| Message ID | 20220630040138.6776-1-hprajapati@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,master] cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands | expand |
this fails to apply the patch during build. https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/1809/steps/15/logs/stdio Please test it before sending a v2. On Thu, Jun 30, 2022 at 12:01 AM Hitendra Prajapati <hprajapati@mvista.com> wrote: > > Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc > CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > .../cyrus-sasl/CVE-2022-24407.patch | 83 +++++++++++++++++++ > .../cyrus-sasl/cyrus-sasl_2.1.28.bb | 1 + > 2 files changed, 84 insertions(+) > create mode 100644 meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch > > diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch > new file mode 100644 > index 000000000..0ddea03c6 > --- /dev/null > +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch > @@ -0,0 +1,83 @@ > +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <hprajapati@mvista.com> > +Date: Wed, 15 Jun 2022 10:44:50 +0530 > +Subject: [PATCH] CVE-2022-24407 > + > +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] > +CVE: CVE-2022-24407 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + plugins/sql.c | 26 +++++++++++++++++++++++--- > + 1 file changed, 23 insertions(+), 3 deletions(-) > + > +diff --git a/plugins/sql.c b/plugins/sql.c > +index 95f5f707..5d20759b 100644 > +--- a/plugins/sql.c > ++++ b/plugins/sql.c > +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, > + char *statement = NULL; > + char *escap_userid = NULL; > + char *escap_realm = NULL; > ++ char *escap_passwd = NULL; > + const char *cmd; > + > + sql_settings_t *settings; > +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, > + "Unable to begin transaction\n"); > + } > + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { > ++ /* Free the buffer, current content is from previous loop. */ > ++ if (escap_passwd) { > ++ sparams->utils->free(escap_passwd); > ++ escap_passwd = NULL; > ++ } > + > + if (cur->name[0] == '*') { > + continue; > +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, > + } > + sparams->utils->free(statement); > + > ++ if (cur->values[0]) { > ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); > ++ if (!escap_passwd) { > ++ ret = SASL_NOMEM; > ++ break; > ++ } > ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); > ++ } > ++ > + /* create a statement that we will use */ > + statement = sql_create_statement(cmd, cur->name, escap_userid, > + escap_realm, > +- cur->values && cur->values[0] ? > +- cur->values[0] : SQL_NULL_VALUE, > ++ escap_passwd ? > ++ escap_passwd : SQL_NULL_VALUE, > + sparams->utils); > ++ if (!statement) { > ++ ret = SASL_NOMEM; > ++ break; > ++ } > + > + { > + char *log_statement = > + sql_create_statement(cmd, cur->name, > + escap_userid, > + escap_realm, > +- cur->values && cur->values[0] ? > ++ escap_passwd ? > + "<omitted>" : SQL_NULL_VALUE, > + sparams->utils); > + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, > +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, > + done: > + if (escap_userid) sparams->utils->free(escap_userid); > + if (escap_realm) sparams->utils->free(escap_realm); > ++ if (escap_passwd) sparams->utils->free(escap_passwd); > + if (conn) settings->sql_engine->sql_close(conn); > + if (userid) sparams->utils->free(userid); > + if (realm) sparams->utils->free(realm); > +-- > +2.25.1 > + > diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb > index 98899dfd5..0b2ce3639 100644 > --- a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb > +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb > @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas > file://saslauthd.service \ > file://saslauthd.conf \ > file://CVE-2019-19906.patch \ > + file://CVE-2022-24407.patch \ > " > > UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#97633): https://lists.openembedded.org/g/openembedded-devel/message/97633 > Mute This Topic: https://lists.openembedded.org/mt/92080316/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 000000000..0ddea03c6 --- /dev/null +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch @@ -0,0 +1,83 @@ +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 15 Jun 2022 10:44:50 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 95f5f707..5d20759b 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, + char *statement = NULL; + char *escap_userid = NULL; + char *escap_realm = NULL; ++ char *escap_passwd = NULL; + const char *cmd; + + sql_settings_t *settings; +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, + "Unable to begin transaction\n"); + } + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { ++ /* Free the buffer, current content is from previous loop. */ ++ if (escap_passwd) { ++ sparams->utils->free(escap_passwd); ++ escap_passwd = NULL; ++ } + + if (cur->name[0] == '*') { + continue; +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, + } + sparams->utils->free(statement); + ++ if (cur->values[0]) { ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); ++ if (!escap_passwd) { ++ ret = SASL_NOMEM; ++ break; ++ } ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); ++ } ++ + /* create a statement that we will use */ + statement = sql_create_statement(cmd, cur->name, escap_userid, + escap_realm, +- cur->values && cur->values[0] ? +- cur->values[0] : SQL_NULL_VALUE, ++ escap_passwd ? ++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb index 98899dfd5..0b2ce3639 100644 --- a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas file://saslauthd.service \ file://saslauthd.conf \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../cyrus-sasl/CVE-2022-24407.patch | 83 +++++++++++++++++++ .../cyrus-sasl/cyrus-sasl_2.1.28.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch