Bug#485424: courier-authlib: possible sql injection

2008-06-09 Thread Stefan Hornburg (Racke)
Steffen Joeris wrote:
> Package: courier-authlib
> Severity: grave
> Tags: security, patch
> Justification: user security hole
> 
> Hi
> 
> It was announced that courier-authlib suffers from an SQL injection
> vulnerability with MySQL databases that use non-Latin character
> sets.
> For more information see this link[0]. There is also a follow-up here[1].
> A CVE id is already requested and will be added to this bug report, once
> it is available.
> 
> The patch is attached, please review and consider including it.

This problem is fixed in courier-authlib 0.60.6, so the patch from upstream
should be used (if different). I'm off to a social event now; you can
upload an NMU if you like.

Regards
 Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team





Bug#485424: courier-authlib: possible sql injection

2008-06-09 Thread Steffen Joeris
Package: courier-authlib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It was announced that courier-authlib suffers from an SQL injection
vulnerability with MySQL databases that use non-Latin character
sets.
For more information see this link[0]. There is also a follow-up here[1].
A CVE id is already requested and will be added to this bug report, once
it is available.

The patch is attached, please review and consider including it.

Cheers
Steffen

[0]: http://marc.info/?l=courier-users&m=121293814822605&w=2

[1]: http://marc.info/?l=courier-users&m=121294465330832
--- courier-authlib-0.60.1.orig/authmysqllib.c
+++ courier-authlib-0.60.1/authmysqllib.c
@@ -110,6 +110,43 @@
 
 static MYSQL *mysql=0;
 
+static void set_session_options(void)
+/*
+* session variables can be set once for the whole session
+*/
+{
+/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
+#if MYSQL_VERSION_ID >= 41000
+   const char *character_set=read_env("MYSQL_CHARACTER_SET"), *check;
+
+if(character_set){
+
+/*
+* This function works like the SET NAMES statement, but also sets
+* the value of mysql->charset, and thus affects the character set
+* used by mysql_real_escape_string()
+*
+* (return value apparently work the opposite of what is documented)
+*/
+mysql_set_character_set(mysql, character_set);
+check = mysql_character_set_name(mysql);
+if (strcmp(character_set, check) != 0)
+{
+err("Cannot set MySQL character set \"%s\", working with 
\"%s\"\n",
+character_set, check);
+}
+else
+{
+DPRINTF("Install of a character set for MySQL: %s", 
character_set);
+}
+}
+#endif /* 41000 */
+}
+
+
+
+
+
 static int do_connect()
 {
 const  char *server;
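Review bot: the failure branch in set_session_options() only calls err() and returns, so when strcmp(character_set, check) != 0 the connection is still handed back as usable and mysql_real_escape_string() will escape under whatever charset the connection defaulted to, which is exactly the mismatch this patch exists to close; make set_session_options() return an int and let do_connect() fail when the requested character set could not be installed. The return value of mysql_set_character_set() is discarded on the strength of the comment that it "apparently work[s] the opposite of what is documented", and the cross-check against mysql_character_set_name() is a sensible substitute, but the surrounding guard `#if MYSQL_VERSION_ID >= 41000` admits 4.1 client libraries, where mysql_set_character_set() is not necessarily available (the function is documented as added in 5.0.7), so confirm the minimum version the guard should require.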
@@ -236,6 +273,17 @@
mysql=0;
return (-1);
}
+
+DPRINTF("authmysqllib: connected. Versions: "
+"header %lu, "
+"client %lu, "
+"server %lu",
+(long)MYSQL_VERSION_ID,
+mysql_get_client_version(),
+mysql_get_server_version(mysql));
+ 
+set_session_options();
+
return (0);
 }
 
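Review bot: the DPRINTF casts MYSQL_VERSION_ID to (long) but prints it with %lu, while mysql_get_client_version() and mysql_get_server_version() return unsigned long; cast to (unsigned long) so all three arguments match the format. The set_session_options() call is correctly placed after the connection-failure return, but its outcome is not checked and do_connect() returns 0 unconditionally afterwards; if set_session_options() is made to report failure, propagate it here and tear the connection down the way the branch just above does (mysql=0 and return (-1)) instead of returning a connection with the wrong charset. The line `+ ` between the DPRINTF and the call also carries trailing whitespace.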
@@ -779,42 +827,6 @@
}
}
 
-/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
-#if MYSQL_VERSION_ID >= 41000
-   const char *character_set=read_env("MYSQL_CHARACTER_SET");
-
-if(character_set){
-
-   char *character_set_buf;
-   
-character_set_buf=malloc(strlen(character_set)+11);
-   
-   if (!character_set_buf)
-{
-   perror("malloc");
-   return (0);
-   }
-   
-   strcpy(character_set_buf, "SET NAMES ");
-   strcat(character_set_buf, character_set);
-   
-DPRINTF("Install of a character set for MySQL. SQL query: SET 
NAMES %s", character_set);   
-   
-if(mysql_query (mysql, character_set_buf))
-{
-err("Install of a character set for MySQL is failed: %s 
MYSQL_CHARACTER_SET: may be invalid character set", mysql_error(mysql));
-   auth_mysql_cleanup();
-   
-   if (do_connect())
-   {
-   free(character_set_buf);
-   return (0);
-   }
-}
-   
-   free(character_set_buf);
-}
-#endif 
 
DPRINTF("SQL query: %s", querybuf);
if (mysql_query (mysql, querybuf))
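Review bot: removing this per-query block is the right fix for the reported problem, because a SET NAMES issued through mysql_query() changes the server-side session charset but leaves the client library's own charset, the one mysql_real_escape_string() uses, untouched, and the removed code had defects of its own: on a mysql_query() failure it called auth_mysql_cleanup() and do_connect(), but after a successful reconnect it fell through to the main query without retrying SET NAMES, and on malloc() failure it returned 0 without any cleanup. What should be double-checked is that nothing else depended on the reconnect attempt that lived here, since the retained `if (mysql_query (mysql, querybuf))` path is now the only place a dropped connection surfaces for this query.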