
@ -98,16 +96,15 @@ Requires:       %{name} = %{version}
 Conflicts:      cyrus-sasl-bdb-scram

 %package      devel
-# bug437293
-%ifarch ppc64
-Obsoletes:      cyrus-sasl-devel-64bit
-%endif
-#
 Summary:        Cyrus SASL API Implementation, Libraries and Header Files
 Group:          Development/Libraries/C and C++
 Requires:       %lname = %version
 Requires:       glibc-devel
 Conflicts:      cyrus-sasl-devel-bdb
+# bug437293
+%ifarch ppc64
+Obsoletes:      cyrus-sasl-devel-64bit
+%endif

 %package -n libsasl2-3
 Summary:        Simple Authentication and Security Layer (SASL) library
@ -175,7 +172,7 @@ then
    echo "dlcompat contains potential legal risks."
    rm -rf %{_builddir}/%{name}-%{version}/dlcompat-*
 fi
-%patch
+%patch0
 %patch1 -p1
 %patch5 -p1
 %patch6 -p1
@ -187,7 +184,7 @@ autoreconf -f
 export CFLAGS="%optflags -fno-strict-aliasing"
 %configure --with-pic \
            --with-plugindir=%{_libdir}/sasl2 \
-            --with-configdir=/etc/sasl2/:%{_libdir}/sasl2 \
+            --with-configdir=%{_sysconfdir}/sasl2/:%{_libdir}/sasl2 \
 	    --with-saslauthd=/run/sasl2/ \
 	    --with-dblib=gdbm \
 	    --enable-pam \
@ -198,27 +195,28 @@ export CFLAGS="%optflags -fno-strict-aliasing"
 	    --enable-krb4=no \
            --enable-sql=no \
 	    --with-devrandom=/dev/urandom
-%{__make} %{?_smp_mflags} sasldir=%{_libdir}/sasl2
+%make_build sasldir=%{_libdir}/sasl2

 %install
-make DESTDIR=$RPM_BUILD_ROOT sasldir=%{_libdir}/sasl2 install
-mkdir -p $RPM_BUILD_ROOT/usr/bin
-mkdir -p $RPM_BUILD_ROOT/etc/sasl2
-install -m 755 sample/.libs/client $RPM_BUILD_ROOT/usr/bin/cyrus_sasl_sample_client
-install -m 755 sample/.libs/server $RPM_BUILD_ROOT/usr/bin/cyrus_sasl_sample_server
+make DESTDIR=%{buildroot} sasldir=%{_libdir}/sasl2 install
+mkdir -p %{buildroot}%{_bindir}
+mkdir -p %{buildroot}%{_sysconfdir}/sasl2
+install -m 755 sample/.libs/client %{buildroot}%{_bindir}/cyrus_sasl_sample_client
+install -m 755 sample/.libs/server %{buildroot}%{_bindir}/cyrus_sasl_sample_server
 chmod 0644 doc/*
 rm -f doc/Makefile*
-rm -f $RPM_BUILD_ROOT/%{_mandir}/cat?/*
-rm -f $RPM_BUILD_ROOT/%{_mandir}/man8/saslauthd*
-rm -f $RPM_BUILD_ROOT/usr/sbin/saslauthd
-rm -f $RPM_BUILD_ROOT/usr/sbin/testsaslauthd
-find "%buildroot" -type f -name "*.la" -print -delete
+rm -f %{buildroot}/%{_mandir}/cat?/*
+rm -f %{buildroot}/%{_mandir}/man8/saslauthd*
+rm -f %{buildroot}%{_sbindir}/saslauthd
+rm -f %{buildroot}%{_sbindir}/testsaslauthd
+find %{buildroot} -type f -name "*.la" -delete -print

 %pre
 #Convert password file from berkely into gdbm
 #In %pre the existing file will be dumped out
-if  /usr/bin/db_verify /etc/sasldb2 &> /dev/null ; then
-cat <<EOF > /var/adm/update-scripts/saslpw.awk
+
+if test -x %{_bindir}/db_verify && %{_bindir}/db_verify %{_sysconfdir}/sasldb2 >/dev/null 2>&1 ; then
+cat > %{_localstatedir}/adm/update-scripts/saslpw.awk <<EOF
 {
        split(\$0,b,/\\\00/)
        if( b[3] == "userPassword" ) {
@ -233,83 +231,73 @@ cat <<EOF > /var/adm/update-scripts/saslpw.awk
        }
 }
 EOF
-db_dump -p /etc/sasldb2 | gawk -f /var/adm/update-scripts/saslpw.awk > /var/adm/update-scripts/saslpwd
-rm -f /var/adm/update-scripts/saslpw.awk
-mv /etc/sasldb2 /etc/sasldb2-back
+db_dump -p %{_sysconfdir}/sasldb2 | gawk -f %{_localstatedir}/adm/update-scripts/saslpw.awk > %{_localstatedir}/adm/update-scripts/saslpwd
+rm -f %{_localstatedir}/adm/update-scripts/saslpw.awk
+mv %{_sysconfdir}/sasldb2 %{_sysconfdir}/sasldb2-back
 fi

 %post
-if [ -e /var/adm/update-scripts/saslpwd ]; then
-        chmod 755 /var/adm/update-scripts/saslpwd
-        /var/adm/update-scripts/saslpwd
-	rm -f /var/adm/update-scripts/saslpwd
+if [ -e %{_localstatedir}/adm/update-scripts/saslpwd ]; then
+        chmod 755 %{_localstatedir}/adm/update-scripts/saslpwd
+        %{_localstatedir}/adm/update-scripts/saslpwd
+	rm -f %{_localstatedir}/adm/update-scripts/saslpwd
 fi

 %post   -n %lname -p /sbin/ldconfig
 %postun -n %lname -p /sbin/ldconfig

 %files -n %lname
-%defattr(-,root,root)
 %{_libdir}/libsasl2.so.3*

 %files
-%defattr(-,root,root)
+%license COPYING
 %dir %{_libdir}/sasl2
 %{_libdir}/sasl2/libanonymous.so*
 %{_libdir}/sasl2/liblogin.so*
 %{_libdir}/sasl2/libsasldb.so*
-%dir /etc/sasl2/
-/usr/sbin/*
-/usr/bin/*
-%doc %{_mandir}/man3/sasl.*.gz
-%doc %{_mandir}/man8/*.gz
-%doc COPYING
+%dir %{_sysconfdir}/sasl2/
+%{_sbindir}/*
+%{_bindir}/*
+%{_mandir}/man3/sasl.*.gz
+%{_mandir}/man8/*.gz

 %files gssapi
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libgssapiv2.so*

 %files crammd5
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libcrammd5.so*

 %files digestmd5
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libdigestmd5.so*

 %files otp
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libotp.so*

 %files plain
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libplain.so*

 %files ntlm
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libntlm.so*

 %files gs2
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libgs2.so*

 %files scram
-%defattr(-,root,root)
 %dir %_libdir/sasl2/
 %{_libdir}/sasl2/libscram.so*

 %files devel
-%defattr(-,root,root)
-%doc AUTHORS COPYING ChangeLog README doc
+%license COPYING
+%doc AUTHORS ChangeLog README doc
 %_includedir/sasl/
-%doc %{_mandir}/man3/sasl_*.gz
+%{_mandir}/man3/sasl_*.gz
 %{_libdir}/libsasl2.so
 %{_libdir}/pkgconfig/*