diff --git a/backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch b/backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
new file mode 100644
index 0000000000000000000000000000000000000000..87c77b5404b55f3a26b930476f9eaf2fbe7191c5
--- /dev/null
+++ b/backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
@@ -0,0 +1,82 @@
+From 9eff746c9daecbcc0041b09a5a51ba30738cdcbc Mon Sep 17 00:00:00 2001
+From: Klaus Espenlaub
+Date: Tue, 8 Feb 2022 20:34:40 +0000
+Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
+ commands.
+
+Signed-off-by: Klaus Espenlaub
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 31b54a7..6ac81c2 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1151,6 +1151,7 @@ static int sql_auxprop_store(void *glob_context,
+ char *statement = NULL;
+ char *escap_userid = NULL;
+ char *escap_realm = NULL;
++ char *escap_passwd = NULL;
+ const char *cmd;
+
+ sql_settings_t *settings;
+@@ -1222,6 +1223,11 @@ static int sql_auxprop_store(void *glob_context,
+ "Unable to begin transaction\n");
+ }
+ for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++ /* Free the buffer, current content is from previous loop. */
++ if (escap_passwd) {
++ sparams->utils->free(escap_passwd);
++ escap_passwd = NULL;
++ }
+
+ if (cur->name[0] == '*') {
+ continue;
+@@ -1243,19 +1249,32 @@ static int sql_auxprop_store(void *glob_context,
+ }
+ sparams->utils->free(statement);
+
++ if (cur->values[0]) {
++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++ if (!escap_passwd) {
++ ret = SASL_NOMEM;
++ break;
++ }
++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++ }
++
+ /* create a statement that we will use */
+ statement = sql_create_statement(cmd, cur->name, escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
+- cur->values[0] : SQL_NULL_VALUE,
++ escap_passwd ?
++ escap_passwd : SQL_NULL_VALUE,
+ sparams->utils);
++ if (!statement) {
++ ret = SASL_NOMEM;
++ break;
++ }
+
+ {
+ char *log_statement =
+ sql_create_statement(cmd, cur->name,
+ escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
++ escap_passwd ?
+ "" : SQL_NULL_VALUE,
+ sparams->utils);
+ sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1288,6 +1307,7 @@ static int sql_auxprop_store(void *glob_context,
+ done:
+ if (escap_userid) sparams->utils->free(escap_userid);
+ if (escap_realm) sparams->utils->free(escap_realm);
++ if (escap_passwd) sparams->utils->free(escap_passwd);
+ if (conn) settings->sql_engine->sql_close(conn);
+ if (userid) sparams->utils->free(userid);
+ if (realm) sparams->utils->free(realm);
+--
+1.8.3.1
+
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index 2709dc191664eb2222a49d32e106bce6b0909ec7..a28ade905fc3d108c0fbb1188755a7f25e588251 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -6,7 +6,7 @@ Name: cyrus-sasl Version: 2.1.27 -Release: 12 +Release: 13 Summary: The Cyrus SASL API Implementation License: BSD with advertising
@@ -18,6 +18,7 @@ Source2: saslauthd.sysconfig Patch0: 0003-Prevent-double-free-of-RC4-context.patch Patch1: fix-CVE-2019-19906.patch Patch2: backport-db_gdbm-fix-gdbm_errno-overlay-from-gdbm_close.patch +Patch3: backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch BuildRequires: autoconf, automake, libtool, gdbm-devel, groff BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
@@ -260,6 +261,9 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %changelog +* Thu Feb 24 2022 yixiangzhike - 2.1.27-13 +- fix CVE-2022-24407 + * Thu Aug 26 2021 panxiaohe - 2.1.27-12 - remove with-bdb=db from configure
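Review bot: The new `if (cur->values[0])` test in the `@@ -1243,19 +1249,32 @@` hunk of plugins/sql.c indexes `cur->values` without checking the pointer itself, whereas both removed ternaries tested `cur->values && cur->values[0]`. If a property can reach this loop with a NULL `values` array, as the old guard suggests, the store path now dereferences NULL before any statement is built; writing the guard as `if (cur->values && cur->values[0]) {` keeps the earlier protection and still falls through to `SQL_NULL_VALUE`. Separately, `escap_passwd` holds an escaped copy of the stored secret and is released with a plain `free` both at the top of the loop and at `done:`, so consider clearing the buffer before it is released. The body of sql_auxprop_store starts and ends outside these hunks, so an earlier NULL check on `cur->values` cannot be ruled out from here.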