mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
Source: https://github.com/cyrusimap/cyrus-sasl MR: 118501 Type: Security Fix Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc ChangeID: 5e0fc4c28d97b498128e4aa5d3e7c012e914ef51 Description: CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
b406297d3b
commit
9f3d116fdd
@@ -0,0 +1,83 @@
|
|||||||
|
From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
Date: Wed, 15 Jun 2022 10:44:50 +0530
|
||||||
|
Subject: [PATCH] CVE-2022-24407
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
|
||||||
|
CVE: CVE-2022-24407
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
plugins/sql.c | 26 +++++++++++++++++++++++---
|
||||||
|
1 file changed, 23 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/plugins/sql.c b/plugins/sql.c
|
||||||
|
index 95f5f707..5d20759b 100644
|
||||||
|
--- a/plugins/sql.c
|
||||||
|
+++ b/plugins/sql.c
|
||||||
|
@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
|
||||||
|
char *statement = NULL;
|
||||||
|
char *escap_userid = NULL;
|
||||||
|
char *escap_realm = NULL;
|
||||||
|
+ char *escap_passwd = NULL;
|
||||||
|
const char *cmd;
|
||||||
|
|
||||||
|
sql_settings_t *settings;
|
||||||
|
@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
|
||||||
|
"Unable to begin transaction\n");
|
||||||
|
}
|
||||||
|
for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
|
||||||
|
+ /* Free the buffer, current content is from previous loop. */
|
||||||
|
+ if (escap_passwd) {
|
||||||
|
+ sparams->utils->free(escap_passwd);
|
||||||
|
+ escap_passwd = NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (cur->name[0] == '*') {
|
||||||
|
continue;
|
||||||
|
@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
|
||||||
|
}
|
||||||
|
sparams->utils->free(statement);
|
||||||
|
|
||||||
|
+ if (cur->values[0]) {
|
||||||
|
+ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
|
||||||
|
+ if (!escap_passwd) {
|
||||||
|
+ ret = SASL_NOMEM;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* create a statement that we will use */
|
||||||
|
statement = sql_create_statement(cmd, cur->name, escap_userid,
|
||||||
|
escap_realm,
|
||||||
|
- cur->values && cur->values[0] ?
|
||||||
|
- cur->values[0] : SQL_NULL_VALUE,
|
||||||
|
+ escap_passwd ?
|
||||||
|
+ escap_passwd : SQL_NULL_VALUE,
|
||||||
|
sparams->utils);
|
||||||
|
+ if (!statement) {
|
||||||
|
+ ret = SASL_NOMEM;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
{
|
||||||
|
char *log_statement =
|
||||||
|
sql_create_statement(cmd, cur->name,
|
||||||
|
escap_userid,
|
||||||
|
escap_realm,
|
||||||
|
- cur->values && cur->values[0] ?
|
||||||
|
+ escap_passwd ?
|
||||||
|
"<omitted>" : SQL_NULL_VALUE,
|
||||||
|
sparams->utils);
|
||||||
|
sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
|
||||||
|
@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
|
||||||
|
done:
|
||||||
|
if (escap_userid) sparams->utils->free(escap_userid);
|
||||||
|
if (escap_realm) sparams->utils->free(escap_realm);
|
||||||
|
+ if (escap_passwd) sparams->utils->free(escap_passwd);
|
||||||
|
if (conn) settings->sql_engine->sql_close(conn);
|
||||||
|
if (userid) sparams->utils->free(userid);
|
||||||
|
if (realm) sparams->utils->free(realm);
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \
|
|||||||
file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \
|
file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \
|
||||||
file://0001-makeinit.sh-fix-parallel-build-issue.patch \
|
file://0001-makeinit.sh-fix-parallel-build-issue.patch \
|
||||||
file://CVE-2019-19906.patch \
|
file://CVE-2019-19906.patch \
|
||||||
|
file://CVE-2022-24407.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
|
UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
|
||||||
|
|||||||
Reference in New Issue
Block a user