[Pkg-sogo-maintainers] Bug#1136070: trixie-pu: package sogo/5.12.1-3+deb13u2
Peter Wienemann
wiene at debian.org
Sat May 9 07:41:13 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: sogo at packages.debian.org, team at security.debian.org
Control: affects -1 + src:sogo
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
This applies a security fix introduced by upstream release
5.12.7 to version 5.12.1 distributed with Trixie. I am not aware of any
CVE identifier for it. Upstream recommends to update immediately
provided one of the following setups is used [0]:
1. At least one user source is a PostgreSQL database.
2. a) At least one user source is an SQL database (MariaDB or PostgreSQL)
b) Passwords are stored in plain text
[ Impact ]
Unfortunately upstream does not provide any information on what type of
issue is addressed and what the implications are. Luckily there are only
four non-merge commits between version 5.12.6 and 5.12.7 and two of them
handle i18n stuff. Combining the information in the release notes with the
commit history, I consider it highly likely that the relevant commit fixing
the issue referred to above is [1]. I am not familiar enough with the
codebase to fully understand all details of this commit but it seems that
at least part of the fix addresses a (second order) SQL injection
vulnerability in the credentials handling part of the code.
[ Tests ]
Given the uncertainties mentioned above, it is difficult to perform
meaningful tests to verify that the patched version actually fixes the
issue.
I am running version 5.12.7 provided by upstream for a couple of weeks
in production - without any issues, but I did not have a vulnerable
setup (user source is LDAP rather than SQL database). Therefore this is
only of limited informative value.
[ Risks ]
As indicated in the patch header, the applied patch is cherry-picked from
the upstream repository. Upstream distributes the fix for more than a month
now. Therefore I consider it likely that it has already been deployed by a
sizable number of sites obtaining packages from upstream.
Given the urgency of the warning in the release notes doing nothing obviously
also comes with a risk for affected sites.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Applying changes from upstream commit [1] as explained above.
[ Other info ]
After a discussion with a security team member it was suggested to address
this issue via an upload to s-p-u.
I do not plan to address the issue in bookworm (which is also vulnerable)
because the upstream fix cannot be applied to version 5.8.0 without adaptions.
Given the test situation described above I do not want to blindly backport it.
Best regards,
Peter
[0] https://www.sogo.nu/news/2026/sogo-v5127-released.html
[1] https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21
-------------- next part --------------
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog 2025-12-31 11:33:39.000000000 +0100
+++ sogo-5.12.1/debian/changelog 2026-05-08 16:18:12.000000000 +0200
@@ -1,3 +1,10 @@
+sogo (5.12.1-3+deb13u2) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Add patch to ensure proper SQL adaptor is used for user source
+
+ -- Peter Wienemann <wiene at debian.org> Fri, 08 May 2026 16:18:12 +0200
+
sogo (5.12.1-3+deb13u1) trixie; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru sogo-5.12.1/debian/patches/fix-sql-use-proper-sql-adaptor-for-usr-source.patch sogo-5.12.1/debian/patches/fix-sql-use-proper-sql-adaptor-for-usr-source.patch
--- sogo-5.12.1/debian/patches/fix-sql-use-proper-sql-adaptor-for-usr-source.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/fix-sql-use-proper-sql-adaptor-for-usr-source.patch 2026-05-08 16:18:12.000000000 +0200
@@ -0,0 +1,176 @@
+From: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Tue, 24 Mar 2026 15:26:37 +0100
+Subject: fix(sql): use proper sql adaptor for usr source
+
+Origin: https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21.diff
+---
+ SoObjects/SOGo/SQLSource.m | 70 ++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 49 insertions(+), 21 deletions(-)
+
+diff --git a/SoObjects/SOGo/SQLSource.m b/SoObjects/SOGo/SQLSource.m
+index 93e8a81..2a4a950 100644
+--- a/SoObjects/SOGo/SQLSource.m
++++ b/SoObjects/SOGo/SQLSource.m
+@@ -225,9 +225,16 @@
+ */
+ - (NSString *) _encryptPassword: (NSString *) plainPassword
+ {
+- NSString *pass;
++ NSString *pass, *passwordScheme;
+ NSString* result;
+
++ // if ([_userPasswordAlgorithm caseInsensitiveCompare: @"none"] == NSOrderedSame ||
++ // [_userPasswordAlgorithm caseInsensitiveCompare: @"plain"] == NSOrderedSame ||
++ // [_userPasswordAlgorithm caseInsensitiveCompare: @"cleartext"] == NSOrderedSame)
++ // {
++ // pass = [pass stringByReplacingString: @"'" withString: @"''"];
++ // }
++
+ pass = [plainPassword asCryptedPassUsingScheme: _userPasswordAlgorithm
+ keyPath: _keyPath];
+
+@@ -272,6 +279,7 @@
+ grace: (int *) _grace
+ disablepasswordPolicyCheck: (BOOL) _disablepasswordPolicyCheck
+ {
++ EOAdaptor *adaptor;
+ EOAdaptorChannel *channel;
+ EOQualifier *qualifier;
+ GCSChannelManager *cm;
+@@ -281,11 +289,13 @@
+
+ rc = NO;
+
+- _login = [_login stringByReplacingString: @"'" withString: @"''"];
+ cm = [GCSChannelManager defaultChannelManager];
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
+ if (_loginFields)
+ {
+ NSMutableArray *qualifiers;
+@@ -324,7 +334,8 @@
+ nil];
+ [qualifier autorelease];
+ }
+- [qualifier appendSQLToString: sql];
++ [qualifier appendSQLToString: sql
++ withAdaptor: adaptor];
+
+ ex = [channel evaluateExpressionX: sql];
+ if (!ex)
+@@ -430,9 +441,11 @@
+ {
+ BOOL didChange, isOldPwdOk, isPolicyOk;
+ EOAdaptorChannel *channel;
++ EOAdaptor *adaptor;
++ EOQualifier *qualifier_login, *qualifier_pwd;
+ GCSChannelManager *cm;
+ NSException *ex;
+- NSString *sqlstr;
++ NSMutableString *sqlstr;
+
+ *perr = -1;
+ isOldPwdOk = NO;
+@@ -455,16 +468,28 @@
+ return NO;
+
+ // Save new password
+- login = [login stringByReplacingString: @"'" withString: @"''"];
++ // login = [login stringByReplacingString: @"'" withString: @"''"];
+ cm = [GCSChannelManager defaultChannelManager];
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
+- sqlstr = [NSString stringWithFormat: (@"UPDATE %@"
+- @" SET c_password = '%@'"
+- @" WHERE c_uid = '%@'"),
+- [_viewURL gcsTableName], encryptedPassword, login];
+-
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
++ sqlstr = [NSMutableString stringWithFormat: @"UPDATE %@ SET ",
++ [_viewURL gcsTableName]];
++
++ qualifier_pwd = [[EOKeyValueQualifier alloc] initWithKey: @"c_password"
++ operatorSelector: EOQualifierOperatorEqual
++ value: encryptedPassword];
++ [qualifier_pwd appendSQLToString: sqlstr
++ withAdaptor: adaptor];
++ [sqlstr appendString: @" WHERE "];
++ qualifier_login = [[EOKeyValueQualifier alloc] initWithKey: @"c_uid"
++ operatorSelector: EOQualifierOperatorEqual
++ value: login];
++ [qualifier_login appendSQLToString: sqlstr
++ withAdaptor: adaptor];
+ ex = [channel evaluateExpressionX: sqlstr];
+ if (!ex)
+ {
+@@ -998,7 +1023,9 @@
+ inDomain: (NSString *)domain
+ limit: (int)limit
+ {
++ EOAdaptor *adaptor;
+ EOAdaptorChannel *channel;
++ EOQualifier *qualifier;
+ NSEnumerator *criteriaList;
+ NSMutableArray *fields, *results;
+ GCSChannelManager *cm;
+@@ -1014,12 +1041,14 @@
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
+ fields = [NSMutableArray array];
+ if ([filter length])
+ {
+- lowerFilter = [filter lowercaseString];
+- lowerFilter = [lowerFilter asSafeSQLLikeString];
+- filterFormat = [NSString stringWithFormat: @"LOWER(%%@) LIKE '%%%%%@%%%%'", lowerFilter];
++ filter = [[filter asSafeSQLString] stringByReplacingString: @"\%" withString: @"%%"];
++ filterFormat = [NSString stringWithFormat: @"(%%@ isCaseInsensitiveLike: '*%@*')", filter];
+ if (criteria)
+ criteriaList = [criteria objectEnumerator];
+ else
+@@ -1044,7 +1073,9 @@
+ if ([fields count])
+ {
+ qs = [[[fields uniqueObjects] stringsWithFormat: filterFormat] componentsJoinedByString: @" OR "];
+- [sql appendString: qs];
++ qualifier = [EOQualifier qualifierWithQualifierFormat: qs];
++ [qualifier appendSQLToString: sql
++ withAdaptor: adaptor];
+ }
+ else
+ [sql appendString: @"1 = 1"];
+@@ -1108,7 +1139,7 @@
+ andSortOrdering: (EOSortOrdering *) ordering
+ inDomain: (NSString *) domain
+ {
+- static EOAdaptor *adaptor = nil;
++ EOAdaptor *adaptor;
+ NSException *ex;
+ NSMutableArray *results;
+ NSMutableString *sql;
+@@ -1123,12 +1154,9 @@
+ channel = [cm acquireOpenChannelForURL: _viewURL];
+ if (channel)
+ {
+- if (!adaptor)
+- {
+- EOAdaptorContext *adaptorCtx;
+- adaptorCtx = [channel adaptorContext];
+- adaptor = [adaptorCtx adaptor];
+- }
++ EOAdaptorContext *adaptorCtx;
++ adaptorCtx = [channel adaptorContext];
++ adaptor = [adaptorCtx adaptor];
+ sql = [NSMutableString stringWithFormat: @"SELECT c_name FROM %@ WHERE (", [_viewURL gcsTableName]];
+
+ if (qualifier)
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series 2025-12-31 11:33:39.000000000 +0100
+++ sogo-5.12.1/debian/patches/series 2026-05-08 16:18:12.000000000 +0200
@@ -17,3 +17,4 @@
upstream_use_openid_libcurl.patch
CVE-2025-63499.patch
CVE-2025-63498.patch
+fix-sql-use-proper-sql-adaptor-for-usr-source.patch
More information about the Pkg-sogo-maintainers
mailing list