Package: courier-authlib
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
It was announced that courier-authlib suffers from a sql injection
vulnerability with MySQL databases that use non-Latin character
sets.
For more information see this link[0]. There is also a follow-up here[1].
A CVE id is already requested and will be added to this bugreport, once
it is available.
The patch is attached, please review and consider including it.
Cheers
Steffen
[0]: http://marc.info/?l=courier-users&m=121293814822605&w=2
[1]: http://marc.info/?l=courier-users&m=121294465330832
--- courier-authlib-0.60.1.orig/authmysqllib.c
+++ courier-authlib-0.60.1/authmysqllib.c
@@ -110,6 +110,43 @@
static MYSQL *mysql=0;
+static void set_session_options(void)
+/*
+* session variables can be set once for the whole session
+*/
+{
+/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
+#if MYSQL_VERSION_ID >= 41000
+ const char *character_set=read_env("MYSQL_CHARACTER_SET"), *check;
+
+if(character_set){
+
+/*
+* This function works like the SET NAMES statement, but also sets
+* the value of mysql->charset, and thus affects the character set
+* used by mysql_real_escape_string()
+*
+* (return value apparently work the opposite of what is documented)
+*/
+mysql_set_character_set(mysql, character_set);
+check = mysql_character_set_name(mysql);
+if (strcmp(character_set, check) != 0)
+{
+err("Cannot set MySQL character set \"%s\", working with
\"%s\"\n",
+character_set, check);
+}
+else
+{
+DPRINTF("Install of a character set for MySQL: %s",
character_set);
+}
+}
+#endif /* 41000 */
+}
+
+
+
+
+
static int do_connect()
{
const char *server;
@@ -236,6 +273,17 @@
mysql=0;
return (-1);
}
+
+DPRINTF("authmysqllib: connected. Versions: "
+"header %lu, "
+"client %lu, "
+"server %lu",
+(long)MYSQL_VERSION_ID,
+mysql_get_client_version(),
+mysql_get_server_version(mysql));
+
+set_session_options();
+
return (0);
}
@@ -779,42 +827,6 @@
}
}
-/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
-#if MYSQL_VERSION_ID >= 41000
- const char *character_set=read_env("MYSQL_CHARACTER_SET");
-
-if(character_set){
-
- char *character_set_buf;
-
-character_set_buf=malloc(strlen(character_set)+11);
-
- if (!character_set_buf)
-{
- perror("malloc");
- return (0);
- }
-
- strcpy(character_set_buf, "SET NAMES ");
- strcat(character_set_buf, character_set);
-
-DPRINTF("Install of a character set for MySQL. SQL query: SET
NAMES %s", character_set);
-
-if(mysql_query (mysql, character_set_buf))
-{
-err("Install of a character set for MySQL is failed: %s
MYSQL_CHARACTER_SET: may be invalid character set", mysql_error(mysql));
- auth_mysql_cleanup();
-
- if (do_connect())
- {
- free(character_set_buf);
- return (0);
- }
-}
-
- free(character_set_buf);
-}
-#endif
DPRINTF("SQL query: %s", querybuf);
if (mysql_query (mysql, querybuf))