Fix for CVE-2022-24407

Resolves: rhbz#2055848
Signed-off-by: Simo Sorce <simo@redhat.com>

0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch

@@ -0,0 +1,82 @@
+From 37f2e0f0658d78a1496dc277f402f8b577ce6aae Mon Sep 17 00:00:00 2001
+From: Klaus Espenlaub <klaus@espenlaub.com>
+Date: Tue, 8 Feb 2022 20:34:40 +0000
+Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
+ commands.
+
+Signed-off-by: Klaus Espenlaub <klaus@espenlaub.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 31b54a78..6ac81c2f 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1151,6 +1151,7 @@ static int sql_auxprop_store(void *glob_context,
+     char *statement = NULL;
+     char *escap_userid = NULL;
+     char *escap_realm = NULL;
++    char *escap_passwd = NULL;
+     const char *cmd;
+     
+     sql_settings_t *settings;
+@@ -1222,6 +1223,11 @@ static int sql_auxprop_store(void *glob_context,
+ 			    "Unable to begin transaction\n");
+     }
+     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++	/* Free the buffer, current content is from previous loop. */
++	if (escap_passwd) {
++	    sparams->utils->free(escap_passwd);
++	    escap_passwd = NULL;
++	}
+ 
+ 	if (cur->name[0] == '*') {
+ 	    continue;
+@@ -1243,19 +1249,32 @@ static int sql_auxprop_store(void *glob_context,
+ 	}
+ 	sparams->utils->free(statement);
+ 
++	if (cur->values[0]) {
++	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++	    if (!escap_passwd) {
++		ret = SASL_NOMEM;
++		break;
++	    }
++	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++	}
++
+ 	/* create a statement that we will use */
+ 	statement = sql_create_statement(cmd, cur->name, escap_userid,
+ 					 escap_realm,
+-					 cur->values && cur->values[0] ?
+-					 cur->values[0] : SQL_NULL_VALUE,
++					 escap_passwd ?
++					 escap_passwd : SQL_NULL_VALUE,
+ 					 sparams->utils);
++	if (!statement) {
++	    ret = SASL_NOMEM;
++	    break;
++	}
+ 	
+ 	{
+ 	    char *log_statement =
+ 		sql_create_statement(cmd, cur->name,
+ 				     escap_userid,
+ 				     escap_realm,
+-				     cur->values && cur->values[0] ?
++				     escap_passwd ?
+ 				     "<omitted>" : SQL_NULL_VALUE,
+ 				     sparams->utils);
+ 	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1288,6 +1307,7 @@ static int sql_auxprop_store(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
++    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+-- 
+2.25.1
+

cyrus-sasl.spec

@@ -9,7 +9,7 @@
 Summary: The Cyrus SASL library
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: BSD with advertising
 URL: https://www.cyrusimap.org/sasl/
 
@@ -49,6 +49,8 @@ Patch500: cyrus-sasl-2.1.27-coverity.patch
 Patch501: cyrus-sasl-2.1.27-cumulative-digestmd5.patch
 Patch502: cyrus-sasl-2.1.27-cumulative-ossl3.patch
 
+Patch900: 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
+
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
 BuildRequires: krb5-devel >= 1.19, openssl-devel, pam-devel, pkgconfig
 BuildRequires: mariadb-connector-c-devel, libpq-devel, zlib-devel
@@ -187,6 +189,7 @@ the GS2 authentication scheme.
 %patch500 -p1 -b .coverity
 %patch501 -p1 -b .digestmd5
 %patch502 -p1 -b .ossl3
+%patch900 -p1 -b .CVE-2022-24407
 
 %build
 # reconfigure
@@ -398,6 +401,10 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_sbindir}/sasl2-shared-mechlist
 
 %changelog
+* Thu Feb 23 2022 Simo Sorce <simo@redhat.com> - 2.1.27-6
+- Fix for CVE-2022-24407
+- Resolves: rhbz#2055848
+
 * Mon Feb  9 2022 Simo Sorce <simo@redhat.com> - 2.1.27-19
 - Fix a memleak in one of the OpenSSL 3 compat patches
   found by covscan