Re: [meta-networking][kirkstone][PATCH] cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands


Hitendra Prajapati
 

Hi Team,

I have send patch for master also.

Link :  https://lists.openembedded.org/g/openembedded-devel/topic/meta_oe_master_patch/92080316?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,92080316,previd%3D1656561709166530002,nextid%3D1656465639067169245&previd=1656561709166530002&nextid=1656465639067169245


Regards,

Hitendra

On 29/06/22 22:38, Khem Raj wrote:
this patch is needed on master too, please send a version against master as well. We want to apply that before

backporting it to releases


On 6/28/22 1:55 AM, Hitendra Prajapati wrote:
Source: https://github.com/cyrusimap/cyrus-sasl
MR: 118497
Type: Security Fix
Disposition: Backport from https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc
ChangeID: 4736aae2b7d8986787b1666cfd6eecd590915120
Description:
        CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands.

Signed-off-by: Hitendra Prajapati <hprajapati@...>
---
  .../cyrus-sasl/CVE-2022-24407.patch           | 83 +++++++++++++++++++
  .../cyrus-sasl/cyrus-sasl_2.1.28.bb           |  1 +
  2 files changed, 84 insertions(+)
  create mode 100644 meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch

diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
new file mode 100644
index 000000000..0ddea03c6
--- /dev/null
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,83 @@
+From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@...>
+Date: Wed, 15 Jun 2022 10:44:50 +0530
+Subject: [PATCH] CVE-2022-24407
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@...>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 95f5f707..5d20759b 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
+     char *statement = NULL;
+     char *escap_userid = NULL;
+     char *escap_realm = NULL;
++    char *escap_passwd = NULL;
+     const char *cmd;
+
+     sql_settings_t *settings;
+@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
+                 "Unable to begin transaction\n");
+     }
+     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++    /* Free the buffer, current content is from previous loop. */
++    if (escap_passwd) {
++        sparams->utils->free(escap_passwd);
++        escap_passwd = NULL;
++    }
+
+     if (cur->name[0] == '*') {
+         continue;
+@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
+     }
+     sparams->utils->free(statement);
+
++    if (cur->values[0]) {
++        escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++        if (!escap_passwd) {
++        ret = SASL_NOMEM;
++        break;
++        }
++        settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++    }
++
+     /* create a statement that we will use */
+     statement = sql_create_statement(cmd, cur->name, escap_userid,
+                      escap_realm,
+-                     cur->values && cur->values[0] ?
+-                     cur->values[0] : SQL_NULL_VALUE,
++                     escap_passwd ?
++                     escap_passwd : SQL_NULL_VALUE,
+                      sparams->utils);
++    if (!statement) {
++        ret = SASL_NOMEM;
++        break;
++    }
+    
+     {
+         char *log_statement =
+         sql_create_statement(cmd, cur->name,
+                      escap_userid,
+                      escap_realm,
+-                     cur->values && cur->values[0] ?
++                     escap_passwd ?
+                      "<omitted>" : SQL_NULL_VALUE,
+                      sparams->utils);
+         sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
++    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+--
+2.25.1
+
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
index 98899dfd5..e344733ef 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas
             file://saslauthd.service \
             file://saslauthd.conf \
             file://CVE-2019-19906.patch \
+       file://CVE-2022-24407.patch \
             "
    UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"



--
Regards,
Hitendra Prajapati
MontaVista Software LLC

Join openembedded-devel@lists.openembedded.org to automatically receive all group messages.