Debian Bug report logs - #308031
mailutils: sql injection vulnerability in sql authentication module


Package: mailutils; Maintainer for mailutils is Jordi Mallach <jordi@debian.org>; Source for mailutils is src:mailutils.

Reported by: Primoz Bratanic <primoz@slo-tech.com>

Date: Sat, 7 May 2005 13:03:06 UTC

Severity: grave

Tags: patch, sarge, security, sid

Fixed in version mailutils/1:0.6.1-2

Done: Jordi Mallach <jordi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, primoz@slo-tech.com, Jordi Mallach <jordi@debian.org>:
Bug#308031; Package mailutils.


Acknowledgement sent to Primoz Bratanic <primoz@slo-tech.com>:
New Bug report received and forwarded. Copy sent to primoz@slo-tech.com, Jordi Mallach <jordi@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Primoz Bratanic <primoz@slo-tech.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mailutils: sql injection vulnerability in sql authentication module
Date: Sat, 07 May 2005 14:56:21 +0200
Package: mailutils
Severity: grave
Tags: security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


In /auth/sql.c there is a function sql_escape_string (...) which does
escaping of "bad" characters before feeding them to DB. The problem is that
function only escapes characters ' and " (strchr ("'\"", *p)), but not \ .
Which results in problems like ... username = foo\' something being
"escaped" to username = foo \\' something which makes \ character literal
but allows escape and subsequent injection.

Solution: add \ to list of characters to be escaped.

Primoz Bratanic 


- -- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCfLr1HOuqnSwJthERAtZ7AJ4smJo9XKnoerYg0kpbhE/m6hig/QCg7TMl
5QeXbrluYR7K/r0bS4+zYnk=
=RcZc
-----END PGP SIGNATURE-----
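
The escaping gap described in this report, as an added example (not mailutils code and not part of the original message): a two-pass escaper parameterised by its character set, and a checker that reads the result the way a backslash-escaping lexer reads a quoted literal. The names `escape_with_set`, `first_literal_break`, `OLD_SET` and `NEW_SET` are hypothetical, and the enclosing single quote is an assumption about the query text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OLD_SET "'\""     /* escaped before the fix: ' and " */
#define NEW_SET "'\"\\"   /* escaped after the fix: ' " and \ */

/* Prefix each byte of `in` found in `set` with a backslash (count, then
   copy). Hypothetical helper, not the mailutils function. Caller frees. */
char *escape_with_set(const char *in, const char *set)
{
    size_t len = strlen(in);
    const char *p;
    char *out, *q;
    for (p = in; *p; p++)
        if (strchr(set, *p))
            len++;
    if (!(out = malloc(len + 1)))
        return NULL;
    for (p = in, q = out; *p; p++) {
        if (strchr(set, *p))
            *q++ = '\\';
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Read `s` as the body of a quoted literal where backslash escapes the next
   byte. Returns the offset of the first byte that ends the literal early (a
   bare quote, or a trailing backslash that would swallow the closing quote),
   or -1 if the whole value stays inside the literal. */
long first_literal_break(const char *s, char quote)
{
    size_t i;
    for (i = 0; s[i]; i++) {
        if (s[i] == quote || (s[i] == '\\' && !s[i + 1]))
            return (long) i;
        if (s[i] == '\\')
            i++;                      /* skip the escaped byte */
    }
    return -1;
}

int main(void)
{
    char *a = escape_with_set("foo\\' something", OLD_SET);  /* report's input */
    char *b = escape_with_set("foo\\' something", NEW_SET);
    if (!a || !b) return 1;
    printf("old set: %s -> break at %ld\n", a, first_literal_break(a, '\''));
    printf("new set: %s -> break at %ld\n", b, first_literal_break(b, '\''));
    free(a); free(b);
    return 0;
}
```

The checker also flags a value that ends in a lone backslash, which the old set leaves untouched.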



Information forwarded to debian-bugs-dist@lists.debian.org, primoz@slo-tech.com, Jordi Mallach <jordi@debian.org>:
Bug#308031; Package mailutils.


Acknowledgement sent to Primoz Bratanic <primoz@slo-tech.com>:
Extra info received and forwarded to list. Copy sent to primoz@slo-tech.com, Jordi Mallach <jordi@debian.org>.


Message #10 received at 308031@bugs.debian.org:

From: Primoz Bratanic <primoz@slo-tech.com>
To: Debian Bug Tracking System <308031@bugs.debian.org>
Subject: mailutils: woody is affected too
Date: Fri, 13 May 2005 04:17:21 +0200
Package: mailutils
Followup-For: Bug #308031

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Woody is affected too. Just check MySql/MySql.c (just that there is no
escaping ... )

- -- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFChA4xHOuqnSwJthERAhb7AJ97PcIJ67bBUjuQAoUtwhu9WM6MzgCgwiX4
W9PGqqHxXp0PVui+7SjABYs=
=R+Zi
-----END PGP SIGNATURE-----



Tags added: woody Request was from Primoz <primoz@slo-tech.com> to control@bugs.debian.org.


Tags added: sarge Request was from Primoz <primoz@slo-tech.com> to control@bugs.debian.org.


Tags added: sid Request was from Primoz <primoz@slo-tech.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Jordi Mallach <jordi@debian.org>:
Bug#308031; Package mailutils.


Acknowledgement sent to Russ Allbery <rra@stanford.edu>:
Extra info received and forwarded to list. Copy sent to Jordi Mallach <jordi@debian.org>.


Message #21 received at 308031@bugs.debian.org:

From: Russ Allbery <rra@stanford.edu>
To: 308031@bugs.debian.org
Subject: Re: Bug#308031: mailutils: sql injection vulnerability in sql authentication module
Date: Fri, 13 May 2005 19:22:27 -0700
tags 308031 patch
thanks

I'm not sure that this is a lot of help, as the fix really is as
straightforward as stated in the original report, but at least this is
another pair of eyes looking at it.  This fix looks good to me, and I've
confirmed that the package still builds, although I'm not in a position to
test this particular auth module.

Here's a patch for convenience.

--- auth/sql.c.orig	2005-03-08 14:24:11.000000000 -0800
+++ auth/sql.c	2005-05-13 19:12:38.000000000 -0700
@@ -74,7 +74,7 @@
   
   for (p = (const unsigned char *) ustr; *p; p++)
     {
-      if (strchr ("'\"", *p))
+      if (strchr ("'\"\\", *p))
 	len++;
     }
 
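Review bot: the escape set is a string literal in this counting loop's strchr call and is repeated verbatim in the copy loop of the next hunk, so the size computed in len is only right while the two literals stay identical; a later edit that changes one and not the other would let the copy loop write more bytes than were counted. Suggest defining the set once (for example a static const char array passed to both strchr calls) with a comment saying why the backslash is in it.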
@@ -84,7 +84,7 @@
 
   for (p = (const unsigned char *) ustr, q = str; *p; p++)
     {
-      if (strchr ("'\"", *p))
+      if (strchr ("'\"\\", *p))
 	*q++ = '\\';
       *q++ = *p;
     }
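
Review bot: the copy loop still builds the escape by hand, writing '\\' before each matched byte, which is only correct for a backend that treats backslash as an escape character inside string literals, and nothing in the hunk documents that assumption. Consider calling the client library's own escaping routine for the configured backend (mysql_real_escape_string or PQescapeStringConn), which also takes the connection's character set into account, or at least add a comment stating which backends this hand-written set was checked against.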

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>



Tags added: patch Request was from Russ Allbery <rra@stanford.edu> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#308031; Package mailutils.


Acknowledgement sent to Jordi Mallach <jordi@debian.org>:
Extra info received and forwarded to list.


Message #28 received at 308031@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: Primoz Bratanic <primoz@slo-tech.com>, 308031@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#308031: mailutils: woody is affected too
Date: Sun, 15 May 2005 18:53:22 +0200
tags 308031 - woody
thanks

Hey Primoz,

On Fri, May 13, 2005 at 04:17:21AM +0200, Primoz Bratanic wrote:
> Woody is affected too. Just check MySql/MySql.c (just that there is no
> escaping ... )

I just logged into merkel and checked some of the binaries and the
source package for the woody version: they don't depend or build-depend on
either postgresql or mysql libs, so even if the code is vulnerable, the
binaries aren't, AFAICT. I enabled mysql auth when I started working on
the package after the woody release.

I don't think this will need a DSA. Please double-check!

Fix for unstable/testing is uploading.

Thanks,
Jordi
-- 
Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

Tags removed: woody Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org.


Reply sent to Jordi Mallach <jordi@debian.org>:
You have taken responsibility.


Notification sent to Primoz Bratanic <primoz@slo-tech.com>:
Bug acknowledged by developer.


Message #35 received at 308031-close@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: 308031-close@bugs.debian.org
Subject: Bug#308031: fixed in mailutils 1:0.6.1-2
Date: Sun, 15 May 2005 13:17:04 -0400
Source: mailutils
Source-Version: 1:0.6.1-2

We believe that the bug you reported is fixed in the latest version of
mailutils, which is due to be installed in the Debian FTP archive:

libmailutils0-dev_0.6.1-2_i386.deb
  to pool/main/m/mailutils/libmailutils0-dev_0.6.1-2_i386.deb
libmailutils0_0.6.1-2_i386.deb
  to pool/main/m/mailutils/libmailutils0_0.6.1-2_i386.deb
mailutils-comsatd_0.6.1-2_i386.deb
  to pool/main/m/mailutils/mailutils-comsatd_0.6.1-2_i386.deb
mailutils-doc_0.6.1-2_all.deb
  to pool/main/m/mailutils/mailutils-doc_0.6.1-2_all.deb
mailutils-imap4d_0.6.1-2_i386.deb
  to pool/main/m/mailutils/mailutils-imap4d_0.6.1-2_i386.deb
mailutils-mh_0.6.1-2_i386.deb
  to pool/main/m/mailutils/mailutils-mh_0.6.1-2_i386.deb
mailutils-pop3d_0.6.1-2_i386.deb
  to pool/main/m/mailutils/mailutils-pop3d_0.6.1-2_i386.deb
mailutils_0.6.1-2.diff.gz
  to pool/main/m/mailutils/mailutils_0.6.1-2.diff.gz
mailutils_0.6.1-2.dsc
  to pool/main/m/mailutils/mailutils_0.6.1-2.dsc
mailutils_0.6.1-2_i386.deb
  to pool/main/m/mailutils/mailutils_0.6.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 308031@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated mailutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 15 May 2005 17:35:58 +0200
Source: mailutils
Binary: mailutils-mh mailutils-imap4d mailutils-comsatd mailutils libmailutils0-dev libmailutils0 mailutils-pop3d mailutils-doc
Architecture: source i386 all
Version: 1:0.6.1-2
Distribution: unstable
Urgency: high
Maintainer: Jordi Mallach <jordi@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 libmailutils0 - GNU Mail abstraction library
 libmailutils0-dev - Development files for GNU mailutils
 mailutils  - GNU mailutils utilities for handling mail
 mailutils-comsatd - GNU mailutils-based comsatd daemon
 mailutils-doc - Documentation for GNU mailutils
 mailutils-imap4d - GNU mailutils-based IMAP4 Daemon
 mailutils-mh - GNU mailutils-based MH utilities
 mailutils-pop3d - GNU mailutils-based POP3 Daemon
Closes: 265490 300869 308031
Changes: 
 mailutils (1:0.6.1-2) unstable; urgency=HIGH
 .
   * debian/patches/01_mail_metamail.patch: patch from CVS to allow decoding
     of mail without interpreting MIME parts if "metamail" is unset. Sergey
     thinks that this is the cause for the random testsuite failures
     (closes: #265490).
   * [SECURITY] debian/patches/02_sql_injection.patch: add "\" to the list
     of escaped characters, to fix a sql injection vulnerability in the
     SQL authentication module (thanks, Primoz Bratanic; closes: #308031).
   * debian/patches/03_imap4d_gcc4_ftbfs.patch: patch from Andreas Jochens to
     fix a FTBFS on amd64/gcc-4.0 (closes: #300869).
Files: 
 df6f0e7a8dfdd01571c9723eb80497da 1093 libs optional mailutils_0.6.1-2.dsc
 05d1fd3d877a0d697c87166cbef9cfd2 26522 libs optional mailutils_0.6.1-2.diff.gz
 6c1022b1d8eea60296220ed2201a9754 284986 doc optional mailutils-doc_0.6.1-2_all.deb
 d6498509b7799798cbf9aab636e475ae 546082 libs optional libmailutils0_0.6.1-2_i386.deb
 3d2b799e83a5c6cffabaecb7887ae6d5 367898 libdevel optional libmailutils0-dev_0.6.1-2_i386.deb
 029c10fd6d4ad5b1f6202b3d7542f8a6 143196 mail optional mailutils_0.6.1-2_i386.deb
 1a5d95cda66e00acd7c872b71ac72898 74478 net optional mailutils-imap4d_0.6.1-2_i386.deb
 821280b478529a3403ff1c202c943e44 60122 net optional mailutils-pop3d_0.6.1-2_i386.deb
 d25f6c517d4ae139d0bf6bb5fbd58f8a 46222 net optional mailutils-comsatd_0.6.1-2_i386.deb
 c43075f68861b53849de547e9193e058 647820 mail optional mailutils-mh_0.6.1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCh38SJYSUupF6Il4RApb5AJ9+qGP1g3CBdQXzlxadBgWbNusrywCghkq4
RzlyeY+GjbqoHB4ElCFQaEs=
=AguP
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Jordi Mallach <jordi@debian.org>:
Bug#308031; Package mailutils.


Acknowledgement sent to Primoz <primoz@slo-tech.com>:
Extra info received and forwarded to list. Copy sent to Jordi Mallach <jordi@debian.org>.


Message #40 received at 308031@bugs.debian.org:

From: Primoz <primoz@slo-tech.com>
To: Jordi Mallach <jordi@debian.org>
Cc: 308031@bugs.debian.org, security@debian.org
Subject: Re: Bug#308031: mailutils: woody is affected too
Date: Sun, 15 May 2005 22:11:27 +0200
Hello,

> I don't think this will need a DSA. Please double-check!

Default compile option is without mysql and you didn't change that (so
your binaries are not vulnerable, even if source is)

Primoz


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 15 21:20:07 2024; Machine Name: buxtehude
