From 1722fea689af1890b71f25d923b7594938525f20 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 23 Feb 2022 10:54:58 +0100
Subject: [PATCH] Fix CVE-2022-24407 (#2057334)
---
 ...scape-password-for-SQL-insert-update.patch | 82 +++++++++++++++++++
 cyrus-sasl.spec | 5 ++
 2 files changed, 87 insertions(+)
 create mode 100644 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
diff --git a/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch b/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
new file mode 100644
index 0000000..a430d65
--- /dev/null
+++ b/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
@@ -0,0 +1,82 @@
+From 37f2e0f0658d78a1496dc277f402f8b577ce6aae Mon Sep 17 00:00:00 2001
+From: Klaus Espenlaub
+Date: Tue, 8 Feb 2022 20:34:40 +0000
+Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
+ commands.
+
+Signed-off-by: Klaus Espenlaub
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 31b54a78..6ac81c2f 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1151,6 +1151,7 @@ static int sql_auxprop_store(void *glob_context,
+ char *statement = NULL;
+ char *escap_userid = NULL;
+ char *escap_realm = NULL;
++ char *escap_passwd = NULL;
+ const char *cmd;
+
+ sql_settings_t *settings;
+@@ -1222,6 +1223,11 @@ static int sql_auxprop_store(void *glob_context,
+ "Unable to begin transaction\n");
+ }
+ for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++ /* Free the buffer, current content is from previous loop. */
++ if (escap_passwd) {
++ sparams->utils->free(escap_passwd);
++ escap_passwd = NULL;
++ }
+
+ if (cur->name[0] == '*') {
+ continue;
+@@ -1243,19 +1249,32 @@ static int sql_auxprop_store(void *glob_context,
+ }
+ sparams->utils->free(statement);
+
++ if (cur->values[0]) {
++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++ if (!escap_passwd) {
++ ret = SASL_NOMEM;
++ break;
++ }
++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++ }
++
+ /* create a statement that we will use */
+ statement = sql_create_statement(cmd, cur->name, escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
+- cur->values[0] : SQL_NULL_VALUE,
++ escap_passwd ?
++ escap_passwd : SQL_NULL_VALUE,
+ sparams->utils);
++ if (!statement) {
++ ret = SASL_NOMEM;
++ break;
++ }
+
+ {
+ char *log_statement =
+ sql_create_statement(cmd, cur->name,
+ escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
++ escap_passwd ?
+ "" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1288,6 +1307,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec index 920e1d2..bded229 100644 --- a/cyrus-sasl.spec +++ b/cyrus-sasl.spec @@ -50,6 +50,8 @@ Patch500: cyrus-sasl-2.1.27-coverity.patch Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch +Patch900: 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch + BuildRequires: autoconf, automake, libtool, gdbm-devel, groff BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel @@ -186,6 +188,9 @@ the GS2 authentication scheme. %patch501 -p1 -b .digestmd5 %patch502 -p1 -b .ossl3 + +%patch900 -p1 -b .CVE-2022-24407 + %build # reconfigure cp %{SOURCE11} ./