
Bug 561566

Summary: dev-libs/cyrus-sasl-2.1.26 DoS Vulnerability (CVE-2013-4122)
Product: Gentoo Security
Reporter: Sam Jorna (wraeth) <wraeth>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/536548 , https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784112 , https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4122
Whiteboard:
Package list:
Runtime testing required: ---

Description Sam Jorna (wraeth) gentoo-dev 2015-09-26 14:47:10 UTC
From NVD:
Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
Comment 1 Sam Jorna (wraeth) gentoo-dev 2015-09-26 14:48:50 UTC
Further searching showed this to have been already addressed, sorry for the noise.
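
The failure the NVD text describes, crypt returning NULL for an invalid salt and the caller using the result unchecked, shown as an added example that is not Cyrus SASL code and not part of this bug report. `crypt_fn`, `stub_crypt` and both `check_password_*` functions are hypothetical names; the stub stands in for glibc's crypt so the block builds without libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3). Passing it in is an assumption of this example
 * so the block builds without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(3) on glibc 2.17 and later: returns NULL
 * when the salt is invalid. The digest is a toy checksum, not a real hash. */
char *stub_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    static char out[32];
    unsigned int h = 5381;
    if (strlen(salt) < 2 || !strchr(ok, salt[0]) || !strchr(ok, salt[1]))
        return NULL;
    for (; *key; key++)
        h = h * 33u + (unsigned char)*key;
    snprintf(out, sizeof out, "%c%c%08x", salt[0], salt[1], h);
    return out;
}

/* Pattern from the NVD text: the result is used without a NULL check, so an
 * invalid salt ends in strcmp(NULL, ...) and the worker thread crashes. */
int check_password_unchecked(crypt_fn do_crypt, const char *pw, const char *stored)
{
    return strcmp(do_crypt(pw, stored), stored) == 0;
}

/* Checked form: NULL from crypt is a failed login, reported as -1 so the
 * caller can log it separately from a plain mismatch (0). */
int check_password_checked(crypt_fn do_crypt, const char *pw, const char *stored)
{
    const char *h = do_crypt(pw, stored);
    if (h == NULL)
        return -1;
    return strcmp(h, stored) == 0;
}

int main(void)
{
    char stored[32];
    strcpy(stored, stub_crypt("secret", "ab"));  /* constructed sample entry */
    printf("match=%d bad-salt=%d\n",
           check_password_checked(stub_crypt, "secret", stored),
           check_password_checked(stub_crypt, "secret", "!!invalid"));
    return 0;
}
```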