Hi I attached the complete NMU patch. It uses the upstream patch from 0.60.6.
Cheers Steffen
diff -u courier-authlib-0.60.1/debian/changelog courier-authlib-0.60.1/debian/changelog
--- courier-authlib-0.60.1/debian/changelog
+++ courier-authlib-0.60.1/debian/changelog
@@ -1,3 +1,13 @@
+courier-authlib (0.60.1-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix sql injection vulnerability by changing to use
+ mysql_set_character_set instead of SET NAMES
+ (Change was introduced by upstream in 0.60.6)
+ (Closes: #485424)
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Mon, 09 Jun 2008 15:29:23 +0000
+
courier-authlib (0.60.1-2) unstable; urgency=low
* added LSB dependency info to init scripts (Closes: #460221, thanks to
only in patch2:
unchanged:
--- courier-authlib-0.60.1.orig/authmysqllib.c
+++ courier-authlib-0.60.1/authmysqllib.c
@@ -110,6 +110,43 @@
static MYSQL *mysql=0;
+static void set_session_options(void)
+/*
+* session variables can be set once for the whole session
+*/
+{
+/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
+#if MYSQL_VERSION_ID >= 41000
+ const char *character_set=read_env("MYSQL_CHARACTER_SET"), *check;
+
+ if(character_set){
+
+ /*
+ * This function works like the SET NAMES statement, but also sets
+ * the value of mysql->charset, and thus affects the character set
+ * used by mysql_real_escape_string()
+ *
+ * (return value apparently work the opposite of what is documented)
+ */
+ mysql_set_character_set(mysql, character_set);
+ check = mysql_character_set_name(mysql);
+ if (strcmp(character_set, check) != 0)
+ {
+ err("Cannot set MySQL character set \"%s\", working with \"%s\"\n",
+ character_set, check);
+ }
+ else
+ {
+ DPRINTF("Install of a character set for MySQL: %s", character_set);
+ }
+ }
+#endif /* 41000 */
+}
+
+
+
+
+
static int do_connect()
{
const char *server;
@@ -236,6 +273,17 @@
mysql=0;
return (-1);
}
+
+ DPRINTF("authmysqllib: connected. Versions: "
+ "header %lu, "
+ "client %lu, "
+ "server %lu",
+ (long)MYSQL_VERSION_ID,
+ mysql_get_client_version(),
+ mysql_get_server_version(mysql));
+
+ set_session_options();
+
return (0);
}
@@ -779,42 +827,6 @@
}
}
-/* Anton Dobkin <[EMAIL PROTECTED]>, VIAN, Ltd. */
-#if MYSQL_VERSION_ID >= 41000
- const char *character_set=read_env("MYSQL_CHARACTER_SET");
-
- if(character_set){
-
- char *character_set_buf;
-
- character_set_buf=malloc(strlen(character_set)+11);
-
- if (!character_set_buf)
- {
- perror("malloc");
- return (0);
- }
-
- strcpy(character_set_buf, "SET NAMES ");
- strcat(character_set_buf, character_set);
-
- DPRINTF("Install of a character set for MySQL. SQL query: SET NAMES %s", character_set);
-
- if(mysql_query (mysql, character_set_buf))
- {
- err("Install of a character set for MySQL is failed: %s MYSQL_CHARACTER_SET: may be invalid character set", mysql_error(mysql));
- auth_mysql_cleanup();
-
- if (do_connect())
- {
- free(character_set_buf);
- return (0);
- }
- }
-
- free(character_set_buf);
- }
-#endif
DPRINTF("SQL query: %s", querybuf);
if (mysql_query (mysql, querybuf))
signature.asc
Description: This is a digitally signed message part.
