366605 – (CVE-2011-1720) <mail-mta/postfix-{2.7.4,2.8.3}: Memory corruption in Cyrus SASL support (CVE-2011-1720)

Bug 366605 (CVE-2011-1720) - <mail-mta/postfix-{2.7.4,2.8.3}: Memory corruption in Cyrus SASL support (CVE-2011-1720)

Summary: <mail-mta/postfix-{2.7.4,2.8.3}: Memory corruption in Cyrus SASL support (CVE...

Status:	RESOLVED FIXED

Alias:	CVE-2011-1720

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://www.postfix.org/CVE-2011-1720....
Whiteboard:	A1 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-05-09 15:18 UTC by Michael Orlitzky
Modified:	2012-06-25 19:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2011-05-09 15:18:40 UTC

Announced on the mailing list this morning:

  The Postfix SMTP server has a memory corruption error when the Cyrus
  SASL library is used with authentication mechanisms other than PLAIN
  and LOGIN (the ANONYMOUS mechanism is unaffected but should not be
  enabled for different reasons). See below for instructions to
  determine what systems are affected.

  ...

  The problem is fixed in Postfix stable releases 2.5.13, 2.6.10,
  2.7.4, 2.8.3; in the Postfix 2.9 development release as of May 1,
  2011; patches exist for Postfix version 1.1 and later. All this is
  available from Postfix mirrors at http://www.postfix.org/download.html.

The full summary is supposed to be online at,

  http://www.postfix.org/CVE-2011-1720.html

but doesn't appear to have been posted yet. In the meantime, you can reference,

  http://article.gmane.org/gmane.mail.postfix.announce/127

Comment 1 Tim Sammut (RETIRED) gentoo-dev

2011-05-09 15:52:17 UTC

@net-mail, 2.8.3 is fixed and in tree, but would you rather add 2.7.4 and stabilize that? Thank you.

Comment 2 Eray Aslan gentoo-dev

2011-05-10 05:18:33 UTC

Please stabilize =mail-mta/postfix-2.7.4.  Thank you.

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2011-05-10 05:20:46 UTC

(In reply to comment #2)
> Please stabilize =mail-mta/postfix-2.7.4.  Thank you.

Great, thanks.

Arches, please test and mark stable:
=mail-mta/postfix-2.7.4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 4 Agostino Sarubbo gentoo-dev

2011-05-10 11:21:48 UTC

amd64 ok

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-05-10 12:21:56 UTC

x86 stable

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2011-05-11 16:58:52 UTC

Stable for HPPA.

Comment 7 Markos Chandras (RETIRED) gentoo-dev

2011-05-11 18:20:38 UTC

amd64 done. Thanks Agostino

Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-05-14 16:21:41 UTC

ppc/ppc64 stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2011-05-14 19:29:03 UTC

alpha/arm/ia64/s390/sh/sparc stable

Comment 10 Tim Sammut (RETIRED) gentoo-dev

2011-05-14 20:01:13 UTC

Thanks folks, GLSA request exists.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2011-06-13 20:27:57 UTC

CVE-2011-1720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1720):
  The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before
  2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication
  methods are enabled, does not create a new server handle after client
  authentication fails, which allows remote attackers to cause a denial of
  service (heap memory corruption and daemon crash) or possibly execute
  arbitrary code via an invalid AUTH command with one method followed by an
  AUTH command with a different method.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2012-06-25 19:11:30 UTC

This issue was resolved and addressed in
 GLSA 201206-33 at http://security.gentoo.org/glsa/glsa-201206-33.xml
by GLSA coordinator Stefan Behte (craig).