Hello community, here is the log from the commit of package orthanc for openSUSE:Factory checked in at 2020-04-05 20:57:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/orthanc (Old) and /work/SRC/openSUSE:Factory/.orthanc.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "orthanc"
Sun Apr 5 20:57:11 2020 rev:4 rq:791489 version:1.6.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/orthanc/orthanc.changes 2020-03-29 14:26:03.166108469 +0200
+++ /work/SRC/openSUSE:Factory/.orthanc.new.3248/orthanc.changes 2020-04-05 20:57:18.393427341 +0200
@@ -1,0 +2,5 @@
+Sun Apr 5 07:33:34 UTC 2020 - Axel Braun <axel.br...@gmx.de>
+
+- sqlitewrapper.patch (boo#1167431)
+
+-------------------------------------------------------------------
New:
----
sqlitewrapper.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ orthanc.spec ++++++
--- /var/tmp/diff_new_pack.pTg9iV/_old 2020-04-05 20:57:20.053429122 +0200
+++ /var/tmp/diff_new_pack.pTg9iV/_new 2020-04-05 20:57:20.057429126 +0200
@@ -38,6 +38,8 @@
 Source11: http://orthanc.osimis.io/ThirdPartyDownloads/dicom-web/axios-0.19.0.tar.gz
 Source12: http://orthanc.osimis.io/ThirdPartyDownloads/jquery-3.4.1.min.js
 Source13: http://orthanc.osimis.io/ThirdPartyDownloads/dicom-web/vuejs-2.6.10.tar.gz
+# Patch against SQL injection:
+Patch0: sqlitewrapper.patch
 BuildRequires: civetweb-devel
 BuildRequires: cmake >= 2.8.0
@@ -119,6 +121,8 @@
 %prep
 %setup -q -n Orthanc-%{version}
+%patch0 -p0
+
 cp %{S:1} %{S:2} .
 cp %{S:6} UnitTestsSources/.
++++++ orthanc.service ++++++
--- /var/tmp/diff_new_pack.pTg9iV/_old 2020-04-05 20:57:20.237429319 +0200
+++ /var/tmp/diff_new_pack.pTg9iV/_new 2020-04-05 20:57:20.241429324 +0200
@@ -2,6 +2,9 @@
 Description=Orthanc DICOM server
 Documentation=man:orthanc(1) http://www.orthanc-server.com/
 After=syslog.target network.target
+
+[Service]
+# some security settings
 PrivateTmp=true
 ProtectSystem=true
 ProtectHome=true
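Review bot: The `# Patch against SQL injection:` comment above the new `Patch0:` line says what the patch is for but not where it comes from or when it can be dropped, which is what the next packager updating to a newer upstream release will need. The openSUSE convention is a tagged comment carrying the bug and the upstream reference, e.g. `# PATCH-FIX-UPSTREAM sqlitewrapper.patch boo#1167431 -- SQL injection in SQLiteDatabaseWrapper::GetTableRecordCount(), upstream hg changeset 2bf30ef727e3`. The `%patch0 -p0` in the second hunk matches the bare `OrthancServer/...` paths in the patch header, so the strip level looks right.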
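Review bot: The directives that now follow the new `[Service]` header — `PrivateTmp=true`, `ProtectSystem=true`, `ProtectHome=true`, and per the second hunk `PrivateDevices=` and `MemoryDenyWriteExecute=` — previously sat under `[Unit]`, where systemd does not recognise them, so as far as these two hunks show the sandboxing only starts to take effect with this commit; that deserves a line in orthanc.changes, which currently mentions only sqlitewrapper.patch. The added `# some security settings` comment could state what is actually restricted, e.g. `# Sandboxing: private /tmp, read-only /usr and /boot, no access to /home`. With the keys now in the right section, `NoNewPrivileges=true` is a natural companion worth considering.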
@@ -13,7 +16,6 @@
 PrivateDevices=true
 MemoryDenyWriteExecute=true
-[Service]
 Type=simple
 User=orthanc
 Group=orthanc
++++++ sqlitewrapper.patch ++++++
# HG changeset patch
# User Sebastien Jodogne <s.jodo...@gmail.com>
# Date 1585918057 -7200
# Node ID 2bf30ef727e3c0c0498be75eecb253efbb3c1070
# Parent 7f083dfae62b7031fd964681e7ab01e576e49d54
# enforcing SQLiteDatabaseWrapper::GetTableRecordCount() against SQL injection
diff -r 7f083dfae62b -r 2bf30ef727e3 OrthancServer/Database/SQLiteDatabaseWrapper.cpp
--- OrthancServer/Database/SQLiteDatabaseWrapper.cpp Fri Apr 03 14:06:13 2020 +0200
+++ OrthancServer/Database/SQLiteDatabaseWrapper.cpp Fri Apr 03 14:47:37 2020 +0200
@@ -296,17 +296,34 @@
 int64_t SQLiteDatabaseWrapper::GetTableRecordCount(const std::string& table)
 {
- char buf[128];
- sprintf(buf, "SELECT COUNT(*) FROM %s", table.c_str());
- SQLite::Statement s(db_, buf);
-
- if (!s.Step())
+ /**
+ * "Generally one cannot use SQL parameters/placeholders for
+ * database identifiers (tables, columns, views, schemas, etc.) or
+ * database functions (e.g., CURRENT_DATE), but instead only for
+ * binding literal values." => To avoid any SQL injection, we
+ * check that the "table" parameter has only alphabetic
+ * characters.
+ * https://stackoverflow.com/a/1274764/881731
+ **/
+ for (size_t i = 0; i < table.size(); i++)
 {
- throw OrthancException(ErrorCode_InternalError);
+ if (!isalpha(table[i]))
+ {
+ throw OrthancException(ErrorCode_ParameterOutOfRange);
+ }
 }
- int64_t c = s.ColumnInt(0);
- assert(!s.Step());
+ // Don't use "SQLITE_FROM_HERE", otherwise "table" would be cached
+ SQLite::Statement s(db_, "SELECT COUNT(*) FROM " + table);
- return c;
+ if (s.Step())
+ {
+ int64_t c = s.ColumnInt(0);
+ assert(!s.Step());
+ return c;
+ }
+ else
+ {
+ throw OrthancException(ErrorCode_InternalError);
+ }
 }
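Review bot: The allow-list check on the added `if (!isalpha(table[i]))` line passes a plain `char` to `isalpha`, which is undefined behaviour for bytes above 0x7F on platforms where `char` is signed, and whose answer depends on the current C locale, so a non-ASCII byte in `table` is not guaranteed to be rejected even though this loop is the only thing between the caller's string and the concatenated `"SELECT COUNT(*) FROM " + table`. Since the intent stated in the comment block is plain alphabetic characters, spell the test out instead of relying on `<cctype>`: `const char c = table[i];` / `if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')))`. An empty `table` also passes the loop unchanged and is presumably only caught later as a malformed statement; a leading `if (table.empty()) { throw OrthancException(ErrorCode_ParameterOutOfRange); }` would make the guard complete and report the right error code. Whether any table name in the schema contains digits or underscores, which `isalpha` rejects, cannot be told from this hunk.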