!54 【openEuler-20.03-LTS-SP4】Fix heap corruption

From: @yixiangzhike 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch

@@ -0,0 +1,82 @@
+From 9eff746c9daecbcc0041b09a5a51ba30738cdcbc Mon Sep 17 00:00:00 2001
+From: Klaus Espenlaub <klaus@espenlaub.com>
+Date: Tue, 8 Feb 2022 20:34:40 +0000
+Subject: [PATCH] CVE-2022-24407 Escape password for SQL insert/update
+ commands.
+
+Signed-off-by: Klaus Espenlaub <klaus@espenlaub.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 31b54a7..6ac81c2 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1151,6 +1151,7 @@ static int sql_auxprop_store(void *glob_context,
+     char *statement = NULL;
+     char *escap_userid = NULL;
+     char *escap_realm = NULL;
++    char *escap_passwd = NULL;
+     const char *cmd;
+     
+     sql_settings_t *settings;
+@@ -1222,6 +1223,11 @@ static int sql_auxprop_store(void *glob_context,
+ 			    "Unable to begin transaction\n");
+     }
+     for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++	/* Free the buffer, current content is from previous loop. */
++	if (escap_passwd) {
++	    sparams->utils->free(escap_passwd);
++	    escap_passwd = NULL;
++	}
+ 
+ 	if (cur->name[0] == '*') {
+ 	    continue;
+@@ -1243,19 +1249,32 @@ static int sql_auxprop_store(void *glob_context,
+ 	}
+ 	sparams->utils->free(statement);
+ 
++	if (cur->values[0]) {
++	    escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++	    if (!escap_passwd) {
++		ret = SASL_NOMEM;
++		break;
++	    }
++	    settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++	}
++
+ 	/* create a statement that we will use */
+ 	statement = sql_create_statement(cmd, cur->name, escap_userid,
+ 					 escap_realm,
+-					 cur->values && cur->values[0] ?
+-					 cur->values[0] : SQL_NULL_VALUE,
++					 escap_passwd ?
++					 escap_passwd : SQL_NULL_VALUE,
+ 					 sparams->utils);
++	if (!statement) {
++	    ret = SASL_NOMEM;
++	    break;
++	}
+ 	
+ 	{
+ 	    char *log_statement =
+ 		sql_create_statement(cmd, cur->name,
+ 				     escap_userid,
+ 				     escap_realm,
+-				     cur->values && cur->values[0] ?
++				     escap_passwd ?
+ 				     "<omitted>" : SQL_NULL_VALUE,
+ 				     sparams->utils);
+ 	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1288,6 +1307,7 @@ static int sql_auxprop_store(void *glob_context,
+   done:
+     if (escap_userid) sparams->utils->free(escap_userid);
+     if (escap_realm) sparams->utils->free(escap_realm);
++    if (escap_passwd) sparams->utils->free(escap_passwd);
+     if (conn) settings->sql_engine->sql_close(conn);
+     if (userid) sparams->utils->free(userid);
+     if (realm) sparams->utils->free(realm);
+-- 
+1.8.3.1
+

backport-Fix-heap-corruption.patch

@@ -0,0 +1,33 @@
+From e04a67610adeea29541078cbc9e0cf9dab659e6b Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Date: Fri, 1 Dec 2023 16:19:27 +0100
+Subject: [PATCH] Fix heap corruption
+
+Calculation of resultlen is wrong. E.g. if server allows
+only one mechanism SCRAM-SHA-256, the expected string for the
+mechlist_buf is "SCRAM-SHA-256-PLUS SCRAM-SHA-256" with a required
+size of 33 bytes and not 32 bytes.
+Note that (strlen(mysep) * (s_conn->mech_length - 1) * 2) = 0
+when s_conn->mech_length = 1.
+
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+---
+ lib/server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/server.c b/lib/server.c
+index c69e58b8..b44155f4 100644
+--- a/lib/server.c
++++ b/lib/server.c
+@@ -1764,7 +1764,7 @@ int _sasl_server_listmech(sasl_conn_t *conn,
+       INTERROR(conn, SASL_NOMECH);
+ 
+   resultlen = (prefix ? strlen(prefix) : 0)
+-            + (strlen(mysep) * (s_conn->mech_length - 1) * 2)
++            + (strlen(mysep) * (s_conn->mech_length * 2 - 1))
+ 	    + (mech_names_len(s_conn->mech_list) * 2) /* including -PLUS variant */
+ 	    + (s_conn->mech_length * (sizeof("-PLUS") - 1))
+             + (suffix ? strlen(suffix) : 0)
+-- 
+2.33.0
+

backport-Use-int-instead-of-char-for-variable-c.patch

@@ -0,0 +1,29 @@
+From 4013caeda28f67980df1bc8fcd95e80135d248e8 Mon Sep 17 00:00:00 2001
+From: yixiangzhike <yixiangzhike007@163.com>
+Date: Mon, 16 Jan 2023 20:28:28 +0800
+Subject: [PATCH] Use int instead of char for variable c
+
+In some systems, char is compiled as unsigned char by default,
+as a result, testsuite always fails in abnormal process.
+
+Signed-off-by: yixiangzhike <yixiangzhike007@163.com>
+---
+ utils/testsuite.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/testsuite.c b/utils/testsuite.c
+index 12da7f74..79e861d2 100644
+--- a/utils/testsuite.c
++++ b/utils/testsuite.c
+@@ -2938,7 +2938,7 @@ void usage(void)
+ 
+ int main(int argc, char **argv)
+ {
+-    char c;
++    int c;
+     int random_tests = -1;
+     int do_all = 0;
+     int skip_do_correct = 0;
+-- 
+2.33.0
+

cyrus-sasl.spec

@@ -6,7 +6,7 @@
 
 Name: cyrus-sasl
 Version: 2.1.27
-Release: 12
+Release: 17
 Summary: The Cyrus SASL API Implementation
 
 License: BSD with advertising
@@ -18,13 +18,14 @@ Source2: saslauthd.sysconfig
 Patch0: 0003-Prevent-double-free-of-RC4-context.patch
 Patch1: fix-CVE-2019-19906.patch
 Patch2: backport-db_gdbm-fix-gdbm_errno-overlay-from-gdbm_close.patch
+Patch3: backport-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
+Patch4: backport-Use-int-instead-of-char-for-variable-c.patch
+Patch5: backport-Fix-heap-corruption.patch
 
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
 BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
 BuildRequires: mariadb-connector-c-devel, postgresql-devel, zlib-devel
-%if ! %{bootstrap_cyrus_sasl}
-BuildRequires: openldap-devel
-%endif
+
 %{?systemd_requires}
 
 Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
@@ -34,21 +35,6 @@ Requires: systemd >= 211
 
 Provides: user(%username)
 Provides: group(%username)
-Provides: %{name}-gssapi = %{version}-%{release}
-Provides: %{name}-gssapi%{?_isa} = %{version}-%{release}
-Provides: %{name}-plain  = %{version}-%{release}
-Provides: %{name}-md5 = %{version}-%{release}
-Provides: %{name}-ntlm = %{version}-%{release}
-Provides: %{name}-ldap = %{version}-%{release}
-Provides: %{name}-scram = %{version}-%{release}
-Provides: %{name}-gs2 = %{version}-%{release}
-Obsoletes: %{name}-gssapi  < %{version}-%{release}
-Obsoletes: %{name}-plain  < %{version}-%{release}
-Obsoletes: %{name}-md5 < %{version}-%{release}
-Obsoletes: %{name}-ntlm < %{version}-%{release}
-Obsoletes: %{name}-ldap < %{version}-%{release}
-Obsoletes: %{name}-scram < %{version}-%{release}
-Obsoletes: %{name}-gs2 < %{version}-%{release}
 
 %description
 The %{name} package contains the Cyrus implementation of SASL.
@@ -65,6 +51,75 @@ Requires: pkgconf
 The %{name}-devel package contains files needed for developing and
 compiling applications which use the Cyrus SASL library.
 
+%if ! %{bootstrap_cyrus_sasl}
+
+%package ldap
+BuildRequires: openldap-devel
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: LDAP auxprop support for Cyrus SASL
+
+%description ldap
+The %{name}-ldap package contains the Cyrus SASL plugin which supports using
+a directory server, accessed using LDAP, for storing shared secrets.
+
+%endif
+
+%package gssapi
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: GSSAPI authentication support for Cyrus SASL
+
+%description gssapi
+The %{name}-gssapi package contains the Cyrus SASL plugins which
+support GSSAPI authentication. GSSAPI is commonly used for Kerberos
+authentication.
+
+%package plain
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: PLAIN and LOGIN authentication support for Cyrus SASL
+
+%description plain
+The %{name}-plain package contains the Cyrus SASL plugins which support
+PLAIN and LOGIN authentication schemes.
+
+%package md5
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
+
+%description md5
+The %{name}-md5 package contains the Cyrus SASL plugins which support
+CRAM-MD5 and DIGEST-MD5 authentication schemes.
+
+%package ntlm
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: NTLM authentication support for Cyrus SASL
+
+%description ntlm
+The %{name}-ntlm package contains the Cyrus SASL plugin which supports
+the NTLM authentication scheme.
+
+%package scram
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: SCRAM auxprop support for Cyrus SASL
+
+%description scram
+The %{name}-scram package contains the Cyrus SASL plugin which supports
+the SCRAM authentication scheme.
+
+%package gs2
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Conflicts: %{name} < 2.1.27-13
+Summary: GS2 support for Cyrus SASL
+
+%description gs2
+The %{name}-gs2 package contains the Cyrus SASL plugin which supports
+the GS2 authentication scheme.
+
 %package lib
 Summary: Shared libraries needed by applications which use Cyrus SASL
 
@@ -214,18 +269,6 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_sbindir}/pluginviewer
 %{_sbindir}/saslauthd
 %{_sbindir}/testsaslauthd
-%dir %{_libdir}/sasl2/
-%{_libdir}/sasl2/*plain*.so*
-%{_libdir}/sasl2/*login*.so*
-%if ! %{bootstrap_cyrus_sasl}
-%{_libdir}/sasl2/*ldapdb*.so*
-%endif
-%{_libdir}/sasl2/*crammd5*.so*
-%{_libdir}/sasl2/*digestmd5*.so*
-%{_libdir}/sasl2/*ntlm*.so*
-%{_libdir}/sasl2/*gssapi*.so*
-%{_libdir}/sasl2/libscram.so*
-%{_libdir}/sasl2/libgs2.so*
 %config(noreplace) /etc/sysconfig/saslauthd
 %{_unitdir}/saslauthd.service
 %ghost /run/saslauthd
@@ -248,10 +291,35 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %{_libdir}/libsasl*.*so
 %{_libdir}/pkgconfig/*.pc
 
+%if ! %{bootstrap_cyrus_sasl}
+%files ldap
+%{_libdir}/sasl2/*ldapdb*.so*
+%endif
+
 %files sql
 %defattr(-,root,root)
 %{_libdir}/sasl2/*sql*.so*
 
+%files plain
+%{_libdir}/sasl2/*plain*.so*
+%{_libdir}/sasl2/*login*.so*
+
+%files md5
+%{_libdir}/sasl2/*crammd5*.so*
+%{_libdir}/sasl2/*digestmd5*.so*
+
+%files ntlm
+%{_libdir}/sasl2/*ntlm*.so*
+
+%files gssapi
+%{_libdir}/sasl2/*gssapi*.so*
+
+%files scram
+%{_libdir}/sasl2/libscram.so*
+
+%files gs2
+%{_libdir}/sasl2/libgs2.so*
+
 %files help
 %defattr(-,root,root)
 %doc doc/html/*.html saslauthd/LDAP_SASLAUTHD
@@ -260,6 +328,22 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 
 
 %changelog
+* Thu Dec 19 2024 yixiangzhike <yixiangzhike007@163.com> - 2.1.27-17
+- backport upstream patch to fix heap corruption
+
+* Fri Oct 11 2024 yixiangzhike <yixiangzhike007@163.com> - 2.1.27-16
+- backport upstream patch to fix char overflow
+
+* Fri Nov 24 2023 yixiangzhike <yixiangzhike007@163.com> - 2.1.27-15
+- saslauthd always restart with 1s
+
+* Thu Feb 24 2022 yixiangzhike <yixiangzhike007@163.com> - 2.1.27-14
+- fix CVE-2022-24407
+
+* Wed Oct 13 2021 liyanan <liyanan32@huawei.com> - 2.1.27-13
+- Split cyrus-sasl-ldap cyrus-sasl-gs2 cyrus-sasl-scram cyrus-sasl-gssapi
+  cyrus-sasl-md5 cyrus-sasl-ntlm cyrus-sasl-plain sub-package
+
 * Wed May 12 2021 wangchen <wangchen137@huawei.com> - 2.1.27-12
 - fix gdbm_errno overlay from gdbm_close
 

saslauthd.service

@@ -6,6 +6,8 @@ Type=forking
 EnvironmentFile=/etc/sysconfig/saslauthd
 ExecStart=/usr/sbin/saslauthd -m /run/saslauthd -a pam $FLAGS
 RuntimeDirectory=saslauthd
+Restart=always
+RestartSec=1s
 
 [Install]
 WantedBy=multi-user.target