
Bug 270261 (CVE-2009-0688)

Summary: <dev-libs/cyrus-sasl-2.1.23 sasl_encode64() Buffer overflow (CVE-2009-0688)
Product: Gentoo Security
Reporter: Conrad Kostecki <conikost>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: net-mail+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.kb.cert.org/vuls/id/238019
Whiteboard: A1? [glsa]
Package list:
Runtime testing required: ---

Description Conrad Kostecki gentoo-dev 2009-05-18 09:23:19 UTC
dev-libs/cyrus-sasl-2.1.23 is out!

This version includes a fix for a potential buffer overflow in sasl_encode64().
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 12:05:28 UTC
Quoting CERT:
The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.
II. Impact
A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.
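
The CERT text above describes overflows that come from how callers use a base64 encoder. As an added illustration (not code from Cyrus SASL or from this bug report), the sketch below shows the defensive pattern: compute the worst-case output size, 4 bytes per 3 input bytes plus a terminating NUL, and refuse to write when the caller's buffer is smaller. The names `b64_required` and `b64_encode_bounded` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: bytes needed to base64-encode inlen bytes,
 * including the trailing NUL. Returns 0 if the size would overflow. */
size_t b64_required(size_t inlen)
{
    size_t groups = inlen / 3 + (inlen % 3 != 0);
    if (groups > (SIZE_MAX - 1) / 4)
        return 0;
    return groups * 4 + 1;
}

/* Bounded encoder: never writes more than outmax bytes and always
 * NUL-terminates on success. Returns 0 on success, -1 on refusal. */
int b64_encode_bounded(const unsigned char *in, size_t inlen,
                       char *out, size_t outmax, size_t *outlen)
{
    static const char tab[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = b64_required(inlen);
    size_t i = 0, o = 0;

    if (need == 0 || in == NULL || out == NULL || outmax < need)
        return -1;                  /* refuse instead of truncating */

    while (inlen - i >= 3) {        /* full 3-byte groups */
        out[o++] = tab[in[i] >> 2];
        out[o++] = tab[((in[i] & 0x03) << 4) | (in[i + 1] >> 4)];
        out[o++] = tab[((in[i + 1] & 0x0f) << 2) | (in[i + 2] >> 6)];
        out[o++] = tab[in[i + 2] & 0x3f];
        i += 3;
    }
    if (inlen - i == 1) {           /* one trailing byte: two pad chars */
        out[o++] = tab[in[i] >> 2];
        out[o++] = tab[(in[i] & 0x03) << 4];
        out[o++] = '=';
        out[o++] = '=';
    } else if (inlen - i == 2) {    /* two trailing bytes: one pad char */
        out[o++] = tab[in[i] >> 2];
        out[o++] = tab[((in[i] & 0x03) << 4) | (in[i + 1] >> 4)];
        out[o++] = tab[(in[i + 1] & 0x0f) << 2];
        out[o++] = '=';
    }
    out[o] = '\0';                  /* room for this is guaranteed by need */
    if (outlen != NULL)
        *outlen = o;
    return 0;
}
```

A caller sizes its buffer with `b64_required()` and treats a `-1` return as a hard error rather than using the buffer contents.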
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 12:25:47 UTC
Note that the new release has changed ABI without changing SONAME revisions properly. This might lead to crashes in existing code.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-18 16:24:38 UTC
2.1.23 is in CVS. It's p.masked for now - it needs more testing (only thing i could test so far is the berkdb backend).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 17:54:43 UTC
CVE-2009-0688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0688):
  Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23
  might allow remote attackers to execute arbitrary code or cause a
  denial of service (application crash) via strings that are used as
  input to the sasl_encode64 function in lib/saslutil.c.

Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2009-06-05 19:31:58 UTC
(In reply to comment #3)
> 2.1.23 is in CVS. It's p.masked for now - it needs more testing (only thing i
> could test so far is the berkdb backend).
> 

and now unmasked.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-08 15:03:18 UTC
Let's call arches on the 10th.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-06-25 01:05:13 UTC
Arches, please test and mark stable:
=dev-libs/cyrus-sasl-2.1.23
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-25 11:32:57 UTC
 * Applying cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz ...

 * Failed Patch: cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz !
 *  ( /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/23295.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz-23295.out

 *
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-25 13:57:55 UTC
(In reply to comment #8)
>  * Applying cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz ...

I think the "support" in USE=ntlm_unsupported_patch means "security support". ;)
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2009-06-25 16:27:43 UTC
(In reply to comment #8)
>  * Applying cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz ...
> 
>  * Failed Patch: cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz !
>  *  ( /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/23295.patch )
>  *
>  * Include in your bugreport the contents of:
>  *
>  *   /var/tmp/portage/dev-libs/cyrus-sasl-2.1.23/temp/cyrus-sasl-2.1.22-ntlm_impl-spnego.patch.gz-23295.out
> 
>  *
> 
There's a bug about that, i'll try to fix it soonish (well, it worked for me?!?!? - *shrugs*)
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-25 18:43:50 UTC
Stable for HPPA.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-06-25 19:31:22 UTC
(In reply to comment #10)
> There's a bug about that, i'll try to fix it soonish (well, it worked for
> me?!?!? - *shrugs*)
> 

Fixed in CVS.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-26 13:31:56 UTC
(In reply to comment #12)
> (In reply to comment #10)
> > There's a bug about that, i'll try to fix it soonish (well, it worked for
> > me?!?!? - *shrugs*)
> > 
> 
> Fixed in CVS.
> 

 I cannot find that fix.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2009-06-26 16:04:25 UTC
(In reply to comment #13)
>  I cannot find that fix.

Args. Now it's really fixed. 

Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-26 19:44:07 UTC
Stable on alpha.
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-27 09:29:32 UTC
x86 stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-06-27 12:59:19 UTC
ppc64 done
Comment 18 Brent Baude (RETIRED) gentoo-dev 2009-06-27 12:59:25 UTC
ppc done
Comment 19 Richard Freeman gentoo-dev 2009-06-27 21:51:20 UTC
amd64 done
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 13:35:47 UTC
arm/ia64/s390/sh/sparc stable
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:51:06 UTC
GLSA 200907-09