Bug#809855: jessie-pu: package yubiserver/0.5-2+deb8u1
Control: tag -1 moreinfo
On Mon, Jan 4, 2016 at 19:08:41 +0100, Salvatore Bonaccorso wrote:
> Hi Stable Release managers,
>
> yubiserver in jessie is affected by:
>
> CVE-2015-0842: SQL injection issues (potential auth bypass)
> CVE-2015-0843: Buffer overflows due to misuse of sprintf
>
> which got fixed in unstable by the 0.6-1 upload. These do not warrant
> a DSA but it would be nice to have it fixed in stable as well. I have
> extracted the diff for 0.5-2, but basically 0.6-1 is the release
> fixing the two CVEs.
>
> I would suggest just releasing 0.6-1~deb8u1, being a rebuild of 0.6-1
> for jessie if you agree, otherwise the debdiff with only the needed
> changes is attached.
>
> A rebuild of 0.6-1 for jessie would additionally fix
>
> yubiserver (0.5-3) unstable; urgency=medium
> .
> * Handle -l switch correctly. Thanks to Clemens Lang
> for the bug report (Closes: Bug#781552).
> * Remove unowned directory after purge. Thanks to Andreas Beckmann for
> the bug report (Closes: Bug#770535).
>
> Is any of those fine with you?
>
A few observations:
- the 0.6-based diff has autom4te.cache noise, please get rid of it
- the sprintf→snprintf changes, apart from being quite noisy, look
weird, as none of them actually check snprintf's return value
- some places didn't get the sql injection fixes, e.g.:
> diff -Nru yubiserver-0.5/yubiserver-admin.c yubiserver-0.6/yubiserver-admin.c
> --- yubiserver-0.5/yubiserver-admin.c 2014-10-03 13:50:47.000000000 +0200
> +++ yubiserver-0.6/yubiserver-admin.c 2015-06-29 10:39:36.000000000 +0200
> @@ -170,7 +174,11 @@
> sqlite3_stmt *stmt;
>
> query = calloc(1, QUERY_SIZE);
> - sprintf(query, "SELECT * FROM %s WHERE nickname='%s'", table, user);
> + snprintf(query,
> + QUERY_SIZE,
> + "SELECT * FROM %s WHERE nickname='%s'",
> + table,
> + user);
>
> retval = sqlite3_prepare_v2(handle, query, -1, &stmt, 0);
>
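Review bot: The `query` buffer returned by calloc() on the third line of the hunk is handed to snprintf() and then to sqlite3_prepare_v2() without a NULL check, and the `user` value is still formatted into the SQL text, so the replacement call only bounds the write; it does not change what the prepared statement means. Because this query already goes through sqlite3_prepare_v2(), the user column can be a bind parameter (`nickname = ?` plus `sqlite3_bind_text(stmt, 1, user, -1, SQLITE_TRANSIENT)`), leaving only `table` in the format string, and a table name cannot be bound, so it should be checked against the fixed set of tables the tool knows before being formatted in. The same shape recurs in the prepare_v2-based hunks at -217, -276, -358 (table only) and -394, and in the sqlite3_exec()-based hunks at -235, -294, -335, -467, -543 and -610, which would need to move to prepare/bind/step to get the same effect. The enclosing function starts and ends outside the hunk, so its error return is not visible here.
```c
query = calloc(1, QUERY_SIZE);
if (query == NULL) {
    fprintf(stderr, "Out of memory\n");
    /* take this function's existing error path; it lies outside the hunk */
}
/* only the table name is formatted in; it must be one of the tool's known tables */
snprintf(query, QUERY_SIZE, "SELECT * FROM %s WHERE nickname = ?", table);

retval = sqlite3_prepare_v2(handle, query, -1, &stmt, 0);
if (retval == SQLITE_OK)
    retval = sqlite3_bind_text(stmt, 1, user, -1, SQLITE_TRANSIENT);
/* … unchanged: sqlite3_step() handling and cleanup … */
```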
> @@ -217,9 +225,11 @@
> }
>
> query = calloc(1, QUERY_SIZE);
> - sprintf(query, "SELECT * FROM %s WHERE nickname = '%s' AND active = '1'",
> - table,
> - user);
> + snprintf(query,
> + QUERY_SIZE,
> + "SELECT * FROM %s WHERE nickname = '%s' AND active = '1'",
> + table,
> + user);
>
> retval = sqlite3_prepare_v2(handle, query, -1, &stmt, 0);
>
> @@ -235,8 +245,12 @@
> break;
> case SQLITE_DONE:
> fprintf(stdout, "Trying to enable user '%s'\n", user);
> - sprintf(query, "UPDATE %s SET active = '1' WHERE "
> - "nickname = '%s'", table, user);
> + snprintf(query,
> + QUERY_SIZE,
> + "UPDATE %s SET active = '1' WHERE "
> + "nickname = '%s'",
> + table,
> + user);
> retval = sqlite3_exec(handle, query, 0, 0, 0);
> if (retval) {
> fprintf(stderr, "Updating DB data failed\n");
> @@ -276,9 +290,11 @@
>
> query = calloc(1, QUERY_SIZE);
>
> - sprintf(query, "SELECT * FROM %s WHERE nickname = '%s' AND active = '0'",
> - table,
> - user);
> + snprintf(query,
> + QUERY_SIZE,
> + "SELECT * FROM %s WHERE nickname = '%s' AND active = '0'",
> + table,
> + user);
>
> retval = sqlite3_prepare_v2(handle, query, -1, &stmt, 0);
>
> @@ -294,8 +310,12 @@
> break;
> case SQLITE_DONE:
> fprintf(stdout, "Trying to disable user '%s'\n", user);
> - sprintf(query, "UPDATE %s SET active = '0' WHERE "
> - "nickname = '%s'", table, user);
> + snprintf(query,
> + QUERY_SIZE,
> + "UPDATE %s SET active = '0' WHERE "
> + "nickname = '%s'",
> + table,
> + user);
> retval = sqlite3_exec(handle, query, 0, 0, 0);
> if (retval) {
> fprintf(stderr, "Failed to disable user\n");
> @@ -335,7 +355,11 @@
>
> query = calloc(1, QUERY_SIZE);
>
> - sprintf(query, "DELETE FROM %s WHERE nickname = '%s'", table, user);
> + snprintf(query,
> + QUERY_SIZE,
> + "DELETE FROM %s WHERE nickname = '%s'",
> + table,
> + user);
> retval = sqlite3_exec(handle, query, 0, 0, 0);
>
> if (retval) {
> @@ -358,7 +382,10 @@
> sqlite3_stmt *stmt;
>
> query = calloc(1, QUERY_SIZE);
> - sprintf(query, "SELECT id FROM %s ORDER BY id DESC LIMIT 1", table);
> + snprintf(query,
> + QUERY_SIZE,
> + "SELECT id FROM %s ORDER BY id DESC LIMIT 1",
> + table);
>
> retval = sqlite3_prepare_v2(handle, query, -1, &stmt, 0);
>
> @@ -394,8 +421,12 @@
> sqlite3_stmt *stmt;
>
> query = calloc(1, QUERY_SIZE);
> - sprintf(query,"SELECT * FROM %s WHERE nickname='%s' OR publicname='%s'",
> - table, user, pname);
> + snprintf(query,
> + QUERY_SIZE,
> + "SELECT * FROM %s WHERE nickname='%s' OR publicname='%s'",
> + table,
> + user,
> + pname);
>
> retval = sqlite3_prepare_v2(handle, query, -1, &stmt, 0);
>
> @@ -467,17 +498,19 @@
> cdatetime = calloc(1, 25);
> cdatetime_tmp = calloc(1, 20);
> strftime(cdatetime_tmp, 20, "%Y-%m-%dT%H:%M:%S", tmp);
> - sprintf(cdatetime, "%s.%.3dZ", cdatetime_tmp, tp.millitm);
> + snprintf(cdatetime, 25, "%s.%.3dZ", cdatetime_tmp, tp.millitm);
>
> query = calloc(1, QUERY_SIZE * 2);
> - sprintf(query, "INSERT INTO %s "
> - "VALUES('%s','%s','%s','%s','%s',1,1,1)",
> - table,
> - user,
> - ext_db ? Argv[6]: Argv[4],
> - cdatetime,
> - ext_db ? Argv[7]: Argv[5],
> - ext_db ? Argv[8]: Argv[6]);
> + snprintf(query,
> + QUERY_SIZE * 2,
> + "INSERT INTO %s "
> + "VALUES('%s','%s','%s','%s','%s',1,1,1)",
> + table,
> + user,
> + ext_db ? Argv[6]: Argv[4],
> + cdatetime,
> + ext_db ? Argv[7]: Argv[5],
> + ext_db ? Argv[8]: Argv[6]);
> free(cdatetime);
> free(cdatetime_tmp);
>
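Review bot: The three calloc() results in this hunk (`cdatetime`, `cdatetime_tmp`, `query`) are dereferenced by strftime(), snprintf() and later sqlite3_exec() without a NULL check, and the hunk at -543 has the same shape. The sizes 25 and 20 are repeated literals: this hunk allocates 25 and passes 25 to snprintf, while the -543 hunk allocates 25 + 1 / 20 + 1 and still passes 25, so a named constant such as `enum { DATETIME_BUF = 25 }` used for both the allocation and the snprintf size would keep the two in step (the 19-character strftime output plus `.mmmZ` and the terminator fits 25 exactly, so there is no slack to absorb a future format change). The `Argv[4]`..`Argv[8]` reads are not bounds-checked within the hunk; whether argc was validated earlier is outside what is shown. The enclosing function starts and ends outside the hunk.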
> @@ -543,16 +576,18 @@
> cdatetime = calloc(1, 25 + 1);
> cdatetime_tmp = calloc(1, 20 + 1);
> strftime(cdatetime_tmp, 20, "%Y-%m-%dT%H:%M:%S", tmp);
> - sprintf(cdatetime, "%s.%.3dZ", cdatetime_tmp, tp.millitm);
> + snprintf(cdatetime, 25, "%s.%.3dZ", cdatetime_tmp, tp.millitm);
>
> query = calloc(1, QUERY_SIZE * 2);
> - sprintf(query, "INSERT INTO %s "
> - "VALUES('%s','%s','%s','%s',1,1)",
> - table,
> - user,
> - ext_db ? Argv[6]: Argv[4],
> - cdatetime,
> - ext_db ? Argv[7]: Argv[5]);
> + snprintf(query,
> + QUERY_SIZE * 2,
> + "INSERT INTO %s "
> + "VALUES('%s','%s','%s','%s',1,1)",
> + table,
> + user,
> + ext_db ? Argv[6]: Argv[4],
> + cdatetime,
> + ext_db ? Argv[7]: Argv[5]);
> free(cdatetime);
> free(cdatetime_tmp);
>
> @@ -610,10 +645,12 @@
> }
>
> query = calloc(1, QUERY_SIZE);
> - sprintf(query, "INSERT INTO apikeys VALUES ('%s','%s','%d')",
> - user,
> - ext_db ? Argv[6] : Argv[4],
> - nextid);
> + snprintf(query,
> + QUERY_SIZE,
> + "INSERT INTO apikeys VALUES ('%s','%s','%d')",
> + user,
> + ext_db ? Argv[6] : Argv[4],
> + nextid);
>
> retval = sqlite3_exec(handle, query, 0, 0, 0);
>
Cheers,
Julien