[meta-networking,kirkstone] cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands

Message ID 20220628055554.10496-1-hprajapati@mvista.com
State Awaiting Upstream
Delegated to: Armin Kuster

Commit Message

Hitendra Prajapati June 28, 2022, 5:55 a.m. UTC
Source: https://github.com/cyrusimap/cyrus-sasl
MR: 118497
Type: Security Fix
Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
ChangeID: 4736aae2b7d8986787b1666cfd6eecd590915120
Description:
       CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../cyrus-sasl/CVE-2022-24407.patch           | 83 +++++++++++++++++++
 .../cyrus-sasl/cyrus-sasl_2.1.28.bb           |  1 +
 2 files changed, 84 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch

Comments

Khem Raj June 29, 2022, 5:08 p.m. UTC | #1
This patch is needed on master too; please send a version against master as well. We want to apply that before backporting it to releases.


On 6/28/22 1:55 AM, Hitendra Prajapati wrote:
> Source: https://github.com/cyrusimap/cyrus-sasl
> MR: 118497
> Type: Security Fix
> Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
> ChangeID: 4736aae2b7d8986787b1666cfd6eecd590915120
> Description:
>         CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>   .../cyrus-sasl/CVE-2022-24407.patch           | 83 +++++++++++++++++++
>   .../cyrus-sasl/cyrus-sasl_2.1.28.bb           |  1 +
>   2 files changed, 84 insertions(+)
>   create mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
>
> diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
> new file mode 100644
> index 000000000..0ddea03c6
> --- /dev/null
> +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
> @@ -0,0 +1,83 @@
> +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <hprajapati@mvista.com>
> +Date: Wed, 15 Jun 2022 10:44:50 +0530
> +Subject: [PATCH] CVE-2022-24407
> +
> +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
> +CVE: CVE-2022-24407
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + plugins/sql.c | 26 +++++++++++++++++++++++---
> + 1 file changed, 23 insertions(+), 3 deletions(-)
> +
> +diff --git a/plugins/sql.c b/plugins/sql.c
> +index 95f5f707..5d20759b 100644
> +--- a/plugins/sql.c
> ++++ b/plugins/sql.c
> +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
> +     char *statement = NULL;
> +     char *escap_userid = NULL;
> +     char *escap_realm = NULL;
> ++    char *escap_passwd = NULL;
> +     const char *cmd;
> +
> +     sql_settings_t *settings;
> +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
> + 			    "Unable to begin transaction\n");
> +     }
> +     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
> ++	/* Free the buffer, current content is from previous loop. */
> ++	if (escap_passwd) {
> ++	    sparams->utils->free(escap_passwd);
> ++	    escap_passwd = NULL;
> ++	}
> +
> + 	if (cur->name[0] == '*') {
> + 	    continue;
> +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
> + 	}
> + 	sparams->utils->free(statement);
> +
> ++	if (cur->values[0]) {
> ++	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
> ++	    if (!escap_passwd) {
> ++		ret = SASL_NOMEM;
> ++		break;
> ++	    }
> ++	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
> ++	}
> ++
> + 	/* create a statement that we will use */
> + 	statement = sql_create_statement(cmd, cur->name, escap_userid,
> + 					 escap_realm,
> +-					 cur->values && cur->values[0] ?
> +-					 cur->values[0] : SQL_NULL_VALUE,
> ++					 escap_passwd ?
> ++					 escap_passwd : SQL_NULL_VALUE,
> + 					 sparams->utils);
> ++	if (!statement) {
> ++	    ret = SASL_NOMEM;
> ++	    break;
> ++	}
> + 	
> + 	{
> + 	    char *log_statement =
> + 		sql_create_statement(cmd, cur->name,
> + 				     escap_userid,
> + 				     escap_realm,
> +-				     cur->values && cur->values[0] ?
> ++				     escap_passwd ?
> + 				     "<omitted>" : SQL_NULL_VALUE,
> + 				     sparams->utils);
> + 	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
> +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
> +   done:
> +     if (escap_userid) sparams->utils->free(escap_userid);
> +     if (escap_realm) sparams->utils->free(escap_realm);
> ++    if (escap_passwd) sparams->utils->free(escap_passwd);
> +     if (conn) settings->sql_engine->sql_close(conn);
> +     if (userid) sparams->utils->free(userid);
> +     if (realm) sparams->utils->free(realm);
> +--
> +2.25.1
> +
> diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
> index 98899dfd5..e344733ef 100644
> --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
> +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
> @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas
>              file://saslauthd.service \
>              file://saslauthd.conf \
>              file://CVE-2019-19906.patch \
> +	   file://CVE-2022-24407.patch \
>              "
>   
>   UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
>
>
akuster808 July 2, 2022, 1:01 p.m. UTC | #2
I built this on kirkstone and one patch does not apply.

ERROR: cyrus-sasl-2.1.28-r0 do_patch: Applying patch 
'CVE-2022-24407.patch' on target directory 
'/builds/54vdLR_9/0/akuster/meta-branch-maint/build/tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/cyrus-sasl/2.1.28-r0/git'
CmdError('quilt --quiltrc 
/builds/54vdLR_9/0/akuster/meta-branch-maint/build/tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/cyrus-sasl/2.1.28-r0/recipe-sysroot-native/etc/quiltrc 
push', 0, 'stdout: Applying patch CVE-2022-24407.patch
patching file plugins/sql.c
Hunk #1 FAILED at 1150.
Hunk #2 FAILED at 1221.
Hunk #3 FAILED at 1242.
Hunk #4 succeeded at 1127 (offset -160 lines).
3 out of 4 hunks FAILED -- rejects in file plugins/sql.c
Patch CVE-2022-24407.patch can be reverse-applied



On 6/28/22 22:55, Hitendra Prajapati wrote:
> Source: https://github.com/cyrusimap/cyrus-sasl
> MR: 118497
> Type: Security Fix
> Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
> ChangeID: 4736aae2b7d8986787b1666cfd6eecd590915120
> Description:
>         CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>   .../cyrus-sasl/CVE-2022-24407.patch           | 83 +++++++++++++++++++
>   .../cyrus-sasl/cyrus-sasl_2.1.28.bb           |  1 +
>   2 files changed, 84 insertions(+)
>   create mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
>
> diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
> new file mode 100644
> index 000000000..0ddea03c6
> --- /dev/null
> +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
> @@ -0,0 +1,83 @@
> +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <hprajapati@mvista.com>
> +Date: Wed, 15 Jun 2022 10:44:50 +0530
> +Subject: [PATCH] CVE-2022-24407
> +
> +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
> +CVE: CVE-2022-24407
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + plugins/sql.c | 26 +++++++++++++++++++++++---
> + 1 file changed, 23 insertions(+), 3 deletions(-)
> +
> +diff --git a/plugins/sql.c b/plugins/sql.c
> +index 95f5f707..5d20759b 100644
> +--- a/plugins/sql.c
> ++++ b/plugins/sql.c
> +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
> +     char *statement = NULL;
> +     char *escap_userid = NULL;
> +     char *escap_realm = NULL;
> ++    char *escap_passwd = NULL;
> +     const char *cmd;
> +
> +     sql_settings_t *settings;
> +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
> + 			    "Unable to begin transaction\n");
> +     }
> +     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
> ++	/* Free the buffer, current content is from previous loop. */
> ++	if (escap_passwd) {
> ++	    sparams->utils->free(escap_passwd);
> ++	    escap_passwd = NULL;
> ++	}
> +
> + 	if (cur->name[0] == '*') {
> + 	    continue;
> +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
> + 	}
> + 	sparams->utils->free(statement);
> +
> ++	if (cur->values[0]) {
> ++	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
> ++	    if (!escap_passwd) {
> ++		ret = SASL_NOMEM;
> ++		break;
> ++	    }
> ++	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
> ++	}
> ++
> + 	/* create a statement that we will use */
> + 	statement = sql_create_statement(cmd, cur->name, escap_userid,
> + 					 escap_realm,
> +-					 cur->values && cur->values[0] ?
> +-					 cur->values[0] : SQL_NULL_VALUE,
> ++					 escap_passwd ?
> ++					 escap_passwd : SQL_NULL_VALUE,
> + 					 sparams->utils);
> ++	if (!statement) {
> ++	    ret = SASL_NOMEM;
> ++	    break;
> ++	}
> + 	
> + 	{
> + 	    char *log_statement =
> + 		sql_create_statement(cmd, cur->name,
> + 				     escap_userid,
> + 				     escap_realm,
> +-				     cur->values && cur->values[0] ?
> ++				     escap_passwd ?
> + 				     "<omitted>" : SQL_NULL_VALUE,
> + 				     sparams->utils);
> + 	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
> +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
> +   done:
> +     if (escap_userid) sparams->utils->free(escap_userid);
> +     if (escap_realm) sparams->utils->free(escap_realm);
> ++    if (escap_passwd) sparams->utils->free(escap_passwd);
> +     if (conn) settings->sql_engine->sql_close(conn);
> +     if (userid) sparams->utils->free(userid);
> +     if (realm) sparams->utils->free(realm);
> +--
> +2.25.1
> +
> diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
> index 98899dfd5..e344733ef 100644
> --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
> +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
> @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas
>              file://saslauthd.service \
>              file://saslauthd.conf \
>              file://CVE-2019-19906.patch \
> +	   file://CVE-2022-24407.patch \
>              "
>   
>   UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
>
>

Patch

diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
new file mode 100644
index 000000000..0ddea03c6
--- /dev/null
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,83 @@ 
+From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 15 Jun 2022 10:44:50 +0530
+Subject: [PATCH] CVE-2022-24407
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 95f5f707..5d20759b 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
+     char *statement = NULL;
+     char *escap_userid = NULL;
+     char *escap_realm = NULL;
++    char *escap_passwd = NULL;
+     const char *cmd;
+     
+     sql_settings_t *settings;
+@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
+ 			    "Unable to begin transaction\n");
+     }
+     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++	/* Free the buffer, current content is from previous loop. */
++	if (escap_passwd) {
++	    sparams->utils->free(escap_passwd);
++	    escap_passwd = NULL;
++	}
+ 
+ 	if (cur->name[0] == '*') {
+ 	    continue;
+@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
+ 	}
+ 	sparams->utils->free(statement);
+ 
++	if (cur->values[0]) {
++	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++	    if (!escap_passwd) {
++		ret = SASL_NOMEM;
++		break;
++	    }
++	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++	}
++
+ 	/* create a statement that we will use */
+ 	statement = sql_create_statement(cmd, cur->name, escap_userid,
+ 					 escap_realm,
+-					 cur->values && cur->values[0] ?
+-					 cur->values[0] : SQL_NULL_VALUE,
++					 escap_passwd ?
++					 escap_passwd : SQL_NULL_VALUE,
+ 					 sparams->utils);
++	if (!statement) {
++	    ret = SASL_NOMEM;
++	    break;
++	}
+ 	
+ 	{
+ 	    char *log_statement =
+ 		sql_create_statement(cmd, cur->name,
+ 				     escap_userid,
+ 				     escap_realm,
+-				     cur->values && cur->values[0] ?
++				     escap_passwd ?
+ 				     "<omitted>" : SQL_NULL_VALUE,
+ 				     sparams->utils);
+ 	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
++    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+-- 
+2.25.1
+
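Review bot: The new guard `if (cur->values[0])` in the third plugins/sql.c hunk dereferences `cur->values` unconditionally, whereas both removed call-site expressions tested `cur->values && cur->values[0]`. Whether `cur->values` can be NULL for an entry of `to_store` is not visible here, but the old code allowed for it, so the guard should keep that check: `if (cur->values && cur->values[0]) {`. The buffer size `strlen(cur->values[0])*2+1` relies on each engine's `sql_escape_str` writing at most two bytes per input byte plus the terminator; a comment at the malloc such as `/* worst case: every byte escaped, plus NUL */` would record that contract. sql_auxprop_store starts and ends outside the hunks shown, so the path taken after the two new `break` statements cannot be checked from here.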
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
index 98899dfd5..e344733ef 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
@@ -14,6 +14,7 @@  SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas
            file://saslauthd.service \
            file://saslauthd.conf \
            file://CVE-2019-19906.patch \
+	   file://CVE-2022-24407.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
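Review bot: The added SRC_URI entry is indented with a tab followed by spaces, while the neighbouring `file://` entries in this hunk use spaces only. Re-indent it to match them: `           file://CVE-2022-24407.patch \`. The SRC_URI assignment begins above the hunk.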