Secure testing team - Jun 2008 - Bug#485424: courier-authlib: possible sql injection

Package: courier-authlib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It was announced that courier-authlib suffers from a sql injection
vulnerability with MySQL databases that use non-Latin character 
sets.
For more information see this link[0]. There is also a follow-up here[1].
A CVE id is already requested and will be added to this bugreport, once
it is available.

The patch is attached, please review and consider including it.

Cheers
Steffen

[0]: http://marc.info/?l=courier-users&m=121293814822605&w=2

[1]: http://marc.info/?l=courier-users&m=121294465330832
-------------- next part --------------
--- courier-authlib-0.60.1.orig/authmysqllib.c
+++ courier-authlib-0.60.1/authmysqllib.c
@@ -110,6 +110,43 @@
 
 static MYSQL *mysql=0;
 
+static void set_session_options(void)
+/*
+* session variables can be set once for the whole session
+*/
+{
+/* Anton Dobkin <anton at viansib.ru>, VIAN, Ltd. */
+#if MYSQL_VERSION_ID >= 41000
+       const char *character_set=read_env("MYSQL_CHARACTER_SET"),
*check;
+
+        if(character_set){
+
+            /*
+            * This function works like the SET NAMES statement, but also sets
+            * the value of mysql->charset, and thus affects the character
set
+            * used by mysql_real_escape_string()
+            *
+            * (return value apparently work the opposite of what is documented)
+            */
+            mysql_set_character_set(mysql, character_set);
+            check = mysql_character_set_name(mysql);
+            if (strcmp(character_set, check) != 0)
+            {
+                err("Cannot set MySQL character set \"%s\",
working with \"%s\"\n",
+                    character_set, check);
+            }
+            else
+            {
+                DPRINTF("Install of a character set for MySQL: %s",
character_set);
+            }
+        }
+#endif /* 41000 */
+}
+
+
+
+
+
 static int do_connect()
 {
 const	char *server;
@@ -236,6 +273,17 @@
 		mysql=0;
 		return (-1);
 	}
+
+        DPRINTF("authmysqllib: connected. Versions: "
+                "header %lu, "
+                "client %lu, "
+                "server %lu",
+                (long)MYSQL_VERSION_ID,
+                mysql_get_client_version(),
+                mysql_get_server_version(mysql));
+ 
+        set_session_options();
+
 	return (0);
 }
 
@@ -779,42 +827,6 @@
 		}
 	}
 
-/* Anton Dobkin <anton at viansib.ru>, VIAN, Ltd. */
-#if MYSQL_VERSION_ID >= 41000    
-	const char *character_set=read_env("MYSQL_CHARACTER_SET");
-    
-        if(character_set){
-            
-    	    char *character_set_buf;
-        	
-            character_set_buf=malloc(strlen(character_set)+11);
-        	        
-    	    if (!character_set_buf)
-            {
-		perror("malloc");
-        	return (0);
-    	    }
-        	    				    
-    	    strcpy(character_set_buf, "SET NAMES ");
-           strcat(character_set_buf, character_set);
-        	    						
-            DPRINTF("Install of a character set for MySQL. SQL query: SET
NAMES %s", character_set);
-        	    							
-            if(mysql_query (mysql, character_set_buf))
-    	     {    
-                err("Install of a character set for MySQL is failed: %s
MYSQL_CHARACTER_SET: may be invalid character set", mysql_error(mysql));
-    	        auth_mysql_cleanup();
-        		    
-    		if (do_connect())
-        	{
-        	    free(character_set_buf);
-        	    return (0);
-        	}
-    	     }
-    	    
-    	    free(character_set_buf);
-        }
-#endif	
 
 	DPRINTF("SQL query: %s", querybuf);
 	if (mysql_query (mysql, querybuf))