
Bug 225407 (CVE-2008-2667)

Summary: net-libs/courier-authlib < 0.60.6: MySQL Non-Latin SQL injection (CVE-2008-2667)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: nelchael, wolf31o2
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://marc.info/?l=courier-users&m=121294465330832&w=2
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments: build.log (flags: none)

Description Hanno Böck gentoo-dev 2008-06-08 17:46:39 UTC
courier-authlib suffers from an sql injection.

I've just added 0.60.6, archs please stabilize.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-08 18:21:48 UTC
Are there any details? I can't find anything at their official changelog, nor any entries at bugtraq/securityfocus.

Fixing whiteboard (brackets) and setting Severity to "major" (B1). Not sure if it is really B1 as SQL injections don't directly lead to arbitrary remote code execution, but I don't know any details, so I'll just shut up. ;)
Comment 2 Yury German 2008-06-09 04:27:14 UTC
Here is the only thing I found; the claim is that the code works, although if you are not using MySQL for auth then the exploit should not work, based on this.

http://www.nabble.com/courier-authlib-0.60.6-released-td17720739.html

There is some example code available on another page:
http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg31362.html
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-09 10:07:13 UTC
Created attachment 156053 [details]
build.log

With all USE flags disabled, it fails.  No regression.

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 i686)
=================================================================
System uname: 2.6.24-gentoo-r8 i686 AMD Athlon(tm) X2 Dual Core Processor BE-2400
Timestamp of tree: Mon, 09 Jun 2008 07:35:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb /var/spool/torque /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acl acpi aiglx alsa apache2 apm applet artworkextra asf audiofile avahi bash-completion beagle berkdb bidi bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli console cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evince evo exif fam fat fbcon fdftk ffmpeg firefox flac foomaticdb fortran ftp gb gcj gdbm gif glitz gnome gpm gsf gstreamer gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imap imlib immqt-bc isdnlog java javascript jpeg jpeg2k kde ldap libnotify lirc lm_sensors mad maildir matroska mbox mdnsresponder-compat midi mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mudflap mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc objc++ objc-gc offensive ogg opengl openmp pam pango pcre pdf perl php plotutils pmu png ppds pppd prediction preview-latex print python qt3 qt3support qt4 quicktime readline reflection samba sdk session slang spell spl sse ssl svg svga t1lib tcl tcpd tetex theora threads thumbnailing tiff tk toolkit-scroll-bars totem tracker truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x86 xface xft xine xml xorg xosd xpm xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" 
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" USERLAND="GNU" VIDEO_CARDS="vesa fbdev fglrx"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-10 08:10:06 UTC
[ebuild   R   ] net-libs/courier-authlib-0.60.6  USE="berkdb crypt gdbm ldap mysql pam postgres -debug -vpopmail" 0 kB

Stable for HPPA:
  =net-libs/courier-authlib-0.60.6
Comment 5 Brent Baude (RETIRED) gentoo-dev 2008-06-10 14:21:25 UTC
ppc64 done
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-06-10 19:07:58 UTC
Same on alpha/ia64/sparc, but I think it's because with USE="-*" it still tries to run the testsuite for bdb.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-10 19:17:07 UTC
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-06-11 11:24:51 UTC
alpha/ia64/sparc stable
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-13 06:43:54 UTC
(In reply to comment #6)
> same on alpha/ia64/sparc, but i think its because with USE="-*" it still tries
> to run the testsuite for bdb.

net-mail could you please disable said tests?
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-17 20:27:40 UTC
x86 stable. I restricted tests when USE=berkdb is not set... simplest solution.
Comment 11 Hanno Böck gentoo-dev 2008-06-18 11:45:52 UTC
> I restricted tests when USE=berkdb is not set...simplest solution

No, bare nonsense. It fails in the compile phase, not in the test phase. Please test such changes before committing them.

Reverting, I'm in contact with flameeyes to resolve the issue.
Comment 12 Markus Meier gentoo-dev 2008-06-22 11:28:18 UTC
amd64 stable
Comment 13 Chris Gianelloni (RETIRED) gentoo-dev 2008-08-01 17:49:20 UTC
2008.0 is out, so no need to keep release on the CC list.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 15:28:23 UTC
Time to vote. If I understand well, it's a pre-auth SQL injection. So I vote Yes.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-11 18:55:09 UTC
Yes too, request filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-05 21:01:44 UTC
GLSA 200809-05.