cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands

Source: https://github.com/cyrusimap/cyrus-sasl MR: 118501 Type: Security Fix Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51 Description: CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-06-28 11:19:48 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-07-16 12:56:17 -0700
commit: 9f3d116fddd81fcf71fdd9d78af0673619dc50b3 (patch)
tree: 320d6bc6c92ef97414aa8c7ff60c016cf3199309
parent: b406297d3bcdef6d174eea85945623f1a8f0e3b9 (diff)
download: meta-openembedded-9f3d116fddd81fcf71fdd9d78af0673619dc50b3.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
new file mode 100644
index 0000000000..0ddea03c69
--- /dev/null
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,83 @@
+From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 15 Jun 2022 10:44:50 +0530
+Subject: [PATCH] CVE-2022-24407
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 95f5f707..5d20759b 100644
+--- a/plugins/sql.c
+++ b/plugins/sql.c
+@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
+     char *statement = NULL;
+     char *escap_userid = NULL;
+     char *escap_realm = NULL;
+    char *escap_passwd = NULL;
+     const char *cmd;
+     
+     sql_settings_t *settings;
+@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
+                            "Unable to begin transaction\n");
+     }
+     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
+       /* Free the buffer, current content is from previous loop. */
+       if (escap_passwd) {
+           sparams->utils->free(escap_passwd);
+           escap_passwd = NULL;
+       }
+ 
+        if (cur->name[0] == '*') {
+            continue;
+@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
+        }
+        sparams->utils->free(statement);
+ 
+       if (cur->values[0]) {
+           escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
+           if (!escap_passwd) {
+               ret = SASL_NOMEM;
+               break;
+           }
+           settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
+       }
+
+        /* create a statement that we will use */
+        statement = sql_create_statement(cmd, cur->name, escap_userid,
+                                         escap_realm,
+-                                        cur->values && cur->values[0] ?
+-                                        cur->values[0] : SQL_NULL_VALUE,
+                                        escap_passwd ?
+                                        escap_passwd : SQL_NULL_VALUE,
+                                         sparams->utils);
+       if (!statement) {
+           ret = SASL_NOMEM;
+           break;
+       }
+        
+        {
+            char *log_statement =
+                sql_create_statement(cmd, cur->name,
+                                     escap_userid,
+                                     escap_realm,
+-                                    cur->values && cur->values[0] ?
+                                    escap_passwd ?
+                                     "<omitted>" : SQL_NULL_VALUE,
+                                     sparams->utils);
+            sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
+    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+-- 
+2.25.1
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
index db5f94444f..3e7056d67d 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \
           file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \
           file://0001-makeinit.sh-fix-parallel-build-issue.patch \
           file://CVE-2019-19906.patch \
+           file://CVE-2022-24407.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-06-28 11:19:48 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-07-16 12:56:17 -0700
commit	9f3d116fddd81fcf71fdd9d78af0673619dc50b3 (patch)
tree	320d6bc6c92ef97414aa8c7ff60c016cf3199309
parent	b406297d3bcdef6d174eea85945623f1a8f0e3b9 (diff)
download	meta-openembedded-9f3d116fddd81fcf71fdd9d78af0673619dc50b3.tar.gz

diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..0ddea03c69 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,83 @@
		1	From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Wed, 15 Jun 2022 10:44:50 +0530
		4	Subject: [PATCH] CVE-2022-24407
		5
		6	Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
		7	CVE: CVE-2022-24407
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	plugins/sql.c \| 26 +++++++++++++++++++++++---
		11	1 file changed, 23 insertions(+), 3 deletions(-)
		12
		13	diff --git a/plugins/sql.c b/plugins/sql.c
		14	index 95f5f707..5d20759b 100644
		15	--- a/plugins/sql.c
		16	+++ b/plugins/sql.c
		17	@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
		18	char *statement = NULL;
		19	char *escap_userid = NULL;
		20	char *escap_realm = NULL;
		21	+ char *escap_passwd = NULL;
		22	const char *cmd;
		23
		24	sql_settings_t *settings;
		25	@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
		26	"Unable to begin transaction\n");
		27	}
		28	for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
		29	+ /* Free the buffer, current content is from previous loop. */
		30	+ if (escap_passwd) {
		31	+ sparams->utils->free(escap_passwd);
		32	+ escap_passwd = NULL;
		33	+ }
		34
		35	if (cur->name[0] == '*') {
		36	continue;
		37	@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
		38	}
		39	sparams->utils->free(statement);
		40
		41	+ if (cur->values[0]) {
		42	+ escap_passwd = (char )sparams->utils->malloc(strlen(cur->values[0])2+1);
		43	+ if (!escap_passwd) {
		44	+ ret = SASL_NOMEM;
		45	+ break;
		46	+ }
		47	+ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
		48	+ }
		49	+
		50	/* create a statement that we will use */
		51	statement = sql_create_statement(cmd, cur->name, escap_userid,
		52	escap_realm,
		53	- cur->values && cur->values[0] ?
		54	- cur->values[0] : SQL_NULL_VALUE,
		55	+ escap_passwd ?
		56	+ escap_passwd : SQL_NULL_VALUE,
		57	sparams->utils);
		58	+ if (!statement) {
		59	+ ret = SASL_NOMEM;
		60	+ break;
		61	+ }
		62
		63	{
		64	char *log_statement =
		65	sql_create_statement(cmd, cur->name,
		66	escap_userid,
		67	escap_realm,
		68	- cur->values && cur->values[0] ?
		69	+ escap_passwd ?
		70	"<omitted>" : SQL_NULL_VALUE,
		71	sparams->utils);
		72	sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
		73	@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
		74	done:
		75	if (escap_userid) sparams->utils->free(escap_userid);
		76	if (escap_realm) sparams->utils->free(escap_realm);
		77	+ if (escap_passwd) sparams->utils->free(escap_passwd);
		78	if (conn) settings->sql_engine->sql_close(conn);
		79	if (userid) sparams->utils->free(userid);
		80	if (realm) sparams->utils->free(realm);
		81	--
		82	2.25.1
		83


diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index db5f94444f..3e7056d67d 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \
17	file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \	17	file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \
18	file://0001-makeinit.sh-fix-parallel-build-issue.patch \	18	file://0001-makeinit.sh-fix-parallel-build-issue.patch \
19	file://CVE-2019-19906.patch \	19	file://CVE-2019-19906.patch \
		20	file://CVE-2022-24407.patch \
20	"	21	"
21		22
22	UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"	23	UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"