Bug 561566 - dev-libs/cyrus-sasl-2.1.26 DoS Vulnerability (CVE-2013-4122)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Reported: 2015-09-26 14:47 UTC by Sam Jorna (wraeth)
Modified: 2015-09-26 14:48 UTC
Description Sam Jorna (wraeth) gentoo-dev 2015-09-26 14:47:10 UTC
From NVD:
Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
Comment 1 Sam Jorna (wraeth) gentoo-dev 2015-09-26 14:48:50 UTC
Further searching showed this to have been already addressed, sorry for the noise.
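
The failure mode in the NVD description, shown as an added example that is not part of this bug report or of Cyrus SASL's code: a password check that treats a failed hash as an error instead of passing NULL to `strcmp`. `crypt_fn`, `check_password` and `fake_crypt` are hypothetical names; `fake_crypt` is a constructed stand-in for crypt(3) so the block runs without libcrypt, and the `'*'` check for implementations that return a failure token instead of NULL goes beyond the case on this page.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the check can be exercised offline. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Returns 1 on match, 0 on mismatch, -1 when the hash could not be computed. */
int check_password(crypt_fn hash, const char *password, const char *stored)
{
    if (hash == NULL || password == NULL || stored == NULL)
        return -1;

    /* The unchecked form, strcmp(hash(password, stored), stored),
       dereferences NULL whenever hashing fails. */
    const char *computed = hash(password, stored);
    if (computed == NULL)
        return -1;              /* error return, e.g. invalid salt */
    if (computed[0] == '*')
        return -1;              /* failure token used by some implementations */

    return strcmp(computed, stored) == 0 ? 1 : 0;
}

/* Constructed stand-in for crypt(3), not a real hash: it accepts only the
   made-up "$t$" prefix and returns NULL for any other salt, which is the
   error behaviour the description attributes to glibc 2.17 and later. */
static char *fake_crypt(const char *key, const char *salt)
{
    static char out[64];
    if (strncmp(salt, "$t$", 3) != 0)
        return NULL;
    snprintf(out, sizeof out, "$t$%s", key);
    return out;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("match:        %d\n", check_password(fake_crypt, "secret", "$t$secret"));
    printf("mismatch:     %d\n", check_password(fake_crypt, "wrong", "$t$secret"));
    printf("invalid salt: %d\n", check_password(fake_crypt, "secret", "!!"));
    return 0;
}
```

A caller should treat -1 as an authentication failure and log it separately from an ordinary mismatch, since repeated hashing errors point at malformed stored hashes or a policy restriction such as FIPS mode.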