Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 252576 (CVE-2008-2380) - net-libs/courier-authlib <0.62.0: SQL-Injection vulnerability (CVE-2008-2380)
Summary: net-libs/courier-authlib <0.62.0: SQL-Injection vulnerability (CVE-2008-2380)
Status: RESOLVED FIXED
Alias: CVE-2008-2380
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.courier-mta.org/authlib/ch...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-26 09:36 UTC by Matti Bickel (RETIRED)
Modified: 2009-03-11 19:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
courier-authlib-0.62.2 build log (net-libs:courier-authlib-0.62.2:20090223-162200.log,150.68 KB, text/plain)
2009-02-23 17:39 UTC, Steffen 'j0inty' Stollfuß
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matti Bickel (RETIRED) gentoo-dev 2008-12-26 09:36:13 UTC
From the changelog:

0.62.0

2008-12-17  Sam Varshavchik  <mrsam@courier-mta.com>

	* authpgsqllib.c: Use PQescapeStringConn() instead of removing all
	apostrophes from query parameters. This fixes a potential SQL injection
	vulnerability if the Postgres database uses a non-Latin locale.
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2008-12-26 09:39:09 UTC
mail herd, can you provide an updated ebuild, please?
Comment 2 Hanno Böck gentoo-dev 2009-02-22 16:35:34 UTC
bumped
Comment 3 Matti Bickel (RETIRED) gentoo-dev 2009-02-22 17:07:04 UTC
Thanks to me slacking, we're overdue on the issue.
Arches, requesting stable keywords for 
=net-libs/courier-authlib-0.62.2: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 4 Tobias Klausmann gentoo-dev 2009-02-23 12:11:05 UTC
Stable on alpha.
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2009-02-23 14:04:21 UTC
Sparc stable for courier-authlib-0.62.2.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-02-23 16:54:18 UTC
ppc64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-23 16:56:16 UTC
Stable for HPPA.
Comment 8 Steffen 'j0inty' Stollfuß 2009-02-23 17:38:46 UTC
Hi,

I ran into trouble while compiling the courier-authlib-0.62.2 on amd64.

/bin/sh ./libtool --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc  -march=k8-sse3 -O2 -pipe -fforce-addr -Wall -I.. -I./..  -Wl,-O1 -o libuse
rdb.la  userdb.lo userdb2.lo userdbmkpw.lo
/var/tmp/portage/net-libs/courier-authlib-0.62.2/work/courier-authlib-0.62.2/userdb/libtool: line 190: libtool: link: not configured to buil
d any kind of library: command not found
/var/tmp/portage/net-libs/courier-authlib-0.62.2/work/courier-authlib-0.62.2/userdb/libtool: line 190: libtool: link: See the  documentation
 for more information.: command not found
/var/tmp/portage/net-libs/courier-authlib-0.62.2/work/courier-authlib-0.62.2/userdb/libtool: line 190: libtool: link: Fatal configuration er
ror.: command not found
make[3]: *** [libuserdb.la] Fehler 127
make[3]: *** Warte auf noch nicht beendete Prozesse...


I will attach the build log and the emerge --info, too.



bier vhosts.d # emerge --info
Portage 2.1.6.7 (hardened/linux/amd64/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.28-hardened x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-glibc2.2.5
Timestamp of tree: Mon, 23 Feb 2009 15:45:02 +0000
app-shells/bash:     3.2_p48-r1
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python:     2.4.4-r6, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r6
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.4.3-r1
sys-apps/sandbox:    1.3.8
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.10.2
sys-devel/binutils:  2.19.1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.28-r1
ABI="amd64"
ACCEPT_KEYWORDS="amd64 ~amd64"
ALSA_CARDS="hda_intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
APACHE2_MPMS="prefork"
ARCH="amd64"
ASFLAGS_x86="--32"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CDEFINE_amd64="__x86_64__"
CDEFINE_x86="__i386__"
CFLAGS="-march=k8-sse3 -O2 -pipe -fforce-addr"
CFLAGS_x86="-m32"
CHOST="x86_64-pc-linux-gnu"
CHOST_amd64="x86_64-pc-linux-gnu"
CHOST_x86="i686-pc-linux-gnu"
CLASSPATH="."
CLEAN_DELAY="5"
COLLISION_IGNORE="/lib/modules"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CVS_RSH="ssh"
CXXFLAGS="-march=k8-sse3 -O2 -pipe -fforce-addr"
DEFAULT_ABI="amd64"
DISTDIR="/datapool/portage/distfiles"
EDITOR="/bin/nano"
ELIBC="glibc"
EMERGE_DEFAULT_OPTS="--ask --verbose --nospinner"
EMERGE_WARNING_DELAY="10"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
GAMES_DATADIR="/datapool/games"
GAMES_DATADIR_BASE="/datapool"
GAMES_PREFIX_OPT="/datapool/games"
GCC_SPECS=""
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo/ ftp://ftp.tu-clausthal.de/pub/gentoo/"
HOME="/root"
INFOPATH="/usr/share/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.19.1/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.3.3/info"
INPUT_DEVICES="keyboard mouse evdev"
JAVAC="/bin/javac"
JDK_HOME=""
KERNEL="linux"
LANG="de_DE.UTF-8"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LC_ADDRESS="de_DE.UTF-8"
LC_ALL="de_DE.UTF-8"
LC_COLLATE="de_DE.UTF-8"
LC_CTYPE="de_DE.UTF-8"
LC_IDENTIFICATION="de_DE.UTF-8"
LC_MEASUREMENT="de_DE.UTF-8"
LC_MESSAGES="de_DE.UTF-8"
LC_MONETARY="de_DE.UTF-8"
LC_NAME="de_DE.UTF-8"
LC_NUMERIC="de_DE.UTF-8"
LC_PAPER="de_DE.UTF-8"
LC_TELEPHONE="de_DE.UTF-8"
LC_TIME="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LDFLAGS_x86="-m elf_i386"
LESS="-R -M --shift 5"
LESSCHARSET="UTF-8"
LESSOPEN="|lesspipe.sh %s"
LIBDIR_amd64="lib64"
LIBDIR_ppc="lib32"
LIBDIR_ppc64="lib64"
LIBDIR_sparc32="lib32"
LIBDIR_sparc64="lib64"
LIBDIR_x86="lib32"
LINGUAS="de en_GB"
LOGNAME="root"
LS_COLORS="rs=0:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:"
MAKEOPTS="-j4"
MANPATH="/man:/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.19.1/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.3.3/man:/etc/java-config/system-vm/man/:/usr/lib64/php5/man/:/usr/share/postgresql-8.3/man"
MULTILIB_ABIS="amd64 x86"
MULTILIB_STRICT_DENY="64-bit.*shared object"
MULTILIB_STRICT_DIRS="/lib32 /lib /usr/lib32 /usr/lib /usr/kde/*/lib32 /usr/kde/*/lib /usr/qt/*/lib32 /usr/qt/*/lib /usr/X11R6/lib32 /usr/X11R6/lib"
MULTILIB_STRICT_EXEMPT="(perl5|gcc|gcc-lib|binutils|eclipse-3|debug|portage)"
NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml"
ORACLE_HOME="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server"
ORACLE_SID="XE"
PAGER="/usr/bin/less"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.3"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="ppc s390 amd64 x86 ppc64 x86-fbsd m68k arm sparc sh mips ia64 alpha hppa sparc-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib64/portage/bin"
PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png"
PORTAGE_CONFIGROOT="/"
PORTAGE_COUNTER_HASH="b6aa543ad34e8ec36cae5f41e8ee8ed6"
PORTAGE_DEBUG="0"
PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"
PORTAGE_ELOG_CLASSES="log warn error"
PORTAGE_ELOG_MAILFROM="portage@localhost"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_ELOG_SYSTEM="save"
PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5"
PORTAGE_FETCH_RESUME_MIN_SIZE="350K"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_PYM_PATH="/usr/lib64/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_TMPFS="/dev/shm"
PORTAGE_VERBOSE="1"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/webapps-experimental /usr/local/portage/overlay"
PORT_LOGDIR="/datapool/portage/logs"
PROFILE_ONLY_VARIABLES="ARCH ELIBC KERNEL USERLAND"
PWD="/etc/apache2/vhosts.d"
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
ROOT="/"
ROOTPATH="/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.3"
RPMDIR="/usr/portage/rpm"
SHELL="/bin/bash"
SHLVL="2"
STAGE1_USE="hardened multilib nptl nptlonly pic"
STY="517.pts-1.bier"
SUPPORT_ALSA="1"
SYMLINK_LIB="yes"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
TERM="screen"
TERMCAP="SC|screen|VT 100/ANSI X3.64 virtual terminal:\
        :DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:bs:bt=\E[Z:\
        :cd=\E[J:ce=\E[K:cl=\E[H\E[J:cm=\E[%i%d;%dH:ct=\E[3g:\
        :do=^J:nd=\E[C:pt:rc=\E8:rs=\Ec:sc=\E7:st=\EH:up=\EM:\
        :le=^H:bl=^G:cr=^M:it#8:ho=\E[H:nw=\EE:ta=^I:is=\E)0:\
        :li#59:co#120:am:xn:xv:LP:sr=\EM:al=\E[L:AL=\E[%dL:\
        :cs=\E[%i%d;%dr:dl=\E[M:DL=\E[%dM:dc=\E[P:DC=\E[%dP:\
        :im=\E[4h:ei=\E[4l:mi:IC=\E[%d@:ks=\E[?1h\E=:\
        :ke=\E[?1l\E>:vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l:\
        :ti=\E[?1049h:te=\E[?1049l:us=\E[4m:ue=\E[24m:so=\E[3m:\
        :se=\E[23m:mb=\E[5m:md=\E[1m:mr=\E[7m:me=\E[m:ms:\
        :Co#8:pa#64:AF=\E[3%dm:AB=\E[4%dm:op=\E[39;49m:AX:\
        :vb=\Eg:G0:as=\E(0:ae=\E(B:\
        :ac=\140\140aaffggjjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~..--++,,hhII00:\
        :po=\E[5i:pf=\E[4i:Z0=\E[?3h:Z1=\E[?3l:k0=\E[10~:\
        :k1=\EOP:k2=\EOQ:k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:\
        :k7=\E[18~:k8=\E[19~:k9=\E[20~:k;=\E[21~:F1=\E[23~:\
        :F2=\E[24~:F3=\E[1;2P:F4=\E[1;2Q:F5=\E[1;2R:F6=\E[1;2S:\
        :F7=\E[15;2~:F8=\E[17;2~:F9=\E[18;2~:FA=\E[19;2~:kb=^H:\
        :K2=\EOE:kB=\E[Z:kF=\E[1;2B:kR=\E[1;2A:*4=\E[3;2~:\
        :*7=\E[1;2F:#2=\E[1;2H:#3=\E[2;2~:#4=\E[1;2D:%c=\E[6;2~:\
        :%e=\E[5;2~:%i=\E[1;2C:kh=\E[1~:@1=\E[1~:kH=\E[4~:\
        :@7=\E[4~:kN=\E[6~:kP=\E[5~:kI=\E[2~:kD=\E[3~:ku=\EOA:\
        :kd=\EOB:kr=\EOC:kl=\EOD:km:"
TNS_ADMIN="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/admin/"
USE="3dnow 3dnowext X509 aac acl acpi alsa amd64 apache2 bash-completion berkdb bzip2 cli cracklib crypt ctype curl cvs dedicated dri encode ext2 ext3 ffmpeg flac gdbm git gnutls gpm hardened icecast iconv iproute2 isdnlog java jpeg jpeg2k justify kerberos libedit logrotate loop-aes lzo mercurial midi mmx mp3 mp4 mssql mudflap multilib mysql mysqli ncurses nfs nls nptl nptlonly ogg openmp pam pcre perforce perl php pic png postgres pppd python readline reflection reiserfs samba sasl session speex spl sqlite sse sse2 sse3 ssl subversion sysfs tcpd theora tiff tls unicode urandom usb vhosts vim-syntax vorbis webdav x264 xinetd xml xorg xpm xsl xvid zip zlib" ALSA_CARDS="hda_intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en_GB" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
USER="root"
USERLAND="GNU"
USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS APACHE2_MODULES APACHE2_MPMS CAMERAS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARDS FOO2ZJS_DEVICES FRITZCAPI_CARDS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISDN_CARDS NETBEANS_MODULES USERLAND VIDEO_CARDS"
USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults:pkginternal:env.d"
VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
WINDOW="0"
_="/usr/bin/emerge"
Comment 9 Steffen 'j0inty' Stollfuß 2009-02-23 17:39:34 UTC
Created attachment 182916 [details]
courier-authlib-0.62.2 build log
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-02-25 14:28:22 UTC
(In reply to comment #8)
> Hi,
> 
> I ran into trouble while compiling the courier-authlib-0.62.2 on amd64.

bug 225867

arm/ia64/s390/sh/x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-25 16:12:49 UTC
ppc stable
Comment 12 Markus Meier gentoo-dev 2009-02-25 18:38:14 UTC
armin76 failes...
Comment 13 Markus Meier gentoo-dev 2009-02-25 20:33:40 UTC
amd64 stable, all arches done.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:21:21 UTC
Ready for vote, I vote YES.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-07 18:34:20 UTC
YES, too. Request filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-11 19:36:41 UTC
GLSA 200903-25