On 2026-05-14 21:41:39, Adrian Bunk wrote:
On Sat, May 09, 2026 at 08:41:13AM +0200, Peter Wienemann wrote:
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:sogo
User: [email protected]
Usertags: pu

[ Reason ]
This applies a security fix introduced by upstream release 5.12.7 to version 5.12.1 distributed with Trixie. I am not aware of any CVE identifier for it. Upstream recommends updating immediately provided one of the following setups is used [0]:
1. At least one user source is a PostgreSQL database.
2. a) At least one user source is an SQL database (MariaDB or PostgreSQL)
   b) Passwords are stored in plain text
...
https://security-tracker.debian.org/tracker/CVE-2026-46445
As Adrian pointed out, CVEs have in the meantime been assigned to the issues addressed by the proposed change - more precisely, two CVEs:
https://security-tracker.debian.org/tracker/CVE-2026-46445
https://security-tracker.debian.org/tracker/CVE-2026-46446

I attach an updated debdiff which includes the CVE information.

Best regards

Peter

P.S.: In the meantime a new SOGo version (5.12.8) has been released with even more security fixes:
https://www.sogo.nu/news/2026/sogo-v5128-released.html
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog 2025-12-31 11:33:39.000000000 +0100
+++ sogo-5.12.1/debian/changelog 2026-05-16 21:48:19.000000000 +0200
@@ -1,3 +1,15 @@
+sogo (5.12.1-3+deb13u2) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Add patch to fix the following vulnerabilities:
+ - CVE-2026-46445: SQL injection vulnerability when at least one user
+ source is a PostgreSQL database
+ - CVE-2026-46446: SQL injection vulnerability when at least one user
+ source is an SQL database (MariaDB or PostgreSQL) and passwords are
+ stored in plain text
+
+ -- Peter Wienemann <[email protected]> Sat, 16 May 2026 21:48:19 +0200
+
 sogo (5.12.1-3+deb13u1) trixie; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru sogo-5.12.1/debian/patches/CVE-2026-46445_CVE-2026-46446.patch sogo-5.12.1/debian/patches/CVE-2026-46445_CVE-2026-46446.patch
--- sogo-5.12.1/debian/patches/CVE-2026-46445_CVE-2026-46446.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2026-46445_CVE-2026-46446.patch 2026-05-16 21:48:19.000000000 +0200
@@ -0,0 +1,176 @@
+From: Hivert Quentin <[email protected]>
+Date: Tue, 24 Mar 2026 15:26:37 +0100
+Subject: fix(sql): use proper sql adaptor for usr source
+
+Origin: upstream, https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21.diff
+---
+ SoObjects/SOGo/SQLSource.m | 70 ++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 49 insertions(+), 21 deletions(-)
+
+diff --git a/SoObjects/SOGo/SQLSource.m b/SoObjects/SOGo/SQLSource.m
+index 93e8a81..2a4a950 100644
+--- a/SoObjects/SOGo/SQLSource.m
++++ b/SoObjects/SOGo/SQLSource.m
+@@ -225,9 +225,16 @@
+ */
+ - (NSString *) _encryptPassword: (NSString *) plainPassword
+ {
+- NSString *pass;
++ NSString *pass, *passwordScheme;
+ NSString* result;
+
++ // if ([_userPasswordAlgorithm caseInsensitiveCompare: @"none"] == NSOrderedSame ||
++ // [_userPasswordAlgorithm caseInsensitiveCompare: @"plain"] == NSOrderedSame ||
++ // [_userPasswordAlgorithm caseInsensitiveCompare: @"cleartext"] == NSOrderedSame)
++ // {
++ // pass = [pass stringByReplacingString: @"'" withString: @"''"];
++ // }
++
+ pass = [plainPassword asCryptedPassUsingScheme: _userPasswordAlgorithm
+ keyPath: _keyPath];
+
+@@ -272,6 +279,7 @@
+ grace: (int *) _grace
+ disablepasswordPolicyCheck: (BOOL) _disablepasswordPolicyCheck
+ {
++ EOAdaptor *adaptor;
+ EOAdaptorChannel *channel;
+ EOQualifier *qualifier;
+ GCSChannelManager *cm;
+@@ -281,11 +289,13 @@
+
+ rc = NO;
+
+- _login = [_login stringByReplacingString: @"'" withString: @"''"];
+ cm = [GCSChannelManager defaultChannelManager];
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
+ if (_loginFields)
+ {
+ NSMutableArray *qualifiers;
+@@ -324,7 +334,8 @@
+ nil];
+ [qualifier autorelease];
+ }
+- [qualifier appendSQLToString: sql];
++ [qualifier appendSQLToString: sql
++ withAdaptor: adaptor];
+
+ ex = [channel evaluateExpressionX: sql];
+ if (!ex)
+@@ -430,9 +441,11 @@
+ {
+ BOOL didChange, isOldPwdOk, isPolicyOk;
+ EOAdaptorChannel *channel;
++ EOAdaptor *adaptor;
++ EOQualifier *qualifier_login, *qualifier_pwd;
+ GCSChannelManager *cm;
+ NSException *ex;
+- NSString *sqlstr;
++ NSMutableString *sqlstr;
+
+ *perr = -1;
+ isOldPwdOk = NO;
+@@ -455,16 +468,28 @@
+ return NO;
+
+ // Save new password
+- login = [login stringByReplacingString: @"'" withString: @"''"];
++ // login = [login stringByReplacingString: @"'" withString: @"''"];
+ cm = [GCSChannelManager defaultChannelManager];
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
+- sqlstr = [NSString stringWithFormat: (@"UPDATE %@"
+- @" SET c_password = '%@'"
+- @" WHERE c_uid = '%@'"),
+- [_viewURL gcsTableName], encryptedPassword, login];
+-
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
++ sqlstr = [NSMutableString stringWithFormat: @"UPDATE %@ SET ",
++ [_viewURL gcsTableName]];
++
++ qualifier_pwd = [[EOKeyValueQualifier alloc] initWithKey: @"c_password"
++ operatorSelector: EOQualifierOperatorEqual
++ value: encryptedPassword];
++ [qualifier_pwd appendSQLToString: sqlstr
++ withAdaptor: adaptor];
++ [sqlstr appendString: @" WHERE "];
++ qualifier_login = [[EOKeyValueQualifier alloc] initWithKey: @"c_uid"
++ operatorSelector: EOQualifierOperatorEqual
++ value: login];
++ [qualifier_login appendSQLToString: sqlstr
++ withAdaptor: adaptor];
+ ex = [channel evaluateExpressionX: sqlstr];
+ if (!ex)
+ {
+@@ -998,7 +1023,9 @@
+ inDomain: (NSString *)domain
+ limit: (int)limit
+ {
++ EOAdaptor *adaptor;
+ EOAdaptorChannel *channel;
++ EOQualifier *qualifier;
+ NSEnumerator *criteriaList;
+ NSMutableArray *fields, *results;
+ GCSChannelManager *cm;
+@@ -1014,12 +1041,14 @@
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
+ fields = [NSMutableArray array];
+ if ([filter length])
+ {
+- lowerFilter = [filter lowercaseString];
+- lowerFilter = [lowerFilter asSafeSQLLikeString];
+- filterFormat = [NSString stringWithFormat: @"LOWER(%%@) LIKE '%%%%%@%%%%'", lowerFilter];
++ filter = [[filter asSafeSQLString] stringByReplacingString: @"\%" withString: @"%%"];
++ filterFormat = [NSString stringWithFormat: @"(%%@ isCaseInsensitiveLike: '*%@*')", filter];
+ if (criteria)
+ criteriaList = [criteria objectEnumerator];
+ else
+@@ -1044,7 +1073,9 @@
+ if ([fields count])
+ {
+ qs = [[[fields uniqueObjects] stringsWithFormat: filterFormat] componentsJoinedByString: @" OR "];
+- [sql appendString: qs];
++ qualifier = [EOQualifier qualifierWithQualifierFormat: qs];
++ [qualifier appendSQLToString: sql
++ withAdaptor: adaptor];
+ }
+ else
+ [sql appendString: @"1 = 1"];
+@@ -1108,7 +1139,7 @@
+ andSortOrdering: (EOSortOrdering *) ordering
+ inDomain: (NSString *) domain
+ {
+- static EOAdaptor *adaptor = nil;
++ EOAdaptor *adaptor;
+ NSException *ex;
+ NSMutableArray *results;
+ NSMutableString *sql;
+@@ -1123,12 +1154,9 @@
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
+- if (!adaptor)
+- {
+- EOAdaptorContext *adaptorCtx;
+- adaptorCtx = [channel adaptorContext];
+- adaptor = [adaptorCtx adaptor];
+- }
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
+ sql = [NSMutableString stringWithFormat: @"SELECT c_name FROM %@ WHERE (", [_viewURL gcsTableName]];
+
+ if (qualifier)
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series 2025-12-31 11:33:39.000000000 +0100
+++ sogo-5.12.1/debian/patches/series 2026-05-16 21:48:19.000000000 +0200
@@ -17,3 +17,4 @@
 upstream_use_openid_libcurl.patch
 CVE-2025-63499.patch
 CVE-2025-63498.patch
+CVE-2026-46445_CVE-2026-46446.patch
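Review bot: In the rewritten password update (inner hunk `@@ -455,16 +468,28 @@`), `qualifier_pwd` and `qualifier_login` are created with `alloc`/`initWithKey:operatorSelector:value:` and are not released anywhere in the hunk; this file uses manual retain/release (the login-check hunk does `[qualifier autorelease]` on its own qualifier), so unless they are released further down outside the hunk, every password change leaks two EOKeyValueQualifier objects. Following the file's own idiom, `qualifier_pwd = [[[EOKeyValueQualifier alloc] initWithKey: @"c_password" operatorSelector: EOQualifierOperatorEqual value: encryptedPassword] autorelease];` (and the same for `qualifier_login`) closes that without changing the generated SQL. Two smaller points in the same patch: `passwordScheme` (inner hunk `@@ -225,9 +225,16 @@`) is declared but not used on any visible line, and the commented-out escaping block beneath it is dead text that should be dropped rather than committed; and in the search hunk (`@@ -1014,12 +1041,14 @@`) the filter goes through `asSafeSQLString` before being placed in an EOQualifier format whose value the adaptor will quote again, so it is worth confirming that a filter containing a single quote is neither double-escaped nor mis-parsed by the qualifier format parser. The enclosing methods all start and end outside the hunk.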
OpenPGP_signature.asc
Description: OpenPGP digital signature

