270261 – (CVE-2009-0688) <dev-libs/cyrus-sasl-2.1.23 sasl_encode64() Buffer overflow (CVE-2009-0688)

Bug 270261 (CVE-2009-0688) - <dev-libs/cyrus-sasl-2.1.23 sasl_encode64() Buffer overflow (CVE-2009-0688)

Summary: <dev-libs/cyrus-sasl-2.1.23 sasl_encode64() Buffer overflow (CVE-2009-0688)

Status:	RESOLVED FIXED

Alias:	CVE-2009-0688

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High critical (vote)
Assignee:	Gentoo Security

URL:	http://www.kb.cert.org/vuls/id/238019
Whiteboard:	A1? [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-05-18 09:23 UTC by Conrad Kostecki
Modified:	2009-07-12 17:51 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Conrad Kostecki gentoo-dev

2009-05-18 09:23:19 UTC

dev-libs/cyrus-sasl-2.1.23 is out!

This version includes a fix for a potential buffer 
overflow in sasl_encode64()

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2009-05-18 12:05:28 UTC

Quoting CERT:
The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.
II. Impact
A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2009-05-18 12:25:47 UTC

Note that the new release has changed ABI without changing SONAME revisions properly. This might lead to crashes in existing code.

Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev

2009-05-18 16:24:38 UTC

2.1.23 is in CVS. It's p.masked for now - it needs more testing (only thing i could test so far is the berkdb backend).

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2009-05-18 17:54:43 UTC

CVE-2009-0688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0688):
  Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23
  might allow remote attackers to execute arbitrary code or cause a
  denial of service (application crash) via strings that are used as
  input to the sasl_encode64 function in lib/saslutil.c.

Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev

2009-06-05 19:31:58 UTC

(In reply to comment #3)
> 2.1.23 is in CVS. It's p.masked for now - it needs more testing (only thing i
> could test so far is the berkdb backend).
> 

and now unmasked.

Comment 6 Alex Legler (RETIRED) archtester

2009-06-08 15:03:18 UTC

Let's call arches on the 10th.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2009-06-25 01:05:13 UTC

Arches, please test and mark stable:
=dev-libs/cyrus-sasl-2.1.23
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev

2009-06-25 11:32:57 UTC

 * Applying cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz ...

 * Failed Patch: cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz !
 *  ( /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/23295.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz-23295.out

 *

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2009-06-25 13:57:55 UTC

(In reply to comment #8)
>  * Applying cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz ...

I think the "support" in USE=ntlm_unsupported_patch means "security support". ;)

Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev

2009-06-25 16:27:43 UTC

(In reply to comment #8)
>  * Applying cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz ...
> 
>  * Failed Patch: cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz !
>  *  ( /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/23295.patch )
>  *
>  * Include in your bugreport the contents of:
>  *
>  *  
> /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz-23295.out
> 
>  *
> 
There's a bug about that, i'll try to fix it soonish (well, it worked for me?!?!? - *shrugs*)

Comment 11 Jeroen Roovers (RETIRED) gentoo-dev

2009-06-25 18:43:50 UTC

Stable for HPPA.

Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev

2009-06-25 19:31:22 UTC

(In reply to comment #10)
> There's a bug about that, i'll try to fix it soonish (well, it worked for
> me?!?!? - *shrugs*)
> 

Fixed in CVS.

Comment 13 Christian Faulhammer (RETIRED) gentoo-dev

2009-06-26 13:31:56 UTC

(In reply to comment #12)
> (In reply to comment #10)
> > There's a bug about that, i'll try to fix it soonish (well, it worked for
> > me?!?!? - *shrugs*)
> > 
> 
> Fixed in CVS.
> 

 I cannot find that fix.

Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev

2009-06-26 16:04:25 UTC

(In reply to comment #13)
>  I cannot find that fix.

Args. Now it's really fixed.

Comment 15 Tobias Klausmann (RETIRED) gentoo-dev

2009-06-26 19:44:07 UTC

Stable on alpha.

Comment 16 Christian Faulhammer (RETIRED) gentoo-dev

2009-06-27 09:29:32 UTC

x86 stable

Comment 17 Brent Baude (RETIRED) gentoo-dev

2009-06-27 12:59:19 UTC

ppc64 done

Comment 18 Brent Baude (RETIRED) gentoo-dev

2009-06-27 12:59:25 UTC

ppc done

Comment 19 Richard Freeman gentoo-dev

2009-06-27 21:51:20 UTC

amd64 done

Comment 20 Raúl Porcel (RETIRED) gentoo-dev

2009-06-30 13:35:47 UTC

arm/ia64/s390/sh/sparc stable

Comment 21 Robert Buchholz (RETIRED) gentoo-dev

2009-07-12 17:51:06 UTC

GLSA 200907-09