diff --git a/SOURCES/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch b/SOURCES/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
new file mode 100644
index 0000000..a430d65
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
@@ -0,0 +1,82 @@
+From 37f2e0f0658d78a1496dc277f402f8b577ce6aae Mon Sep 17 00:00:00 2001
+From: Klaus Espenlaub
+Date: Tue, 8 Feb 2022 20:34:40 +0000
+Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
+ commands.
+
+Signed-off-by: Klaus Espenlaub
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 31b54a78..6ac81c2f 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1151,6 +1151,7 @@ static int sql_auxprop_store(void *glob_context,
+ char *statement = NULL;
+ char *escap_userid = NULL;
+ char *escap_realm = NULL;
++ char *escap_passwd = NULL;
+ const char *cmd;
+ 
+ sql_settings_t *settings;
+@@ -1222,6 +1223,11 @@ static int sql_auxprop_store(void *glob_context,
+ "Unable to begin transaction\n");
+ }
+ for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++ /* Free the buffer, current content is from previous loop. */
++ if (escap_passwd) {
++ sparams->utils->free(escap_passwd);
++ escap_passwd = NULL;
++ }
+ 
+ if (cur->name[0] == '*') {
+ continue;
+@@ -1243,19 +1249,32 @@ static int sql_auxprop_store(void *glob_context,
+ }
+ sparams->utils->free(statement);
+ 
++ if (cur->values[0]) {
++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++ if (!escap_passwd) {
++ ret = SASL_NOMEM;
++ break;
++ }
++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++ }
++
+ /* create a statement that we will use */
+ statement = sql_create_statement(cmd, cur->name, escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
+- cur->values[0] : SQL_NULL_VALUE,
++ escap_passwd ?
++ escap_passwd : SQL_NULL_VALUE,
+ sparams->utils);
++ if (!statement) {
++ ret = SASL_NOMEM;
++ break;
++ }
+ 
+ {
+ char *log_statement =
+ sql_create_statement(cmd, cur->name,
+ escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
++ escap_passwd ?
+ "" : SQL_NULL_VALUE,
+ sparams->utils);
+ sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1288,6 +1307,7 @@ static int sql_auxprop_store(void *glob_context,
+ done:
+ if (escap_userid) sparams->utils->free(escap_userid);
+ if (escap_realm) sparams->utils->free(escap_realm);
++ if (escap_passwd) sparams->utils->free(escap_passwd);
+ if (conn) settings->sql_engine->sql_close(conn);
+ if (userid) sparams->utils->free(userid);
+ if (realm) sparams->utils->free(realm);
+-- 
+2.25.1
+
diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec
index e667c2c..74c8fff 100644
--- a/SPECS/cyrus-sasl.spec
+++ b/SPECS/cyrus-sasl.spec
@@ -8,7 +8,7 @@ Summary: The Cyrus SASL library Name: cyrus-sasl Version: 2.1.27 -Release: 5%{?dist} +Release: 6%{?dist} License: BSD with advertising Group: System Environment/Libraries # Source0 originally comes from https://www.cyrusimap.org/releases/;
@@ -36,6 +36,8 @@ Patch832: cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.pa Patch833: cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch Patch834: cyrus-sasl-2.1.27-Emit-debug-log-only-in-case-of-errors.patch +Patch900: 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch + Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, automake, libtool, gdbm-devel, groff BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
@@ -173,6 +175,7 @@ the GS2 authentication scheme. %patch832 -p1 -b .gssapi_cbs %patch833 -p1 -b .maxssf0 %patch834 -p1 -b .nolog +%patch900 -p1 -b .CVE-2022-24407 %build # reconfigure
@@ -406,6 +409,10 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} %{_sbindir}/sasl2-shared-mechlist %changelog +* Thu Feb 17 2022 Simo Sorce - 2.1.27-6 +- Fix for CVE-2022-24407 +- Resolves: rhbz#2055846 + * Tue May 5 2020 Simo Sorce - 2.1.27-5 - Reduce excessive GSSAPI plugin logging - Resolves: rhbz#1274734
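Review bot: In the `@@ -1243,19 +1249,32 @@` hunk of plugins/sql.c (carried inside the added patch file), the new `if (cur->values[0])` indexes `cur->values` without the NULL test that the removed lines had (`cur->values && cur->values[0] ?`). If a property can reach this point with no value array, which the old guard suggests although the earlier part of the loop body is outside the hunk, the escape step turns into a NULL dereference in the store path. I would keep the guard: `if (cur->values && cur->values[0]) {`. The allocation also assumes `sql_escape_str` never writes more than `strlen*2+1` bytes, and the fix is only as strong as each backend's escape routine; neither is visible here, so both are worth confirming per engine. `sql_auxprop_store` starts and ends outside these hunks.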