!27 [sync] PR-24: 【openEuler-22.03-LTS-Next】Fix CVE-2022-24407

From: @openeuler-sync-bot 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch

@@ -0,0 +1,82 @@
+From 9eff746c9daecbcc0041b09a5a51ba30738cdcbc Mon Sep 17 00:00:00 2001
+From: Klaus Espenlaub <klaus@espenlaub.com>
+Date: Tue, 8 Feb 2022 20:34:40 +0000
+Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
+ commands.
+
+Signed-off-by: Klaus Espenlaub <klaus@espenlaub.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 31b54a7..6ac81c2 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1151,6 +1151,7 @@ static int sql_auxprop_store(void *glob_context,
+     char *statement = NULL;
+     char *escap_userid = NULL;
+     char *escap_realm = NULL;
++    char *escap_passwd = NULL;
+     const char *cmd;
+     
+     sql_settings_t *settings;
+@@ -1222,6 +1223,11 @@ static int sql_auxprop_store(void *glob_context,
+ 			    "Unable to begin transaction\n");
+     }
+     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++	/* Free the buffer, current content is from previous loop. */
++	if (escap_passwd) {
++	    sparams->utils->free(escap_passwd);
++	    escap_passwd = NULL;
++	}
+ 
+ 	if (cur->name[0] == '*') {
+ 	    continue;
+@@ -1243,19 +1249,32 @@ static int sql_auxprop_store(void *glob_context,
+ 	}
+ 	sparams->utils->free(statement);
+ 
++	if (cur->values[0]) {
++	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++	    if (!escap_passwd) {
++		ret = SASL_NOMEM;
++		break;
++	    }
++	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++	}
++
+ 	/* create a statement that we will use */
+ 	statement = sql_create_statement(cmd, cur->name, escap_userid,
+ 					 escap_realm,
+-					 cur->values && cur->values[0] ?
+-					 cur->values[0] : SQL_NULL_VALUE,
++					 escap_passwd ?
++					 escap_passwd : SQL_NULL_VALUE,
+ 					 sparams->utils);
++	if (!statement) {
++	    ret = SASL_NOMEM;
++	    break;
++	}
+ 	
+ 	{
+ 	    char *log_statement =
+ 		sql_create_statement(cmd, cur->name,
+ 				     escap_userid,
+ 				     escap_realm,
+-				     cur->values && cur->values[0] ?
++				     escap_passwd ?
+ 				     "<omitted>" : SQL_NULL_VALUE,
+ 				     sparams->utils);
+ 	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1288,6 +1307,7 @@ static int sql_auxprop_store(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
++    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+-- 
+1.8.3.1
+

cyrus-sasl.spec

@@ -6,7 +6,7 @@
 
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 12
+Release: 13
 Summary: The Cyrus SASL API Implementation
 
 License: BSD with advertising
@@ -18,6 +18,7 @@ Source2: saslauthd.sysconfig
 Patch0: 0003-Prevent-double-free-of-RC4-context.patch
 Patch1: fix-CVE-2019-19906.patch
 Patch2: backport-db_gdbm-fix-gdbm_errno-overlay-from-gdbm_close.patch
+Patch3: backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
 
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
 BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
@@ -260,6 +261,9 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 
 
 %changelog
+* Thu Feb 24 2022 yixiangzhike <yixiangzhike007@163.com> - 2.1.27-13
+- fix CVE-2022-24407
+
 * Thu Aug 26 2021 panxiaohe <panxiaohe@huawei.com> - 2.1.27-12
 - remove with-bdb=db from configure