Bug 30085 - cyrus-sasl new security issue CVE-2022-24407
Summary: cyrus-sasl new security issue CVE-2022-24407
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal; Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-23 18:32 CET by David Walser
Modified: 2022-03-23 09:37 CET

See Also:
Source RPM: cyrus-sasl-2.1.27-3.mga8.src.rpm
CVE: CVE-2022-24407
Status comment:


Description David Walser 2022-02-23 18:32:02 CET
RedHat has issued an advisory today (February 23):
https://access.redhat.com/errata/RHSA-2022:0658

The issue is fixed upstream in 2.1.28:
https://github.com/cyrusimap/cyrus-sasl/releases/tag/cyrus-sasl-2.1.28
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28

Mageia 8 is also affected.
David Walser 2022-02-23 18:32:13 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.1.28

Comment 1 David Walser 2022-02-23 18:43:12 CET
Ubuntu has issued an advisory for this on February 22:
https://ubuntu.com/security/notices/USN-5301-1
Comment 2 Lewis Smith 2022-02-23 21:02:41 CET
A homeless SRPM necessitating global assignment for this update.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2022-02-24 11:27:59 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. (CVE-2022-24407)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
https://ubuntu.com/security/notices/USN-5301-1
========================

Updated packages in core/updates_testing:
========================
lib(64)sasl2-plug-srp-2.1.27-3.1.mga8
lib(64)sasl2-plug-gssapi-2.1.27-3.1.mga8
lib(64)sasl2-plug-otp-2.1.27-3.1.mga8
lib(64)sasl2_3-2.1.27-3.1.mga8
lib(64)sasl2-devel-2.1.27-3.1.mga8
lib(64)sasl2-plug-plain-2.1.27-3.1.mga8
lib(64)sasl2-plug-ldapdb-2.1.27-3.1.mga8
lib(64)sasl2-plug-digestmd5-2.1.27-3.1.mga8
lib(64)sasl2-plug-anonymous-2.1.27-3.1.mga8
lib(64)sasl2-plug-sqlite3-2.1.27-3.1.mga8
lib(64)sasl2-plug-scram-2.1.27-3.1.mga8
lib(64)sasl2-plug-mysql-2.1.27-3.1.mga8
lib(64)sasl2-plug-pgsql-2.1.27-3.1.mga8
lib(64)sasl2-plug-sasldb-2.1.27-3.1.mga8
lib(64)sasl2-plug-crammd5-2.1.27-3.1.mga8
lib(64)sasl2-plug-login-2.1.27-3.1.mga8
lib(64)sasl2-plug-ntlm-2.1.27-3.1.mga8
cyrus-sasl-2.1.27-3.1.mga8

from SRPM:
cyrus-sasl-2.1.27-3.1.mga8.src.rpm

Status comment: Fixed upstream in 2.1.28 => (none)
CVE: (none) => CVE-2022-24407
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Source RPM: cyrus-sasl-2.1.27-4.mga9.src.rpm => cyrus-sasl-2.1.27-3.mga8.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 8
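
Added example (not part of the bug report and not Cyrus SASL's code): a minimal C illustration of the bug class named in the advisory in Comment 3, a password placed into an UPDATE statement without escaping. The table and column names, the `alice` user and all function names are hypothetical; even a legitimate password containing an apostrophe changes the statement's structure unless it is escaped.

```c
#include <stdio.h>
#include <string.h>

/* Double each single quote (standard SQL literal escaping). Real plugins
 * should use the database driver's own escaping or bound parameters.
 * Returns the escaped length, or -1 if out is too small. */
int escape_sql_literal(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 2 : 1;
        if (o + need >= outsz) return -1;      /* keep room for the NUL */
        if (*in == '\'') out[o++] = '\'';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Count complete '...' literals; '' inside a literal is an escaped quote.
 * Returns -1 when a literal is left unterminated. */
int count_literals(const char *sql) {
    int in_lit = 0, n = 0;
    for (const char *p = sql; *p; p++) {
        if (*p != '\'') continue;
        if (in_lit && p[1] == '\'') { p++; continue; }
        if (in_lit) n++;
        in_lit = !in_lit;
    }
    return in_lit ? -1 : n;
}

/* Build a constructed UPDATE (hypothetical table/columns) and return the
 * number of string literals in it, or -1 if it does not fit or a literal
 * is left unterminated. */
int build_update(const char *password, int escape, char *out, size_t outsz) {
    char esc[256];
    const char *val = password;
    if (escape) {
        if (escape_sql_literal(password, esc, sizeof esc) < 0) return -1;
        val = esc;
    }
    int n = snprintf(out, outsz,
        "UPDATE users SET userPassword = '%s' WHERE username = 'alice'", val);
    return (n < 0 || (size_t)n >= outsz) ? -1 : count_literals(out);
}

int main(void) {
    char sql[512];
    printf("unescaped: %d literals\n", build_update("pa'ss", 0, sql, sizeof sql));
    printf("escaped:   %d literals -> %s\n", build_update("pa'ss", 1, sql, sizeof sql), sql);
    return 0;
}
```

A well-formed statement from this template always contains exactly two literals; any other result means the password value leaked out of its quotes.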

Comment 4 Herman Viaene 2022-02-24 15:03:08 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 25914 for testing.
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
     Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

# systemctl -l start saslauthd
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
     Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-02-24 14:55:40 CET; 9s ago
    Process: 15838 ExecStart=/usr/sbin/saslauthd -m /run/saslauthd -a $SASL_AUTHMECH $SASLAUTHD_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 15839 (saslauthd)
      Tasks: 5 (limit: 9397)
     Memory: 1.3M
        CPU: 4ms
     CGroup: /system.slice/saslauthd.service
             ├─15839 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             ├─15840 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             ├─15841 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             ├─15842 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             └─15843 /usr/sbin/saslauthd -m /run/saslauthd -a pam

feb 24 14:55:40 mach5.hviaene.thuis systemd[1]: Starting SASL authentication daemon....
feb 24 14:55:40 mach5.hviaene.thuis saslauthd[15839]:                 : master pid is: 15839
feb 24 14:55:40 mach5.hviaene.thuis saslauthd[15839]:                 : listening on socket: /run/saslauthd/mux
feb 24 14:55:40 mach5.hviaene.thuis systemd[1]: Started SASL authentication daemon..

Also wanted to test with smb
# mount -t cifs //mach1/beelden /mnt/beeldensmb/ -o username=herman
Password for herman@//mach1/beelden: 
The mount worked: I can see the share in dolphin, but
# smbtree -S
does not return anything at all. I don't get it.

CC: (none) => herman.viaene

Comment 5 David Walser 2022-03-09 17:53:20 CET
Fedora has issued an advisory for this on March 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
Comment 6 Thomas Andrews 2022-03-22 20:08:26 CET
I'm fumbling around in the dark on this, Herman, so I don't have a clue of what to tell you.

But, the stuff before the smb trial agrees with what your test in Bug 25914 showed. It was good enough for that update, so I'm going to hope it's good enough this time, too.

I'm going to send this on its way. I'm sure that if that's the wrong thing to do, someone will let us know.

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-03-23 00:30:21 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-03-23 09:37:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0111.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

