Bug#: 225407
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Hanno Boeck <hanno@gentoo.org>

Attachments:
Filename             Description  Type        Creator               Created                Size
20080609-082651.log  build.log    text/plain  Christian Faulhammer  2008-06-09 10:07 0000  235.52 KB



Description:   Opened: 2008-06-08 17:46 0000
courier-authlib suffers from an SQL injection.

I've just added 0.60.6, archs please stabilize.

------- Comment #1 From Christian Hoffmann 2008-06-08 18:21:48 0000 -------
Are there any details? I can't find anything at their official changelog, nor
any entries at bugtraq/securityfocus.

Fixing whiteboard (brackets) and setting Severity to "major" (B1). Not sure if
it is really B1 as SQL injections don't directly lead to arbitrary remote code
execution, but I don't know any details, so I'll just shut up. ;)

------- Comment #2 From Yury German 2008-06-09 04:27:14 0000 -------
Here is the only thing I found; the claim is that the code works, although if you
are not using mysql for auth then the exploit should not work, based on this.

http://www.nabble.com/courier-authlib-0.60.6-released-td17720739.html

There is some example code available on another page:
http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg31362.html

------- Comment #3 From Christian Faulhammer 2008-06-09 10:07:13 0000 -------
Created an attachment (id=156053)
build.log

With all USE flags disabled, it fails.  No regression.

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.24-gentoo-r8 i686)
=================================================================
System uname: 2.6.24-gentoo-r8 i686 AMD Athlon(tm) X2 Dual Core Processor
BE-2400
Timestamp of tree: Mon, 09 Jun 2008 07:35:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config
/usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown
/usr/share/config /var/lib/hsqldb /var/spool/torque /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo
/etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms
strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acl acpi aiglx alsa apache2 apm applet artworkextra
asf audiofile avahi bash-completion beagle berkdb bidi bogofilter bootsplash
branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli console cracklib crypt
css cups curl custom-cflags dbus dga directfb divx4linux dri dts dvd dvdr
dvdread dvi eds emacs emboss encode esd evince evo exif fam fat fbcon fdftk
ffmpeg firefox flac foomaticdb fortran ftp gb gcj gdbm gif glitz gnome gpm gsf
gstreamer gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imap imlib
immqt-bc isdnlog java javascript jpeg jpeg2k kde ldap libnotify lirc lm_sensors
mad maildir matroska mbox mdnsresponder-compat midi mikmod mime mmx mmxext mng
mono mp3 mpeg mpeg2 mudflap mule mysql nautilus ncurses nforce2 nls nocardbus
nptl nptlonly nsplugin nvidia objc objc++ objc-gc offensive ogg opengl openmp
pam pango pcre pdf perl php plotutils pmu png ppds pppd prediction
preview-latex print python qt3 qt3support qt4 quicktime readline reflection
samba sdk session slang spell spl sse ssl svg svga t1lib tcl tcpd tetex theora
threads thumbnailing tiff tk toolkit-scroll-bars totem tracker truetype
truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis
win32codecs wmf wxwindows x86 xface xft xine xml xorg xosd xpm xv xvid zlib"
ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" APACHE2_MODULES="actions alias
auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache
dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache
filter headers include info log_config logio mem_cache mime mime_magic
negotiation rewrite setenvif speling status unique_id userdir usertrack
vhost_alias" CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="mouse keyboard"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" USERLAND="GNU"
VIDEO_CARDS="vesa fbdev fglrx"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #4 From Jeroen Roovers 2008-06-10 08:10:06 0000 -------
[ebuild   R   ] net-libs/courier-authlib-0.60.6  USE="berkdb crypt gdbm ldap
mysql pam postgres -debug -vpopmail" 0 kB

Stable for HPPA:
  =net-libs/courier-authlib-0.60.6

------- Comment #5 From Brent Baude 2008-06-10 14:21:25 0000 -------
ppc64 done

------- Comment #6 From Raúl Porcel 2008-06-10 19:07:58 0000 -------
Same on alpha/ia64/sparc, but I think it's because with USE="-*" it still tries
to run the testsuite for bdb.

------- Comment #7 From Tobias Scherbaum 2008-06-10 19:17:07 0000 -------
ppc stable

------- Comment #8 From Raúl Porcel 2008-06-11 11:24:51 0000 -------
alpha/ia64/sparc stable

------- Comment #9 From Christian Faulhammer 2008-06-13 06:43:54 0000 -------
(In reply to comment #6)
> same on alpha/ia64/sparc, but i think its because with USE="-*" it still tries
> to run the testsuite for bdb.

net-mail could you please disable said tests?

------- Comment #10 From Christian Faulhammer 2008-06-17 20:27:40 0000 -------
x86 stable, I restricted tests when USE=berkdb is not set...simplest solution

------- Comment #11 From Hanno Boeck 2008-06-18 11:45:52 0000 -------
> I restricted tests when USE=berkdb is not set...simplest solution

No, bare nonsense. It fails in the compile phase, not in the test phase. Please
test such changes before committing them.

Reverting, I'm in contact with flameeyes to resolve the issue.

------- Comment #12 From Markus Meier 2008-06-22 11:28:18 0000 -------
amd64 stable

------- Comment #13 From Chris Gianelloni (RETIRED) 2008-08-01 17:49:20 0000 -------
2008.0 is out, so no need to keep release on the CC list.

------- Comment #14 From Raphael Marichez 2008-08-05 15:28:23 0000 -------
Time to vote. If I understand well, it's a pre-auth SQL injection. So I vote
Yes.

------- Comment #15 From Pierre-Yves Rofes 2008-08-11 18:55:09 0000 -------
Yes too, request filed.

------- Comment #16 From Pierre-Yves Rofes 2008-09-05 21:01:44 0000 -------
GLSA 200809-05.
