| Message ID | 20220620044411.6397-1-hprajapati@mvista.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [dunfell] cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands | expand |
This patch appears to be intended for meta-openembedded, not oe-core. You should resend to: openembedded-devel@lists.openembedded.org Steve On Sun, Jun 19, 2022 at 6:44 PM Hitendra Prajapati <hprajapati@mvista.com> wrote: > > Source: https://github.com/cyrusimap/cyrus-sasl > MR: 118501 > Type: Security Fix > Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc > ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51 > Description: > CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > .../cyrus-sasl/CVE-2022-24407.patch | 83 +++++++++++++++++++ > .../cyrus-sasl/cyrus-sasl_2.1.27.bb | 1 + > 2 files changed, 84 insertions(+) > create mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch > > diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch > new file mode 100644 > index 000000000..0ddea03c6 > --- /dev/null > +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch > @@ -0,0 +1,83 @@ > +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <hprajapati@mvista.com> > +Date: Wed, 15 Jun 2022 10:44:50 +0530 > +Subject: [PATCH] CVE-2022-24407 > + > +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] > +CVE: CVE-2022-24407 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + plugins/sql.c | 26 +++++++++++++++++++++++--- > + 1 file changed, 23 insertions(+), 3 deletions(-) > + > +diff --git a/plugins/sql.c b/plugins/sql.c > +index 95f5f707..5d20759b 100644 > +--- a/plugins/sql.c > ++++ b/plugins/sql.c > +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, > + char *statement = NULL; > + char *escap_userid = NULL; > + char *escap_realm = NULL; > ++ char *escap_passwd = NULL; > + const char *cmd; > + > + sql_settings_t *settings; > +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, > + "Unable to begin transaction\n"); > + } > + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { > ++ /* Free the buffer, current content is from previous loop. */ > ++ if (escap_passwd) { > ++ sparams->utils->free(escap_passwd); > ++ escap_passwd = NULL; > ++ } > + > + if (cur->name[0] == '*') { > + continue; > +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, > + } > + sparams->utils->free(statement); > + > ++ if (cur->values[0]) { > ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); > ++ if (!escap_passwd) { > ++ ret = SASL_NOMEM; > ++ break; > ++ } > ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); > ++ } > ++ > + /* create a statement that we will use */ > + statement = sql_create_statement(cmd, cur->name, escap_userid, > + escap_realm, > +- cur->values && cur->values[0] ? > +- cur->values[0] : SQL_NULL_VALUE, > ++ escap_passwd ? > ++ escap_passwd : SQL_NULL_VALUE, > + sparams->utils); > ++ if (!statement) { > ++ ret = SASL_NOMEM; > ++ break; > ++ } > + > + { > + char *log_statement = > + sql_create_statement(cmd, cur->name, > + escap_userid, > + escap_realm, > +- cur->values && cur->values[0] ? > ++ escap_passwd ? > + "<omitted>" : SQL_NULL_VALUE, > + sparams->utils); > + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, > +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, > + done: > + if (escap_userid) sparams->utils->free(escap_userid); > + if (escap_realm) sparams->utils->free(escap_realm); > ++ if (escap_passwd) sparams->utils->free(escap_passwd); > + if (conn) settings->sql_engine->sql_close(conn); > + if (userid) sparams->utils->free(userid); > + if (realm) sparams->utils->free(realm); > +-- > +2.25.1 > + > diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb > index db5f94444..3e7056d67 100644 > --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb > +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb > @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ > file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ > file://0001-makeinit.sh-fix-parallel-build-issue.patch \ > file://CVE-2019-19906.patch \ > + file://CVE-2022-24407.patch \ > " > > UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#167080): https://lists.openembedded.org/g/openembedded-core/message/167080 > Mute This Topic: https://lists.openembedded.org/mt/91871133/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 000000000..0ddea03c6 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch @@ -0,0 +1,83 @@ +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 15 Jun 2022 10:44:50 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 95f5f707..5d20759b 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, + char *statement = NULL; + char *escap_userid = NULL; + char *escap_realm = NULL; ++ char *escap_passwd = NULL; + const char *cmd; + + sql_settings_t *settings; +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, + "Unable to begin transaction\n"); + } + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { ++ /* Free the buffer, current content is from previous loop. */ ++ if (escap_passwd) { ++ sparams->utils->free(escap_passwd); ++ escap_passwd = NULL; ++ } + + if (cur->name[0] == '*') { + continue; +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, + } + sparams->utils->free(statement); + ++ if (cur->values[0]) { ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); ++ if (!escap_passwd) { ++ ret = SASL_NOMEM; ++ break; ++ } ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); ++ } ++ + /* create a statement that we will use */ + statement = sql_create_statement(cmd, cur->name, escap_userid, + escap_realm, +- cur->values && cur->values[0] ? +- cur->values[0] : SQL_NULL_VALUE, ++ escap_passwd ? ++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index db5f94444..3e7056d67 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ file://0001-makeinit.sh-fix-parallel-build-issue.patch \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
Source: https://github.com/cyrusimap/cyrus-sasl MR: 118501 Type: Security Fix Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51 Description: CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../cyrus-sasl/CVE-2022-24407.patch | 83 +++++++++++++++++++ .../cyrus-sasl/cyrus-sasl_2.1.27.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch