9 files changed, 399 insertions, 0 deletions
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/0001-Fix-time.h-check.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/0001-Fix-time.h-check.patch
new file mode 100644
index 0000000000..3b7054a799
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/0001-Fix-time.h-check.patch
@@ -0,0 +1,54 @@
+From 266f0acf7f5e029afbb3e263437039e50cd6c262 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Wed, 23 Feb 2022 00:45:15 +0000
+Subject: [PATCH] Fix <time.h> check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We're conditionally including based on HAVE_TIME_H in a bunch of places,
+but we're not actually checking for time.h, so that's never going to be defined.
+
+While at it, add in a missing include in the cram plugin.
+
+This fixes a bunch of implicit declaration warnings:
+```
+ * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
+ * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function ‘clock’ [-Wimplicit-function-declaration]
+ * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
+ * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
+ * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function ‘clock’ [-Wimplicit-function-declaration]
+ * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
+```
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/266f0acf7f5e029afbb3e263437039e50cd6c262]
+Signed-off-by: Sam James <sam@gentoo.org>
+---
+ configure.ac   | 2 +-
+ plugins/cram.c | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -1231,7 +1231,7 @@ AC_CHECK_HEADERS_ONCE([sys/time.h])
+ 
+ AC_HEADER_DIRENT
+ AC_HEADER_SYS_WAIT
+-AC_CHECK_HEADERS(crypt.h des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h krb5.h)
++AC_CHECK_HEADERS(crypt.h des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h time.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h krb5.h)
+ 
+ IPv6_CHECK_SS_FAMILY()
+ IPv6_CHECK_SA_LEN()
+--- a/plugins/cram.c
++++ b/plugins/cram.c
+@@ -53,6 +53,10 @@
+ #endif
+ #include <fcntl.h>
+ 
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
+ #include <sasl.h>
+ #include <saslplug.h>
+ #include <saslutil.h>
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/0001-sample-Rename-dprintf-to-cyrus_dprintf.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/0001-sample-Rename-dprintf-to-cyrus_dprintf.patch
new file mode 100644
index 0000000000..4c6d61dfc7
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/0001-sample-Rename-dprintf-to-cyrus_dprintf.patch
@@ -0,0 +1,91 @@
+From ade70f39c4aa5a8830462d9ccf3b8f8dd968c0d8 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 28 Feb 2022 11:10:26 -0800
+Subject: [PATCH] sample: Rename dprintf to cyrus_dprintf
+
+This avoids shadowing the dprintf implementations in glibc
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ sample/client.c | 12 ++++++------
+ sample/common.c |  2 +-
+ sample/common.h |  2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sample/client.c b/sample/client.c
+index e723c6b7..6a04f428 100644
+--- a/sample/client.c
++++ b/sample/client.c
+@@ -241,9 +241,9 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
+     int r, c;
+ 
+     /* get the capability list */
+-    dprintf(0, "receiving capability list... ");
++    cyrus_dprintf(0, "receiving capability list... ");
+     len = recv_string(in, buf, sizeof buf);
+-    dprintf(0, "%s\n", buf);
++    cyrus_dprintf(0, "%s\n", buf);
+ 
+     if (mech) {
+ 	/* make sure that 'mech' appears in 'buf' */
+@@ -262,7 +262,7 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
+ 	return -1;
+     }
+     
+-    dprintf(1, "using mechanism %s\n", chosenmech);
++    cyrus_dprintf(1, "using mechanism %s\n", chosenmech);
+ 
+     /* we send up to 3 strings;
+        the mechanism chosen, the presence of initial response,
+@@ -276,7 +276,7 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
+     }
+ 
+     for (;;) {
+-	dprintf(2, "waiting for server reply...\n");
++	cyrus_dprintf(2, "waiting for server reply...\n");
+ 
+ 	c = fgetc(in);
+ 	switch (c) {
+@@ -303,10 +303,10 @@ int mysasl_negotiate(FILE *in, FILE *out, sasl_conn_t *conn)
+ 	}
+ 
+ 	if (data) {
+-	    dprintf(2, "sending response length %d...\n", len);
++	    cyrus_dprintf(2, "sending response length %d...\n", len);
+ 	    send_string(out, data, len);
+ 	} else {
+-	    dprintf(2, "sending null response...\n");
++	    cyrus_dprintf(2, "sending null response...\n");
+ 	    send_string(out, "", 0);
+ 	}
+     }
+diff --git a/sample/common.c b/sample/common.c
+index 712549fd..d138e450 100644
+--- a/sample/common.c
++++ b/sample/common.c
+@@ -127,7 +127,7 @@ int recv_string(FILE *f, char *buf, int buflen)
+ 
+ int debuglevel = 0;
+ 
+-int dprintf(int lvl, const char *fmt, ...)
++int cyrus_dprintf(int lvl, const char *fmt, ...)
+ {
+     va_list ap;
+     int ret = 0;
+diff --git a/sample/common.h b/sample/common.h
+index 819d0101..cd56907a 100644
+--- a/sample/common.h
++++ b/sample/common.h
+@@ -43,7 +43,7 @@ extern int send_string(FILE *f, const char *s, int l);
+ extern int recv_string(FILE *f, char *buf, int buflen);
+ 
+ extern int debuglevel;
+-extern int dprintf(int lvl, const char *fmt, ...);
++extern int cyrus_dprintf(int lvl, const char *fmt, ...);
+ 
+ extern void saslerr(int why, const char *what);
+ extern void saslfail(int why, const char *what);
+-- 
+2.35.1
+
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch
new file mode 100644
index 0000000000..8c95268bb5
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2019-19906.patch
@@ -0,0 +1,37 @@
+From 94fe6eb9ea2691f4a7c32fbf2d0c7c454995b666 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 11:08:57 +0800
+Subject: [PATCH] Fix #587
+
+Off by one error in common.c, CVE-2019-19906.
+
+Thanks to Stephan Zeisberg for reporting
+
+CVE: CVE-2019-19906
+
+Upstream-Stauts: Backport [https://github.com/cyrusimap/cyrus-sasl
+/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+Upstream-Status: Pending
+
+ lib/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/common.c b/lib/common.c
+index d9104c8..fef82db 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
+ 
+   if (add==NULL) add = "(null)";
+ 
+-  addlen=strlen(add); /* only compute once */
++  addlen=strlen(add)+1; /* only compute once */
+   if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)
+     return SASL_NOMEM;
+ 
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
new file mode 100644
index 0000000000..3d67f47414
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,27 @@
+From 078f98ea154475d953ce5b7cd851732f4dc270a7 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 5 Jul 2022 09:31:07 +0530
+Subject: [PATCH] CVE-2022-24407
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ plugins/sql.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 6ac81c2f..d90dbac9 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1127,6 +1127,7 @@ static int sql_auxprop_lookup(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
++    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch
new file mode 100644
index 0000000000..308d88204f
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch
@@ -0,0 +1,39 @@
+Remove AC_TRY_RUN
+
+It can not be run during cross compile
+
+Upstream-Status: Inappropriate [Cross-compile specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+--- a/m4/sasl2.m4
++++ b/m4/sasl2.m4
+@@ -316,28 +316,8 @@ if test "$gssapi" != no; then
+   AC_CACHE_CHECK([for SPNEGO support in GSSAPI libraries],[ac_cv_gssapi_supports_spnego],[
+     cmu_save_LIBS="$LIBS"
+     LIBS="$LIBS $GSSAPIBASE_LIBS"
+-    AC_TRY_RUN([
+-#ifdef HAVE_GSSAPI_H
+-#include <gssapi.h>
+-#else
+-#include <gssapi/gssapi.h>
+-#endif
+-
+-int main(void)
+-{
+-    gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
+-    gss_OID_set mech_set;
+-    OM_uint32 min_stat;
+-    int have_spnego = 0;
+-                                                                               
+-    if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
+-	gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
+-	gss_release_oid_set(&min_stat, &mech_set);
+-    }
+-
+-    return (!have_spnego);  // 0 = success, 1 = failure
+-}
+-],[ac_cv_gssapi_supports_spnego=yes],[ac_cv_gssapi_supports_spnego=no])
++    AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO])
++    AC_MSG_RESULT(yes)
+     LIBS="$cmu_save_LIBS"
+   ])
+   AS_IF([test "$ac_cv_gssapi_supports_spnego" = yes],[
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/debian_patches_0014_avoid_pic_overwrite.diff b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/debian_patches_0014_avoid_pic_overwrite.diff
new file mode 100644
index 0000000000..a5f2f5dd91
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/debian_patches_0014_avoid_pic_overwrite.diff
@@ -0,0 +1,30 @@
+From 1a5f3004e9081eab6263a29cd5be792f06441e36 Mon Sep 17 00:00:00 2001
+From: Fabian Fagerholm <fabbe@debian.org>
+Date: Wed, 24 Jul 2013 11:38:25 -0400
+Subject: [PATCH] cyrus-sasl: Add patches from Debian to fix linking
+
+Description: This patch makes sure the non-PIC version of libsasldb.a, which
+is created out of non-PIC objects, is not going to overwrite the PIC version,
+which is created out of PIC objects. The PIC version is placed in .libs, and
+the non-PIC version in the current directory.  This ensures that both non-PIC
+and PIC versions are available in the correct locations.
+
+---
+Upstream-Status: Pending
+
+ lib/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index a158ca3..3137e19 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -99,7 +99,7 @@ endif
+ 
+ libsasl2.a: libsasl2.la $(SASL_STATIC_OBJS)
+ 	@echo adding static plugins and dependencies
+-	$(AR) cru .libs/$@ $(SASL_STATIC_OBJS)
++	$(AR) cru $@ $(SASL_STATIC_OBJS)
+ 	@for i in ./libsasl2.la ../common/libplugin_common.la ../sasldb/libsasldb.la ../plugins/lib*.la; do \
+ 	if test ! -f $$i; then continue; fi; . $$i; \
+ 	for j in $$dependency_libs foo; do \
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/saslauthd.conf b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/saslauthd.conf
new file mode 100644
index 0000000000..a91a9d3340
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/saslauthd.conf
@@ -0,0 +1,11 @@
+# Directory in which to place saslauthd's listening socket, pid file, and so
+# on.  This directory must already exist.
+SOCKETDIR=@LOCALSTATEDIR@/run/saslauthd
+
+# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
+# of which mechanism your installation was compiled with the ablity to use.
+MECH=pam
+
+# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
+# for the list of accepted flags.
+FLAGS=
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/saslauthd.service b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/saslauthd.service
new file mode 100644
index 0000000000..e63592af6c
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/saslauthd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SASL authentication daemon.
+After=syslog.target
+
+[Service]
+Type=forking
+PIDFile=/run/saslauthd/saslauthd.pid
+EnvironmentFile=@SYSCONFDIR@/default/saslauthd
+ExecStart=@SBINDIR@/saslauthd -m $SOCKETDIR -a $MECH $FLAGS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb
new file mode 100644
index 0000000000..a6703ecf8d
--- /dev/null
+++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb
@@ -0,0 +1,98 @@
+SUMMARY = "Generic client/server library for SASL authentication"
+SECTION = "libs"
+HOMEPAGE = "http://asg.web.cmu.edu/sasl/"
+DEPENDS = "openssl db groff-native"
+LICENSE = "BSD-4-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396"
+
+SRCREV = "7a6b45b177070198fed0682bea5fa87c18abb084"
+
+SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sasl-2.1 \
+           file://avoid-to-call-AC_TRY_RUN.patch \
+           file://debian_patches_0014_avoid_pic_overwrite.diff \
+           file://0001-sample-Rename-dprintf-to-cyrus_dprintf.patch \
+           file://saslauthd.service \
+           file://saslauthd.conf \
+           file://CVE-2019-19906.patch \
+	   file://CVE-2022-24407.patch \
+           file://0001-Fix-time.h-check.patch \
+           "
+
+UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig useradd systemd
+
+EXTRA_OECONF += "--with-dblib=berkeley \
+                 --with-plugindir='${libdir}/sasl2' \
+                 andrew_cv_runpath_switch=none"
+
+PACKAGECONFIG ??= "\
+    ${@bb.utils.filter('DISTRO_FEATURES', 'ldap pam', d)} \
+"
+PACKAGECONFIG[gssapi] = "--enable-gssapi=yes,--enable-gssapi=no,krb5,"
+PACKAGECONFIG[pam] = "--with-pam,--without-pam,libpam,"
+PACKAGECONFIG[opie] = "--with-opie,--without-opie,opie,"
+PACKAGECONFIG[des] = "--with-des,--without-des,,"
+PACKAGECONFIG[ldap] = "--with-ldap=${STAGING_LIBDIR} --enable-ldapdb,--without-ldap --disable-ldapdb,openldap,"
+PACKAGECONFIG[ntlm] = "--enable-ntlm=yes,--enable-ntlm=no,,"
+
+CFLAGS += "-fPIC"
+
+do_configure:prepend () {
+    # make it be able to work with db 5.0 version
+    local sed_files="sasldb/db_berkeley.c utils/dbconverter-2.c"
+    for sed_file in $sed_files; do
+        sed -i 's#DB_VERSION_MAJOR == 4.*#(&) || DB_VERSION_MAJOR == 5#' ${S}/$sed_file
+    done
+}
+
+do_compile:prepend () {
+    cd include
+    ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS} ${S}/include/makemd5.c -o makemd5
+    touch makemd5.o makemd5.lo makemd5
+    cd ..
+}
+
+do_install:append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_unitdir}/system
+        install -m 0644 ${UNPACKDIR}/saslauthd.service ${D}${systemd_unitdir}/system
+
+        sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/saslauthd.service
+        sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${systemd_unitdir}/system/saslauthd.service
+        sed -i -e 's#@SYSCONFDIR@#${sysconfdir}#g' ${D}${systemd_unitdir}/system/saslauthd.service
+
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        echo "d /run/saslauthd/ - - - -" > ${D}${sysconfdir}/tmpfiles.d/saslauthd.conf
+
+        install -d ${D}${sysconfdir}/default/
+        install -m 0644 ${UNPACKDIR}/saslauthd.conf ${D}${sysconfdir}/default/saslauthd
+        sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/default/saslauthd
+    fi
+}
+
+USERADD_PACKAGES = "${PN}-bin"
+GROUPADD_PARAM:${PN}-bin = "--system mail"
+USERADD_PARAM:${PN}-bin = "--system --home=/var/spool/mail -g mail cyrus"
+
+SYSTEMD_PACKAGES = "${PN}-bin"
+SYSTEMD_SERVICE:${PN}-bin = "saslauthd.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+SRC_URI[md5sum] = "a7f4e5e559a0e37b3ffc438c9456e425"
+SRC_URI[sha256sum] = "8fbc5136512b59bb793657f36fadda6359cae3b08f01fd16b3d406f1345b7bc3"
+
+PACKAGES =+ "${PN}-bin"
+
+FILES:${PN}           += "${libdir}/sasl2/*.so*"
+FILES:${PN}-bin       += "${bindir} \
+                          ${sysconfdir}/default/saslauthd \
+                          ${systemd_unitdir}/system/saslauthd.service \
+                          ${sysconfdir}/tmpfiles.d/saslauthd.conf"
+FILES:${PN}-dev       += "${libdir}/sasl2/*.la"
+FILES:${PN}-dbg       += "${libdir}/sasl2/.debug"
+FILES:${PN}-staticdev += "${libdir}/sasl2/*.a"
+
+INSANE_SKIP:${PN} += "dev-so"