File 0001-CVE-2022-24407-Escape-password-for-SQL-ins... of Package cyrus-sasl-saslauthd

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch of Package cyrus-sasl-saslauthd (Revision e9a86eb39165f344aba0cbce10326922)

Currently displaying revision e9a86eb39165f344aba0cbce10326922 , Show latest

From 37f2e0f0658d78a1496dc277f402f8b577ce6aae Mon Sep 17 00:00:00 2001
From: Klaus Espenlaub <klaus@espenlaub.com>
Date: Tue, 8 Feb 2022 20:34:40 +0000
Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
 commands.

Signed-off-by: Klaus Espenlaub <klaus@espenlaub.com>
---
 plugins/sql.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/plugins/sql.c b/plugins/sql.c
index 31b54a78..6ac81c2f 100644

--- a/plugins/sql.c.orig	2022-02-21 14:33:10.753089792 +0100
+++ b/plugins/sql.c	2022-02-21 14:34:10.137679334 +0100
@@ -1145,6 +1145,7 @@
     char *statement = NULL;
     char *escap_userid = NULL;
     char *escap_realm = NULL;
+    char *escap_passwd = NULL;
     const char *cmd;
     
     sql_settings_t *settings;
@@ -1216,6 +1217,11 @@
 			    "Unable to begin transaction\n");
     }
     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
+	/* Free the buffer, current content is from previous loop. */
+	if (escap_passwd) {
+	    sparams->utils->free(escap_passwd);
+	    escap_passwd = NULL;
+	}
 
 	if (cur->name[0] == '*') {
 	    continue;
@@ -1237,19 +1243,32 @@
 	}
 	sparams->utils->free(statement);
 
+	if (cur->values[0]) {
+	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
+	    if (!escap_passwd) {
+		ret = SASL_NOMEM;
+		break;
+	    }
+	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
+	}
+
 	/* create a statement that we will use */
 	statement = sql_create_statement(cmd, cur->name, escap_userid,
 					 escap_realm,
-					 cur->values && cur->values[0] ?
-					 cur->values[0] : SQL_NULL_VALUE,
+					 escap_passwd ?
+					 escap_passwd : SQL_NULL_VALUE,
 					 sparams->utils);
+	if (!statement) {
+	    ret = SASL_NOMEM;
+	    break;
+	}
 	
 	{
 	    char *log_statement =
 		sql_create_statement(cmd, cur->name,
 				     escap_userid,
 				     escap_realm,
-				     cur->values && cur->values[0] ?
+				     escap_passwd ?
 				     "<omitted>" : SQL_NULL_VALUE,
 				     sparams->utils);
 	    sparams->utils->log(NULL, SASL_LOG_DEBUG,
@@ -1282,6 +1301,7 @@
   done:
     if (escap_userid) sparams->utils->free(escap_userid);
     if (escap_realm) sparams->utils->free(escap_realm);
+    if (escap_passwd) sparams->utils->free(escap_passwd);
     if (conn) settings->sql_engine->sql_close(conn);
     if (userid) sparams->utils->free(userid);
     if (realm) sparams->utils->free(realm);

Places

File 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch of Package cyrus-sasl-saslauthd (Revision e9a86eb39165f344aba0cbce10326922)

Places