Your message dated Mon, 09 Jun 2008 16:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#485424: fixed in courier-authlib 0.60.1-2.1
has caused the Debian Bug report #485424,
regarding courier-authlib: possible sql injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
485424: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485424
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: courier-authlib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It was announced that courier-authlib suffers from a SQL injection
vulnerability with MySQL databases that use non-Latin character sets.
For more information see this link[0]. There is also a follow-up here[1].
A CVE ID is already requested and will be added to this bug report once
it is available.

The patch is attached, please review and consider including it.

Cheers
Steffen

[0]: http://marc.info/?l=courier-users&m=121293814822605&w=2

[1]: http://marc.info/?l=courier-users&m=121294465330832
--- courier-authlib-0.60.1.orig/authmysqllib.c
+++ courier-authlib-0.60.1/authmysqllib.c
@@ -110,6 +110,43 @@
 
 static MYSQL *mysql=0;
 
+static void set_session_options(void)
+/*
+* session variables can be set once for the whole session
+*/
+{
+/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
+#if MYSQL_VERSION_ID >= 41000
+       const char *character_set=read_env("MYSQL_CHARACTER_SET"), *check;
+
+        if(character_set){
+
+            /*
+            * This function works like the SET NAMES statement, but also sets
+            * the value of mysql->charset, and thus affects the character set
+            * used by mysql_real_escape_string()
+            *
+            * (return value apparently work the opposite of what is documented)
+            */
+            mysql_set_character_set(mysql, character_set);
+            check = mysql_character_set_name(mysql);
+            if (strcmp(character_set, check) != 0)
+            {
+                err("Cannot set MySQL character set \"%s\", working with 
\"%s\"\n",
+                    character_set, check);
+            }
+            else
+            {
+                DPRINTF("Install of a character set for MySQL: %s", 
character_set);
+            }
+        }
+#endif /* 41000 */
+}
+
+
+
+
+
 static int do_connect()
 {
 const  char *server;
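Review bot: set_session_options() returns void and ignores the result of mysql_set_character_set(), so when the strcmp() check fails the code only logs "Cannot set MySQL character set" and the caller carries on with a character set the administrator did not ask for. Consider returning int and letting do_connect() fail when the name reported by mysql_character_set_name() differs from MYSQL_CHARACTER_SET. The comment "(return value apparently work the opposite of what is documented)" should either be confirmed and spelled out or replaced by an actual check of the return value. The err() and DPRINTF() string literals are split across two lines in this copy of the patch, and the run of blank '+' lines before do_connect() can be reduced to one.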
@@ -236,6 +273,17 @@
                mysql=0;
                return (-1);
        }
+
+        DPRINTF("authmysqllib: connected. Versions: "
+                "header %lu, "
+                "client %lu, "
+                "server %lu",
+                (long)MYSQL_VERSION_ID,
+                mysql_get_client_version(),
+                mysql_get_server_version(mysql));
+ 
+        set_session_options();
+
        return (0);
 }
 
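Review bot: the first DPRINTF argument is cast with (long)MYSQL_VERSION_ID but printed with %lu; cast it to (unsigned long) to match the format. set_session_options() is called here with no result to test, so do_connect() reaches return (0) even when the requested character set was not applied; if that function is changed to report failure, check it here before returning. The added line that consists of '+' and a single space carries trailing whitespace.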
@@ -779,42 +827,6 @@
                }
        }
 
-/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
-#if MYSQL_VERSION_ID >= 41000    
-       const char *character_set=read_env("MYSQL_CHARACTER_SET");
-    
-        if(character_set){
-            
-           char *character_set_buf;
-               
-            character_set_buf=malloc(strlen(character_set)+11);
-                       
-           if (!character_set_buf)
-            {
-               perror("malloc");
-               return (0);
-           }
-                                                   
-           strcpy(character_set_buf, "SET NAMES ");
-           strcat(character_set_buf, character_set);
-                                                               
-            DPRINTF("Install of a character set for MySQL. SQL query: SET 
NAMES %s", character_set);   
-                                                                       
-            if(mysql_query (mysql, character_set_buf))
-            {    
-                err("Install of a character set for MySQL is failed: %s 
MYSQL_CHARACTER_SET: may be invalid character set", mysql_error(mysql));
-               auth_mysql_cleanup();
-                           
-               if (do_connect())
-               {
-                   free(character_set_buf);
-                   return (0);
-               }
-            }
-           
-           free(character_set_buf);
-        }
-#endif 
 
        DPRINTF("SQL query: %s", querybuf);
        if (mysql_query (mysql, querybuf))
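Review bot: with the per-query SET NAMES block removed here, nothing at this call site records why it must not come back; add a short comment above the DPRINTF("SQL query: %s", querybuf) line, or in set_session_options(), stating that the character set is set once at connect time through mysql_set_character_set() so that mysql_real_escape_string() works with the same character set. The removed code also reacted to a failed charset change by calling auth_mysql_cleanup() and do_connect(), returning 0 if the reconnect failed, while the replacement only logs; if that change in failure behaviour is intended, it deserves a line in the changelog.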

--- End Message ---
--- Begin Message ---
Source: courier-authlib
Source-Version: 0.60.1-2.1

We believe that the bug you reported is fixed in the latest version of
courier-authlib, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authdaemon_0.60.1-2.1_i386.deb
courier-authlib-dev_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib-dev_0.60.1-2.1_i386.deb
courier-authlib-ldap_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib-ldap_0.60.1-2.1_i386.deb
courier-authlib-mysql_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib-mysql_0.60.1-2.1_i386.deb
courier-authlib-pipe_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib-pipe_0.60.1-2.1_i386.deb
courier-authlib-postgresql_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib-postgresql_0.60.1-2.1_i386.deb
courier-authlib-userdb_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib-userdb_0.60.1-2.1_i386.deb
courier-authlib_0.60.1-2.1.diff.gz
  to pool/main/c/courier-authlib/courier-authlib_0.60.1-2.1.diff.gz
courier-authlib_0.60.1-2.1.dsc
  to pool/main/c/courier-authlib/courier-authlib_0.60.1-2.1.dsc
courier-authlib_0.60.1-2.1_i386.deb
  to pool/main/c/courier-authlib/courier-authlib_0.60.1-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <[EMAIL PROTECTED]> (supplier of updated courier-authlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.8
Date: Mon, 09 Jun 2008 15:29:23 +0000
Source: courier-authlib
Binary: courier-authlib courier-authdaemon courier-authlib-dev courier-authlib-userdb courier-authlib-mysql courier-authlib-postgresql courier-authlib-ldap courier-authlib-pipe
Architecture: source i386
Version: 0.60.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Changed-By: Steffen Joeris <[EMAIL PROTECTED]>
Description: 
 courier-authdaemon - Courier authentication daemon
 courier-authlib - Courier authentication library
 courier-authlib-dev - Development libraries for the Courier authentication library
 courier-authlib-ldap - LDAP support for the Courier authentication library
 courier-authlib-mysql - MySQL support for the Courier authentication library
 courier-authlib-pipe - External authentication support for the Courier authentication li
 courier-authlib-postgresql - PostgreSQL support for the Courier authentication library
 courier-authlib-userdb - userdb support for the Courier authentication library
Closes: 485424
Changes: 
 courier-authlib (0.60.1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix sql injection vulnerability by changing to use
     mysql_set_character_set instead of SET NAMES
     (Change was introduced by upstream in 0.60.6)
     (Closes: #485424)
--- End Message ---
