commit atheme for openSUSE:Factory
Hello community, here is the log from the commit of package atheme for openSUSE:Factory checked in at 2017-03-31 15:10:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/atheme (Old) and /work/SRC/openSUSE:Factory/.atheme.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "atheme" Fri Mar 31 15:10:14 2017 rev:21 rq:483748 version:7.2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/atheme/atheme.changes 2016-12-02 16:41:02.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.atheme.new/atheme.changes 2017-03-31 15:10:26.172336771 +0200 @@ -1,0 +2,12 @@ +Thu Mar 30 07:15:51 UTC 2017 - jengelh@inai.de + +- Update to new upstream release 7.2.8 + * Close a memory leak that could be exploited by attackers to + potentially cause a denial of service. + [CVE-2017-6384, boo#1027614] +- Update to new upstream release 7.2.9 + * Fixing use after free that could potentially be used by an + attacker already having the privilege to use SASL impersonation + to cause a denial of service. + +------------------------------------------------------------------- Old: ---- atheme-7.2.7.tar.bz2 New: ---- atheme-7.2.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ atheme.spec ++++++ --- /var/tmp/diff_new_pack.XorBuO/_old 2017-03-31 15:10:26.880236687 +0200 +++ /var/tmp/diff_new_pack.XorBuO/_new 2017-03-31 15:10:26.884236121 +0200 @@ -1,7 +1,7 @@ # # spec file for package atheme # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,7 +18,7 @@ Name: atheme %define lname libathemecore1 -Version: 7.2.7 +Version: 7.2.9 Release: 0 Url: http://atheme.net/ Summary: Extensible IRC services ++++++ atheme-7.2.7.tar.bz2 -> atheme-7.2.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/NEWS.md new/atheme-7.2.9/NEWS.md --- old/atheme-7.2.7/NEWS.md 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/NEWS.md 2017-02-12 15:58:54.000000000 +0100 @@ -1,3 +1,18 @@ +Atheme Services 7.2.9 Release Notes +=================================== + +This is a security release fixing use after free that could potentially be abused +by an attacker already having the privilege to use SASL impersonation to cause a +denial of service. Users of 7.2.8 should update to version 7.2.9; older releases +are not affected. + +Atheme Services 7.2.8 Release Notes +=================================== + +This is a security release fixing a memory leak that could potentially be abused +by attackers to cause a denial of service. Users of Atheme 7.2.7 should update to +version 7.2.8; older releases are not affected. + Atheme Services 7.2.7 Release Notes =================================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/configure new/atheme-7.2.9/configure --- old/atheme-7.2.7/configure 2016-10-08 18:58:57.000000000 +0200 +++ new/atheme-7.2.9/configure 2017-02-12 16:02:49.000000000 +0100 @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for atheme 7.2.7. +# Generated by GNU Autoconf 2.69 for atheme 7.2.9. # -# Report bugs to <https://github.com/atheme/atheme/issues>. +# Report bugs to <https://github.com/atheme/atheme/issues/>. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -267,7 +267,7 @@ $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and -$0: https://github.com/atheme/atheme/issues about your +$0: https://github.com/atheme/atheme/issues/ about your $0: system, including any error possibly output before this $0: message. Then install a modern shell, or manually run $0: the script under such a shell if you do have one." @@ -580,9 +580,9 @@ # Identity of this package. PACKAGE_NAME='atheme' PACKAGE_TARNAME='atheme' -PACKAGE_VERSION='7.2.7' -PACKAGE_STRING='atheme 7.2.7' -PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues' +PACKAGE_VERSION='7.2.9' +PACKAGE_STRING='atheme 7.2.9' +PACKAGE_BUGREPORT='https://github.com/atheme/atheme/issues/' PACKAGE_URL='' ac_default_prefix=~/atheme @@ -1341,7 +1341,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures atheme 7.2.7 to adapt to many kinds of systems. +\`configure' configures atheme 7.2.9 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1406,7 +1406,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of atheme 7.2.7:";; + short | recursive ) echo "Configuration of atheme 7.2.9:";; esac cat <<\_ACEOF @@ -1466,7 +1466,7 @@ Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to <https://github.com/atheme/atheme/issues>. +Report bugs to <https://github.com/atheme/atheme/issues/>. _ACEOF ac_status=$? fi @@ -1529,7 +1529,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -atheme configure 7.2.7 +atheme configure 7.2.9 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1688,9 +1688,9 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -( $as_echo "## ------------------------------------------------------ ## -## Report this to https://github.com/atheme/atheme/issues ## -## ------------------------------------------------------ ##" +( $as_echo "## ------------------------------------------------------- ## +## Report this to https://github.com/atheme/atheme/issues/ ## +## ------------------------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac @@ -2038,7 +2038,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by atheme $as_me 7.2.7, which was +It was created by atheme $as_me 7.2.9, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4831,7 +4831,7 @@ PACKAGE=atheme -VERSION=7.2.7 +VERSION=7.2.9 @@ -10462,7 +10462,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by atheme $as_me 7.2.7, which was +This file was extended by atheme $as_me 7.2.9, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -10522,13 +10522,13 @@ Configuration commands: $config_commands -Report bugs to <https://github.com/atheme/atheme/issues>." +Report bugs to <https://github.com/atheme/atheme/issues/>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -atheme config.status 7.2.7 +atheme config.status 7.2.9 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/configure.ac new/atheme-7.2.9/configure.ac --- old/atheme-7.2.7/configure.ac 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/configure.ac 2017-02-12 15:58:54.000000000 +0100 @@ -7,7 +7,7 @@ AC_PREREQ(2.59) -AC_INIT(atheme, 7.2.7, [https://github.com/atheme/atheme/issues]) +AC_INIT(atheme, 7.2.9, [https://github.com/atheme/atheme/issues/]) AC_CONFIG_AUX_DIR(autoconf) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/dist/atheme.conf.example new/atheme-7.2.9/dist/atheme.conf.example --- old/atheme-7.2.7/dist/atheme.conf.example 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/dist/atheme.conf.example 2017-02-12 15:58:54.000000000 +0100 @@ -107,8 +107,8 @@ * * The following crypto modules are available: * - * PBKDF2 cryptography (new) modules/crypto/pbkdf2v2 - * PBKDF2 cryptography (old) modules/crypto/pbkdf2 + * PBKDF2 cryptography (new, recommended) modules/crypto/pbkdf2v2 + * PBKDF2 cryptography (old, compatibility) modules/crypto/pbkdf2 * POSIX-style crypt(3) modules/crypto/posix * IRCServices (also Anope etc) compatibility modules/crypto/ircservices * Raw MD5 (Anope compatibility) modules/crypto/rawmd5 @@ -126,6 +126,7 @@ * * The rawsha1 and pbkdf2/pbkdf2v2 modules require OpenSSL. */ +#loadmodule "modules/crypto/pbkdf2v2"; loadmodule "modules/crypto/posix"; /* Authentication module. 
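Review bot: The second hunk of the config example leaves the module the header now calls "recommended" disabled — `#loadmodule "modules/crypto/pbkdf2v2";` is added commented out while `loadmodule "modules/crypto/posix";` stays active — so a fresh deployment built from this file keeps hashing new passwords with whatever crypt(3) the platform libc provides. If the services core verifies stored hashes against every loaded crypto module, the safer default is to ship `loadmodule "modules/crypto/pbkdf2v2";` uncommented and keep posix loaded for existing hashes; I cannot confirm that fallback behaviour from this hunk, so check it before flipping the default. Failing that, the comment above the loadmodule lines should say why posix remains the shipped default and what an operator gives up by not enabling pbkdf2v2.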
@@ -803,6 +804,27 @@ * SERVICES RUNTIME CONFIGURATION SECTION. * ******************************************************************************/ +/* + * If you are using the crypto/pbkdf2v2 module, you may wish to edit this block + * + * It is recommended to either leave the values at the defaults, or experiment + * with them so that it takes approximately 1 second for users to identify. + */ +pbkdf2v2 { + + /* digest + * Valid values are "SHA256" and "SHA512" + * The default is "SHA512" + */ + #digest = "SHA512"; + + /* rounds + * Valid values are 10000 to 5000000 (inclusive) + * The default is 64000 + */ + #rounds = 64000; +}; + /* The serverinfo{} block defines how we appear on the IRC network. */ serverinfo { /* name diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/email/default/register new/atheme-7.2.9/email/default/register --- old/atheme-7.2.7/email/default/register 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/email/default/register 2017-02-12 15:58:54.000000000 +0100 @@ -9,7 +9,7 @@ In order to complete your account registration, you must type the following command on IRC: - /msg &nicksvs& VERIFY REGISTER &accountname& ¶m& +/msg &nicksvs& VERIFY REGISTER &accountname& ¶m& Thank you for registering your account on the &netname& IRC network! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/email/default/setemail new/atheme-7.2.9/email/default/setemail --- old/atheme-7.2.7/email/default/setemail 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/email/default/setemail 2017-02-12 15:58:54.000000000 +0100 
@@ -9,7 +9,7 @@ In order to complete the e-mail address change, you must verify your new e-mail address by issuing the following command on IRC: - /msg &nicksvs& VERIFY EMAILCHG &accountname& ¶m& +/msg &nicksvs& VERIFY EMAILCHG &accountname& ¶m& Thank you for updating your e-mail address on file with the &netname& IRC network! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/email/default/setpass new/atheme-7.2.9/email/default/setpass --- old/atheme-7.2.7/email/default/setpass 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/email/default/setpass 2017-02-12 15:58:54.000000000 +0100 @@ -14,7 +14,7 @@ In order to set a new password, you must send the following command on IRC, where <password> is the new password you wish to set. - /msg &nicksvs& SETPASS &accountname& ¶m& <password> +/msg &nicksvs& SETPASS &accountname& ¶m& <password> -- If this message is unsolicited, please contact &replyto& diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/include/serno.h new/atheme-7.2.9/include/serno.h --- old/atheme-7.2.7/include/serno.h 2016-10-08 18:58:57.000000000 +0200 +++ new/atheme-7.2.9/include/serno.h 2017-02-12 16:02:49.000000000 +0100 @@ -1,2 +1,2 @@ /* Generated automatically by makepackage. Any changes made here will be lost. */ -#define SERNO "ddc1fd73ee114b0f6d7a714db22c51c23c719b6e" +#define SERNO "4db7745cc39e835c6bd00ad9fac6a8c9b71fabaa" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/include/sysconf.h.in~ new/atheme-7.2.9/include/sysconf.h.in~ --- old/atheme-7.2.7/include/sysconf.h.in~ 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/include/sysconf.h.in~ 1970-01-01 01:00:00.000000000 +0100 
@@ -1,290 +0,0 @@ -/* include/sysconf.h.in. Generated from configure.ac by autoheader. */ - -/* Define if building universal (internal helper macro) */ -#undef AC_APPLE_UNIVERSAL_BUILD - -/* Define to 1 if translation of program messages to the user's native - language is requested. */ -#undef ENABLE_NLS - -/* Define to 1 if you have the `arc4random' function. */ -#undef HAVE_ARC4RANDOM - -/* Define to 1 if you have the `arc4random_buf' function. */ -#undef HAVE_ARC4RANDOM_BUF - -/* Define to 1 if you have the `arc4random_uniform' function. */ -#undef HAVE_ARC4RANDOM_UNIFORM - -/* Define to 1 if you have the `asprintf' function. */ -#undef HAVE_ASPRINTF - -/* Define if crypt() is available */ -#undef HAVE_CRYPT - -/* Define if the GNU dcgettext() function is already present or preinstalled. - */ -#undef HAVE_DCGETTEXT - -/* Define to 1 if you have the `execve' function. */ -#undef HAVE_EXECVE - -/* Define to 1 if you have the `explicit_bzero' function. */ -#undef HAVE_EXPLICIT_BZERO - -/* Define to 1 if you have the `fork' function. */ -#undef HAVE_FORK - -/* Define to 1 if you have the `getpid' function. */ -#undef HAVE_GETPID - -/* Define to 1 if you have the `getrlimit' function. */ -#undef HAVE_GETRLIMIT - -/* Define if the GNU gettext() function is already present or preinstalled. */ -#undef HAVE_GETTEXT - -/* Define to 1 if you have the `gettimeofday' function. */ -#undef HAVE_GETTIMEOFDAY - -/* Define if you have the iconv() function. */ -#undef HAVE_ICONV - -/* Define to 1 if you have the `inet_ntop' function. */ -#undef HAVE_INET_NTOP - -/* Define to 1 if you have the `inet_pton' function. */ -#undef HAVE_INET_PTON - -/* Define to 1 if the system has the type `intmax_t'. */ -#undef HAVE_INTMAX_T - -/* Define to 1 if you have the <inttypes.h> header file. */ -#undef HAVE_INTTYPES_H - -/* Define to 1 if you have the `nsl' library (-lnsl). 
*/ -#undef HAVE_LIBNSL - -/* Define to 1 if libqrencode is available */ -#undef HAVE_LIBQRENCODE - -/* Define to 1 if you have the `socket' library (-lsocket). */ -#undef HAVE_LIBSOCKET - -/* Define to 1 if you have the <link.h> header file. */ -#undef HAVE_LINK_H - -/* Define to 1 if you have the `localeconv' function. */ -#undef HAVE_LOCALECONV - -/* Define to 1 if you have the <locale.h> header file. */ -#undef HAVE_LOCALE_H - -/* Define to 1 if the system has the type `long double'. */ -#undef HAVE_LONG_DOUBLE - -/* Define to 1 if the system has the type 'long long int'. */ -#undef HAVE_LONG_LONG_INT - -/* Define to 1 if you have the <memory.h> header file. */ -#undef HAVE_MEMORY_H - -/* Define to 1 if you have the `memset_s' function. */ -#undef HAVE_MEMSET_S - -/* Define to 1 if openssl is available */ -#undef HAVE_OPENSSL - -/* Define to 1 if you have the <openssl/ec.h> header file. */ -#undef HAVE_OPENSSL_EC_H - -/* Define to 1 if you have the <openssl/err.h> header file. */ -#undef HAVE_OPENSSL_ERR_H - -/* Define to 1 if you have the <openssl/ssl.h> header file. */ -#undef HAVE_OPENSSL_SSL_H - -/* Define if you want to use PCRE */ -#undef HAVE_PCRE - -/* Define to 1 if the system has the type `ptrdiff_t'. */ -#undef HAVE_PTRDIFF_T - -/* Define to 1 if you have a C99 compliant `snprintf' function. */ -#undef HAVE_SNPRINTF - -/* Define to 1 if you have the <stdarg.h> header file. */ -#undef HAVE_STDARG_H - -/* Define to 1 if you have the <stddef.h> header file. */ -#undef HAVE_STDDEF_H - -/* Define to 1 if you have the <stdint.h> header file. */ -#undef HAVE_STDINT_H - -/* Define to 1 if you have the <stdlib.h> header file. */ -#undef HAVE_STDLIB_H - -/* Define to 1 if you have the `strcasestr' function. */ -#undef HAVE_STRCASESTR - -/* Define to 1 if you have the <strings.h> header file. */ -#undef HAVE_STRINGS_H - -/* Define to 1 if you have the <string.h> header file. */ -#undef HAVE_STRING_H - -/* Define to 1 if you have the `strtok_r' function. 
*/ -#undef HAVE_STRTOK_R - -/* Define to 1 if `decimal_point' is a member of `struct lconv'. */ -#undef HAVE_STRUCT_LCONV_DECIMAL_POINT - -/* Define to 1 if `thousands_sep' is a member of `struct lconv'. */ -#undef HAVE_STRUCT_LCONV_THOUSANDS_SEP - -/* Define to 1 if you have the <sys/stat.h> header file. */ -#undef HAVE_SYS_STAT_H - -/* Define to 1 if you have the <sys/types.h> header file. */ -#undef HAVE_SYS_TYPES_H - -/* Define to 1 if the system has the type `uintmax_t'. */ -#undef HAVE_UINTMAX_T - -/* Define to 1 if the system has the type `uintptr_t'. */ -#undef HAVE_UINTPTR_T - -/* Define to 1 if you have the `umask' function. */ -#undef HAVE_UMASK - -/* Define to 1 if you have the <unistd.h> header file. */ -#undef HAVE_UNISTD_H - -/* Define to 1 if the system has the type 'unsigned long long int'. */ -#undef HAVE_UNSIGNED_LONG_LONG_INT - -/* Define to 1 if you have the <varargs.h> header file. */ -#undef HAVE_VARARGS_H - -/* Define to 1 if you have the `vasprintf' function. */ -#undef HAVE_VASPRINTF - -/* Define to 1 if you have the `va_copy' function or macro. */ -#undef HAVE_VA_COPY - -/* Define to 1 if you have a C99 compliant `vsnprintf' function. */ -#undef HAVE_VSNPRINTF - -/* Define to 1 if you have the `__va_copy' function or macro. */ -#undef HAVE___VA_COPY - -/* Uncomment to enable reproducible builds. */ -#undef REPRODUCIBLE_BUILDS - -/* Uncomment to enable large network support. */ -#undef LARGE_NETWORK - -/* Name of package */ -#undef PACKAGE - -/* Define to the address where bug reports for this package should be sent. */ -#undef PACKAGE_BUGREPORT - -/* Define to the full name of this package. */ -#undef PACKAGE_NAME - -/* Define to the full name and version of this package. */ -#undef PACKAGE_STRING - -/* Define to the one symbol short name of this package. */ -#undef PACKAGE_TARNAME - -/* Define to the home page for this package. */ -#undef PACKAGE_URL - -/* Define to the version of this package. 
*/ -#undef PACKAGE_VERSION - -/* Define to 1 if you have the ANSI C header files. */ -#undef STDC_HEADERS - -/* Enable extensions on AIX 3, Interix. */ -#ifndef _ALL_SOURCE -# undef _ALL_SOURCE -#endif -/* Enable GNU extensions on systems that have them. */ -#ifndef _GNU_SOURCE -# undef _GNU_SOURCE -#endif -/* Enable threading extensions on Solaris. */ -#ifndef _POSIX_PTHREAD_SEMANTICS -# undef _POSIX_PTHREAD_SEMANTICS -#endif -/* Enable extensions on HP NonStop. */ -#ifndef _TANDEM_SOURCE -# undef _TANDEM_SOURCE -#endif -/* Enable general extensions on Solaris. */ -#ifndef __EXTENSIONS__ -# undef __EXTENSIONS__ -#endif - - -/* Vendor and URL for modules's "vendor" field */ -#undef VENDOR_STRING - -/* Version number of package */ -#undef VERSION - -/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most - significant byte first (like Motorola and SPARC, unlike Intel). */ -#if defined AC_APPLE_UNIVERSAL_BUILD -# if defined __BIG_ENDIAN__ -# define WORDS_BIGENDIAN 1 -# endif -#else -# ifndef WORDS_BIGENDIAN -# undef WORDS_BIGENDIAN -# endif -#endif - -/* Define to 1 if on MINIX. */ -#undef _MINIX - -/* Define to 2 if the system does not provide POSIX.1 features except with - this defined. */ -#undef _POSIX_1_SOURCE - -/* Define to 1 if you need to in order for `stat' and other things to work. */ -#undef _POSIX_SOURCE - -/* Define to rpl_asprintf if the replacement function should be used. */ -#undef asprintf - -/* Define to empty if `const' does not conform to ANSI C. */ -#undef const - -/* Define to the widest signed integer type if <stdint.h> and <inttypes.h> do - not define. */ -#undef intmax_t - -/* Define to `unsigned int' if <sys/types.h> does not define. */ -#undef size_t - -/* Define to rpl_snprintf if the replacement function should be used. */ -#undef snprintf - -/* Define to the widest unsigned integer type if <stdint.h> and <inttypes.h> - do not define. 
*/ -#undef uintmax_t - -/* Define to the type of an unsigned integer type wide enough to hold a - pointer, if such a type exists, and if the system does not define it. */ -#undef uintptr_t - -/* Define to rpl_vasprintf if the replacement function should be used. */ -#undef vasprintf - -/* Define to rpl_vsnprintf if the replacement function should be used. */ -#undef vsnprintf diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/modules/crypto/pbkdf2.c new/atheme-7.2.9/modules/crypto/pbkdf2.c --- old/atheme-7.2.7/modules/crypto/pbkdf2.c 2016-10-08 16:58:00.000000000 +0200 +++ new/atheme-7.2.9/modules/crypto/pbkdf2.c 2017-02-12 15:58:54.000000000 +0100 
@@ -31,65 +31,6 @@
 #define ROUNDS (128000)
 #define SALTLEN (16)
-/* This is an implementation of PKCS#5 v2.0 password based encryption key
- * derivation function PBKDF2.
- * SHA1 version verified against test vectors posted by Peter Gutmann
- * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
- const unsigned char *salt, int saltlen, int iter,
- const EVP_MD *digest,
- int keylen, unsigned char *out)
-{
- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
- int cplen, j, k, tkeylen, mdlen;
- unsigned long i = 1;
- HMAC_CTX hctx;
-
- mdlen = EVP_MD_size(digest);
-
- HMAC_CTX_init(&hctx);
- p = out;
- tkeylen = keylen;
- if(!pass)
- passlen = 0;
- else if(passlen == -1)
- passlen = strlen(pass);
- while(tkeylen)
- {
- if(tkeylen > mdlen)
- cplen = mdlen;
- else
- cplen = tkeylen;
- /* We are unlikely to ever use more than 256 blocks (5120 bits!)
- * but just in case...
- */
- itmp[0] = (unsigned char)((i >> 24) & 0xff);
- itmp[1] = (unsigned char)((i >> 16) & 0xff);
- itmp[2] = (unsigned char)((i >> 8) & 0xff);
- itmp[3] = (unsigned char)(i & 0xff);
- HMAC_Init_ex(&hctx, pass, passlen, digest, NULL);
- HMAC_Update(&hctx, salt, saltlen);
- HMAC_Update(&hctx, itmp, 4);
- HMAC_Final(&hctx, digtmp, NULL);
- memcpy(p, digtmp, cplen);
- for(j = 1; j < iter; j++)
- {
- HMAC(digest, pass, passlen,
- digtmp, mdlen, digtmp, NULL);
- for(k = 0; k < cplen; k++)
- p[k] ^= digtmp[k];
- }
- tkeylen-= cplen;
- i++;
- p+= cplen;
- }
- HMAC_CTX_cleanup(&hctx);
- return 1;
-}
-
-/*******************************************************************************************/
-
 static const char *pbkdf2_salt(void)
 {
 static char buf[SALTLEN + 1];
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/modules/crypto/pbkdf2v2.c new/atheme-7.2.9/modules/crypto/pbkdf2v2.c
--- old/atheme-7.2.7/modules/crypto/pbkdf2v2.c 2016-10-08 16:58:00.000000000 +0200
+++ new/atheme-7.2.9/modules/crypto/pbkdf2v2.c 2017-02-12 15:58:54.000000000 +0100
@@ -28,13 +28,6 @@
 #include <openssl/evp.h>
 /*
- * You can change the 2 values below without invalidating old hashes
- */
-
-#define PBKDF2_PRF_DEF 6
-#define PBKDF2_ITER_DEF 64000
-
-/*
 * Do not change anything below this line unless you know what you are doing,
 * AND how it will (possibly) break backward-, forward-, or cross-compatibility
 *
@@ -47,65 +40,15 @@
 #define PBKDF2_F_SALT "$z$%u$%u$%s$"
 #define PBKDF2_F_PRINT "$z$%u$%u$%s$%s"
+#define PBKDF2_C_MIN 10000
+#define PBKDF2_C_MAX 5000000
+#define PBKDF2_C_DEF 64000
+
 static const char salt_chars[62] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";
-/*
- * This equivalent implementation provided incase the user doesn't
- * have a new enough OpenSSL library installed on their machine
- */
-int PKCS5_PBKDF2_HMAC(const char *pass, int pl,
- const unsigned char *salt, int sl,
- int iter, const EVP_MD *PRF,
- int dkLen, unsigned char *out)
-{
- if (! pass)
- pl = 0;
-
- if (pass && pl < 0)
- pl = strlen(pass);
-
- int tkLen = dkLen;
- int mdLen = EVP_MD_size(PRF);
- unsigned char *p = out;
- unsigned long i = 1;
-
- HMAC_CTX hctx;
- HMAC_CTX_init(&hctx);
-
- while (tkLen) {
-
- unsigned char itmp[4];
- itmp[0] = (unsigned char) ((i >> 24) & 0xFF);
- itmp[1] = (unsigned char) ((i >> 16) & 0xFF);
- itmp[2] = (unsigned char) ((i >> 8) & 0xFF);
- itmp[3] = (unsigned char) ((i >> 0) & 0xFF);
- i++;
-
- unsigned char digtmp[EVP_MAX_MD_SIZE];
- HMAC_Init_ex(&hctx, pass, pl, PRF, NULL);
- HMAC_Update(&hctx, salt, sl);
- HMAC_Update(&hctx, itmp, 4);
- HMAC_Final(&hctx, digtmp, NULL);
-
- int cpLen = (tkLen > mdLen) ? mdLen : tkLen;
- memcpy(p, digtmp, cpLen);
-
- int j, k;
- for (j = 1; j < iter; j++) {
- HMAC(PRF, pass, pl, digtmp, mdLen, digtmp, NULL);
- for (k = 0; k < cpLen; k++)
- p[k] ^= digtmp[k];
- }
-
- tkLen -= cpLen;
- p += cpLen;
- }
-
- HMAC_CTX_cleanup(&hctx);
-
- return 1;
-}
+static unsigned int pbkdf2v2_digest = 6; /* SHA512 */
+static unsigned int pbkdf2v2_rounds = PBKDF2_C_DEF;
 static const char *pbkdf2v2_make_salt(void)
 {
@@ -119,7 +62,7 @@
 salt[i] = salt_chars[arc4random() % sizeof salt_chars];
 (void) snprintf(result, sizeof result, PBKDF2_F_SALT,
- PBKDF2_PRF_DEF, PBKDF2_ITER_DEF, salt);
+ pbkdf2v2_digest, pbkdf2v2_rounds, salt);
 return result;
 }
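Review bot: The PRF identifiers are bare magic numbers in the new code — `static unsigned int pbkdf2v2_digest = 6; /* SHA512 */` here, and the same 5/6 literals reappear in the DIGEST config handler later in this file — so a typo in either place silently emits hashes tagged with a PRF the verifier cannot map back. Name them next to the other format constants, `#define PBKDF2_PRF_SHA256 5` and `#define PBKDF2_PRF_SHA512 6`, and initialise with `PBKDF2_PRF_SHA512`. Separately, the unchanged context line `salt_chars[arc4random() % sizeof salt_chars]` carries a small modulo bias because 2^32 is not a multiple of 62; `arc4random_uniform(sizeof salt_chars)` removes it, and the stale sysconf.h.in~ deleted earlier in this diff lists a HAVE_ARC4RANDOM_UNIFORM probe, so the build may already detect it, though that is not visible from this hunk. Both functions touched by these two hunks begin or end outside the visible lines.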
@@ -189,30 +132,59 @@
 if (sscanf(user_pass_string, PBKDF2_F_SCAN, &prf, &iter, salt) < 3)
 return 0;
- if (prf != PBKDF2_PRF_DEF)
+ if (prf != pbkdf2v2_digest)
 return 1;
- if (iter != PBKDF2_ITER_DEF)
+ if (iter != pbkdf2v2_rounds)
 return 1;
 return 0;
 }
-static crypt_impl_t pbkdf2_crypt_impl = {
+static int c_ci_pbkdf2v2_digest(mowgli_config_file_entry_t *ce)
+{
+ if (ce->vardata == NULL)
+ {
+ conf_report_warning(ce, "no parameter for configuration option");
+ return 0;
+ }
+
+ if (!strcasecmp(ce->vardata, "SHA256"))
+ pbkdf2v2_digest = 5;
+ else if (!strcasecmp(ce->vardata, "SHA512"))
+ pbkdf2v2_digest = 6;
+ else
+ conf_report_warning(ce, "invalid parameter for configuration option");
+
+ return 0;
+}
+
+static crypt_impl_t pbkdf2v2_crypt_impl = {
 .id = "pbkdf2v2",
 .crypt = &pbkdf2v2_crypt,
 .salt = &pbkdf2v2_make_salt,
 .needs_param_upgrade = &pbkdf2v2_needs_param_upgrade,
 };
+static mowgli_list_t conf_pbkdf2v2_table;
+
 void _modinit(module_t* m)
 {
- crypt_register(&pbkdf2_crypt_impl);
+ crypt_register(&pbkdf2v2_crypt_impl);
+
+ add_subblock_top_conf("PBKDF2V2", &conf_pbkdf2v2_table);
+ add_conf_item("DIGEST", &conf_pbkdf2v2_table, c_ci_pbkdf2v2_digest);
+ add_uint_conf_item("ROUNDS", &conf_pbkdf2v2_table, 0, &pbkdf2v2_rounds,
+ PBKDF2_C_MIN, PBKDF2_C_MAX, PBKDF2_C_DEF);
 }
 void _moddeinit(module_unload_intent_t intent)
 {
- crypt_unregister(&pbkdf2_crypt_impl);
+ del_conf_item("DIGEST", &conf_pbkdf2v2_table);
+ del_conf_item("ROUNDS", &conf_pbkdf2v2_table);
+ del_top_conf("PBKDF2V2");
+
+ crypt_unregister(&pbkdf2v2_crypt_impl);
 }
-#endif
+#endif /* HAVE_OPENSSL */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/modules/memoserv/main.c new/atheme-7.2.9/modules/memoserv/main.c
--- old/atheme-7.2.7/modules/memoserv/main.c 2016-10-08 16:58:00.000000000 +0200
+++ new/atheme-7.2.9/modules/memoserv/main.c 2017-02-12 15:58:54.000000000 +0100
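Review bot: `pbkdf2v2_needs_param_upgrade` now reports an "upgrade" whenever the stored iteration count merely differs from the configured one (`if (iter != pbkdf2v2_rounds)`), so an administrator who lowers `rounds` to speed up logins causes every stronger existing hash to be re-derived with fewer iterations at the owner's next identify, which is a downgrade. If that is not the intended policy the comparison should be one-directional, `if (iter < pbkdf2v2_rounds)`, and the digest check just above it deserves the same thought, since switching the configured digest from SHA512 to SHA256 would likewise rewrite stronger hashes. Whichever way it is decided, a one-line comment on the function stating the policy would stop the next reader from guessing; I'm assuming `prf` and `iter` come straight from the stored hash string parsed by the sscanf at the top, since the function's opening lines are above this hunk. Minor: the "invalid parameter" warning in `c_ci_pbkdf2v2_digest` could name the accepted values, `conf_report_warning(ce, "invalid parameter for configuration option (expected SHA256 or SHA512)");`.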
@@ -38,6 +38,9 @@
 void _moddeinit(module_unload_intent_t intent)
 {
+ hook_del_user_identify(on_user_identify);
+ hook_del_user_away(on_user_away);
+
 if (memosvs != NULL)
 service_delete(memosvs);
 }
@@ -54,6 +57,11 @@
 notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"), ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
 }
+ if (mu->memos.count >= maxmemos)
+ {
+ notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+ "delete memos you no longer need."));
+ }
 }
 static void on_user_away(user_t *u)
@@ -80,6 +88,11 @@
 notice(memosvs->me->nick, u->nick, _("To read them, type /%s%s READ NEW"), ircd->uses_rcommand ? "" : "msg ", memosvs->disp);
 }
+ if (mu->memos.count >= maxmemos)
+ {
+ notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
+ "delete memos you no longer need."));
+ }
 }
 /* vim:cinoptions=>s,e0,n0,f0,{0,}0,^0,=s,ps,t0,c3,+s,(2s,us,)20,*30,gs,hs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/atheme-7.2.7/modules/saslserv/main.c new/atheme-7.2.9/modules/saslserv/main.c
--- old/atheme-7.2.7/modules/saslserv/main.c 2016-10-08 16:58:00.000000000 +0200
+++ new/atheme-7.2.9/modules/saslserv/main.c 2017-02-12 15:58:54.000000000 +0100
@@ -609,6 +609,7 @@
 req.mu = source_mu;
 req.allowed = true;
 hook_call_user_can_login(&req);
+ object_unref(req.si);
 if (!req.allowed)
 {
 sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(source_mu)->name);
@@ -645,9 +646,11 @@
 sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "allowed IMPERSONATE by \2%s\2 to \2%s\2", entity(source_mu)->name, entity(target_mu)->name);
+ req.si = sasl_sourceinfo_create(p);
 req.mu = target_mu;
 req.allowed = true;
 hook_call_user_can_login(&req);
+ object_unref(req.si);
 if (!req.allowed)
 {
 sasl_logcommand(p, source_mu, CMDLOG_LOGIN, "failed LOGIN to \2%s\2 (denied by hook)", entity(target_mu)->name);
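Review bot: The five-line "inbox is full" block is now pasted verbatim into both `on_user_identify` and `on_user_away` (the @@ -54 and @@ -80 hunks of memoserv/main.c), so the wording and the threshold will drift apart the next time either is touched. Pull it into one static helper and call `warn_inbox_full(u, mu);` from both places; both enclosing functions begin above their hunks, so I'm assuming `mu` is the identified account in each, as the `mu->memos.count` test implies, and that its type is the usual account struct. `maxmemos` is defined elsewhere in the file; if 0 can mean "unlimited", `>=` fires for every user with an empty inbox, which is worth confirming before merging.
```c
/* Tell u when its account's memo inbox has reached the configured limit. */
static void
warn_inbox_full(user_t *u, myuser_t *mu)
{
	if (mu->memos.count >= maxmemos)
		notice(memosvs->me->nick, u->nick, _("Your memo inbox is full! Please "
		       "delete memos you no longer need."));
}

/* … unchanged: on_user_identify / on_user_away up to the "new memos" notice … */
	warn_inbox_full(u, mu);
```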
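Review bot: After the added `object_unref(req.si);` in the @@ -609 hunk of saslserv/main.c the freed pointer is left inside `req`, and the following hunk shows the same struct being reused for the IMPERSONATE check — the 7.2.9 fix plugs that specific reuse by re-creating `req.si`, but nothing stops a later path from calling the hook with the stale pointer, which is exactly the bug class the release note describes. Null it at the release point, `object_unref(req.si); req.si = NULL;`, so any such reuse fails deterministically instead of touching freed memory. The matching creation for this first check lies above the hunk, so I'm assuming this unref pairs with a `sasl_sourceinfo_create(p)` there like the one visible in the next hunk; the enclosing function also continues past the end of the page.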