Bug#423928: marked as done (libpam-pgsql: unnecessarily SQL-escapes option values from trusted source)

Sun, 26 Aug 2007 14:08:36 -0700 

Your message dated Sun, 26 Aug 2007 21:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#423928: fixed in pam-pgsql 0.5.2-9.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: libpam-pgsql
Version: 0.5.2-9+b1
Severity: normal
Tags: patch

Hi,

the current libpam-pgsql library escapes the SQL options table name and
various column names specified from within the pam configuration file or
the pam_pgsql.conf.

This prevents more complex SQL constructs within those parameters (such
as nested SQL statements instead of a simple table or view name) without
providing any real additional security, as the options' source should be
trustworthy anyway (only system administrators can modify the PAM
configuration or pam_pgsql.conf files). Nothing was changed regarding
user provided input (such as the user name).

The attached patch removes the unnecessary escaping and is tested on our
systems. Please apply.

Greetings, Fabian

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (800, 'stable'), (3, 'testing'), (2, 'unstable'), (1, 
'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libpam-pgsql depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libmhash2                   0.9.7-1      Library for cryptographic hashing 
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l
ii  libpq4                      8.1.8-1      PostgreSQL C client library

libpam-pgsql recommends no packages.

-- no debconf information

This patch removes unnecessary SQL escaping of the options table name and
column names. This allows more complex SQL constructs within the
aforementioned options when specified via the configuration file.

 -- Fabian Knittel <[EMAIL PROTECTED]>

diff -urN pam-pgsql-0.5.2.orig/pam_pgsql.c pam-pgsql-0.5.2/pam_pgsql.c
--- pam-pgsql-0.5.2.orig/pam_pgsql.c	2007-05-14 18:35:20.000000000 +0200
+++ pam-pgsql-0.5.2/pam_pgsql.c	2007-05-14 20:07:23.000000000 +0200
@@ -425,9 +425,6 @@
     PGconn *conn;
     int rc, esclen;
     char *user_s;
-    char *pwd_column_s;
-    char *table_s;
-    char *user_column_s;
 #define CRYPT_LEN 13
 
     if(!(conn = pg_connect(options)))
@@ -439,28 +436,13 @@
     sqlescape(user, user_s, strlen(user));
     DBGLOG("%s", user_s);
 
-    esclen = strlen(options->pwd_column)*2+1;
-    pwd_column_s = malloc(esclen);
-    sqlescape(options->pwd_column, pwd_column_s, strlen(options->pwd_column));
-
-    esclen = strlen(options->table)*2+1;
-    table_s = malloc(esclen);
-    sqlescape(options->table, table_s, strlen(options->table));
-
-    esclen = strlen(options->user_column)*2+1;
-    user_column_s = malloc(esclen);
-    sqlescape(options->user_column, user_column_s, strlen(options->user_column));
-
-    DBGLOG("query: SELECT %s FROM %s WHERE %s='%s'", pwd_column_s, table_s, user_column_s, user_s);
+    DBGLOG("query: SELECT %s FROM %s WHERE %s='%s'", options->pwd_column, options->table, options->user_column, user_s);
     if(pg_exec(options, conn, &res, "SELECT %s FROM %s WHERE %s='%s'",
-               pwd_column_s,
-               table_s,
-               user_column_s,
+               options->pwd_column,
+               options->table,
+               options->user_column,
                user_s) != 0) {
 	free(user_s);
-	free(table_s);
-	free(user_column_s);  
-	free(pwd_column_s);   
                
         PQclear(res);
         PQfinish(conn);
@@ -518,9 +500,6 @@
     PQclear(res);
     PQfinish(conn);
     free(user_s);
-    free(table_s);
-    free(user_column_s);
-    free(pwd_column_s);
     return rc;
 }
 
@@ -570,10 +549,6 @@
     struct module_options *options;
     const char *user;
     char *user_s;
-    char *table_s;
-    char *expired_column_s;
-    char *user_column_s;
-    char *newtok_column_s;
     int rc, esclen;
     PGconn *conn;
     PGresult *res;
@@ -606,38 +581,17 @@
 
     sqlescape(user, user_s, strlen(user));  
 
-    esclen = strlen(options->expired_column)*2+1;
-    expired_column_s = malloc(esclen);
-    sqlescape(options->expired_column, expired_column_s, strlen(options->expired_column));
-
-    esclen = strlen(options->table)*2+1;
-    table_s = malloc(esclen);
-    sqlescape(options->table, table_s, strlen(options->table));
-
-    esclen = strlen(options->user_column)*2+1;
-    user_column_s = malloc(esclen);
-    sqlescape(options->user_column, user_column_s, strlen(options->user_column));
-
-    esclen = strlen(options->newtok_column)*2+1;
-    newtok_column_s = malloc(esclen);
-    sqlescape(options->newtok_column, newtok_column_s, strlen(options->newtok_column));
-    
-
     /* if account has expired then expired_column = '1' or 'y' */
     if(options->expired_column) {
-    	DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'", table_s, user_column_s, user_s, expired_column_s, expired_column_s);
+    	DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'", options->table, options->user_column, user_s, options->expired_column, options->expired_column);
         if(pg_exec(options, conn, &res, 
                    "SELECT 1 FROM %s WHERE %s='%s' AND (%s='y' OR %s='1')" ,
-                   table_s,
-                   user_column_s,
+                   options->table,
+                   options->user_column,
                    user_s,
-                   expired_column_s,
-                   expired_column_s) != 0) {
+                   options->expired_column,
+                   options->expired_column) != 0) {
 	    free(user_s);
-	    free(table_s);
-	    free(newtok_column_s);
-	    free(user_column_s);
-	    free(expired_column_s); 
 
             PQclear(res);
             PQfinish(conn);
@@ -646,10 +600,6 @@
         }
         if(PQntuples(res) > 0) {
 	    free(user_s);
-	    free(table_s);
-	    free(newtok_column_s);
-	    free(user_column_s);
-	    free(expired_column_s); 
 
             PQclear(res);
             PQfinish(conn);
@@ -661,19 +611,15 @@
 
     /* if new password is required then newtok_column = 'y' or '1' */
     if(options->newtok_column) {
-    	DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'", table_s, user_column_s, user_s, newtok_column_s, newtok_column_s);
+    	DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'", options->table, options->user_column, user_s, options->newtok_column, options->newtok_column);
         if(pg_exec(options, conn, &res, 
                    "SELECT 1 FROM %s WHERE %s='%s' AND (%s='y' OR %s='1')",
-                   table_s,
-                   user_column_s,
+                   options->table,
+                   options->user_column,
                    user_s,
-                   newtok_column_s,
-                   newtok_column_s) != 0) {
+                   options->newtok_column,
+                   options->newtok_column) != 0) {
 	    free(user_s);
-	    free(table_s);
-	    free(newtok_column_s);
-	    free(user_column_s);
-	    free(expired_column_s); 
 
 	    PQclear(res);
             PQfinish(conn);
@@ -682,10 +628,6 @@
         }
         if(PQntuples(res) > 0) {
 	    free(user_s);
-	    free(table_s);
-	    free(newtok_column_s);
-	    free(user_column_s);
-	    free(expired_column_s); 
 
             PQclear(res);
             PQfinish(conn);
@@ -697,10 +639,6 @@
 
     PQfinish(conn);
     free(user_s);
-    free(table_s);
-    free(newtok_column_s);
-    free(user_column_s);
-    free(expired_column_s);
     free_module_options(options);
     return PAM_SUCCESS;
 }
@@ -713,11 +651,7 @@
     int rc, std_flags, esclen;
     const char *user, *pass, *newpass;
     char *newpass_crypt, *user_s;
-    char *table_s;
     char *newpass_crypt_s;
-    char *user_column_s;
-    char *pwd_column_s;
-    char *newtok_column_s;
     PGconn *conn;
     PGresult *res;
 
@@ -811,44 +745,23 @@
 
         sqlescape(user, user_s, strlen(user));
         
-        esclen = strlen(options->pwd_column)*2+1;
-        pwd_column_s = malloc(esclen);
-        sqlescape(options->pwd_column, pwd_column_s, strlen(options->pwd_column));
- 
-        esclen = strlen(options->table)*2+1;
-        table_s = malloc(esclen);
-        sqlescape(options->table, table_s, strlen(options->table));
- 
-        esclen = strlen(options->user_column)*2+1;
-        user_column_s = malloc(esclen);
-        sqlescape(options->user_column, user_column_s, strlen(options->user_column));
- 
         esclen = strlen(newpass_crypt)*2+1;
         newpass_crypt_s = malloc(esclen);  
         sqlescape(newpass_crypt, newpass_crypt_s, strlen(newpass_crypt));
 
-	esclen = strlen(options->newtok_column)*2+1;
-	newtok_column_s = malloc(esclen);
-	sqlescape(options->newtok_column, newtok_column_s, strlen(options->newtok_column));
-
- 
-        DBGLOG("query: UPDATE %s SET %s='%s' WHERE %s='%s'", table_s, pwd_column_s, "******", user_column_s, user_s);
+        DBGLOG("query: UPDATE %s SET %s='%s' WHERE %s='%s'", options->table, options->pwd_column, "******", options->user_column, user_s);
         
     	if (!options->newtok_column) {
 	        if(pg_exec(options, conn, &res,
        	            "UPDATE %s SET %s='%s' WHERE %s='%s'",
-       	            table_s,
-       	            pwd_column_s,
+       	            options->table,
+       	            options->pwd_column,
        	            newpass_crypt_s,
-       	            user_column_s,  
+       	            options->user_column,  
        	            user_s) != 0) {
        	            	free(newpass_crypt);
 		        free(newpass_crypt_s);
 		        free(user_s);
-		        free(pwd_column_s);
-		        free(user_column_s);
-		        free(newtok_column_s);
-		        free(table_s);
 	        	free_module_options(options);
 	        	PQclear(res);
 	        	PQfinish(conn);
@@ -857,19 +770,14 @@
 	} else {
 	        if(pg_exec(options, conn, &res,
        	            "UPDATE %s SET %s='%s', %s='0' WHERE %s='%s'",
-       	            table_s,
-       	            pwd_column_s,
+       	            options->table,
+       	            options->pwd_column,
        	            newpass_crypt_s,
-       	            newtok_column_s,
-       	            user_column_s,  
+       	            options->user_column,  
        	            user_s) != 0) {
        	            	free(newpass_crypt);
 		        free(newpass_crypt_s);
 		        free(user_s);
-		        free(pwd_column_s);
-		        free(user_column_s);
-		        free(newtok_column_s);
-		        free(table_s);
 	        	free_module_options(options);
 	        	PQclear(res);
 	        	PQfinish(conn);
@@ -881,10 +789,6 @@
         free(newpass_crypt);
         free(newpass_crypt_s);
         free(user_s);
-        free(pwd_column_s);
-        free(user_column_s);
-	free(newtok_column_s);
-        free(table_s);
         PQclear(res);
         PQfinish(conn);
     }

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message --- 
Source: pam-pgsql
Source-Version: 0.5.2-9.2

We believe that the bug you reported is fixed in the latest version of
pam-pgsql, which is due to be installed in the Debian FTP archive:

libpam-pgsql_0.5.2-9.2_amd64.deb
  to pool/main/p/pam-pgsql/libpam-pgsql_0.5.2-9.2_amd64.deb
pam-pgsql_0.5.2-9.2.diff.gz
  to pool/main/p/pam-pgsql/pam-pgsql_0.5.2-9.2.diff.gz
pam-pgsql_0.5.2-9.2.dsc
  to pool/main/p/pam-pgsql/pam-pgsql_0.5.2-9.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Kern <[EMAIL PROTECTED]> (supplier of updated pam-pgsql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 26 Aug 2007 22:14:25 +0200
Source: pam-pgsql
Binary: libpam-pgsql
Architecture: source amd64
Version: 0.5.2-9.2
Distribution: unstable
Urgency: low
Maintainer: Primoz Bratanic <[EMAIL PROTECTED]>
Changed-By: Philipp Kern <[EMAIL PROTECTED]>
Description: 
 libpam-pgsql - PAM module to authenticate using a PostgreSQL database
Closes: 355180 423928
Changes: 
 pam-pgsql (0.5.2-9.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Added quilt to the build system.
   * Made `binary-indep' an empty target and introduced `build-stamp'.
   * Fixed a memory leak. (Closes: #355180)
   * Applied a patch to remove unnecessary escaping of the SQL queries.
     (Closes: #423928)
   * Do not install `test.c' as an example.
Files: 
 5d8dbfe1f5e7a079c720d731cb235e99 636 admin extra pam-pgsql_0.5.2-9.2.dsc
 b9b08cc42a738458b5c5beaea890693c 73861 admin extra pam-pgsql_0.5.2-9.2.diff.gz
 a9db0aee4c923ad92880783385eb1b1a 15690 admin extra 
libpam-pgsql_0.5.2-9.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG0efA7Ro5M7LPzdgRAiU7AKCfHyxDqV2n2Ww6HXkbfyCfVwFuYgCaAq4U
He9GmiC5E31YXhe/NlIN9Po=
=OL08
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to