Re: [oe] [meta-oe][master][PATCH] cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands

Thu, 30 Jun 2022 10:49:12 -0700 

this fails to apply the patch during build.

https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/1809/steps/15/logs/stdio

Please test it before sending a v2.

On Thu, Jun 30, 2022 at 12:01 AM Hitendra Prajapati
<[email protected]> wrote:
>
> Backport from 
> https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
> CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an 
> attacker to execute arbitrary SQL commands.
>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---
>  .../cyrus-sasl/CVE-2022-24407.patch           | 83 +++++++++++++++++++
>  .../cyrus-sasl/cyrus-sasl_2.1.28.bb           |  1 +
>  2 files changed, 84 insertions(+)
>  create mode 100644 
> meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
>
> diff --git 
> a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch 
> b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
> new file mode 100644
> index 000000000..0ddea03c6
> --- /dev/null
> +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
> @@ -0,0 +1,83 @@
> +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <[email protected]>
> +Date: Wed, 15 Jun 2022 10:44:50 +0530
> +Subject: [PATCH] CVE-2022-24407
> +
> +Upstream-Status: Backport 
> [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
> +CVE: CVE-2022-24407
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + plugins/sql.c | 26 +++++++++++++++++++++++---
> + 1 file changed, 23 insertions(+), 3 deletions(-)
> +
> +diff --git a/plugins/sql.c b/plugins/sql.c
> +index 95f5f707..5d20759b 100644
> +--- a/plugins/sql.c
> ++++ b/plugins/sql.c
> +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
> +     char *statement = NULL;
> +     char *escap_userid = NULL;
> +     char *escap_realm = NULL;
> ++    char *escap_passwd = NULL;
> +     const char *cmd;
> +
> +     sql_settings_t *settings;
> +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
> +                           "Unable to begin transaction\n");
> +     }
> +     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
> ++      /* Free the buffer, current content is from previous loop. */
> ++      if (escap_passwd) {
> ++          sparams->utils->free(escap_passwd);
> ++          escap_passwd = NULL;
> ++      }
> +
> +       if (cur->name[0] == '*') {
> +           continue;
> +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
> +       }
> +       sparams->utils->free(statement);
> +
> ++      if (cur->values[0]) {
> ++          escap_passwd = (char 
> *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
> ++          if (!escap_passwd) {
> ++              ret = SASL_NOMEM;
> ++              break;
> ++          }
> ++          settings->sql_engine->sql_escape_str(escap_passwd, 
> cur->values[0]);
> ++      }
> ++
> +       /* create a statement that we will use */
> +       statement = sql_create_statement(cmd, cur->name, escap_userid,
> +                                        escap_realm,
> +-                                       cur->values && cur->values[0] ?
> +-                                       cur->values[0] : SQL_NULL_VALUE,
> ++                                       escap_passwd ?
> ++                                       escap_passwd : SQL_NULL_VALUE,
> +                                        sparams->utils);
> ++      if (!statement) {
> ++          ret = SASL_NOMEM;
> ++          break;
> ++      }
> +
> +       {
> +           char *log_statement =
> +               sql_create_statement(cmd, cur->name,
> +                                    escap_userid,
> +                                    escap_realm,
> +-                                   cur->values && cur->values[0] ?
> ++                                   escap_passwd ?
> +                                    "<omitted>" : SQL_NULL_VALUE,
> +                                    sparams->utils);
> +           sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
> +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
> +   done:
> +     if (escap_userid) sparams->utils->free(escap_userid);
> +     if (escap_realm) sparams->utils->free(escap_realm);
> ++    if (escap_passwd) sparams->utils->free(escap_passwd);
> +     if (conn) settings->sql_engine->sql_close(conn);
> +     if (userid) sparams->utils->free(userid);
> +     if (realm) sparams->utils->free(realm);
> +--
> +2.25.1
> +
> diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb 
> b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb
> index 98899dfd5..0b2ce3639 100644
> --- a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb
> +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb
> @@ -14,6 +14,7 @@ SRC_URI = 
> "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas
>             file://saslauthd.service \
>             file://saslauthd.conf \
>             file://CVE-2019-19906.patch \
> +           file://CVE-2022-24407.patch \
>             "
>
>  UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives";
> --
> 2.25.1
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#97642): 
https://lists.openembedded.org/g/openembedded-devel/message/97642
Mute This Topic: https://lists.openembedded.org/mt/92080316/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to