Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366605 (CVE-2011-1720) - <mail-mta/postfix-{2.7.4,2.8.3}: Memory corruption in Cyrus SASL support (CVE-2011-1720)
Summary: <mail-mta/postfix-{2.7.4,2.8.3}: Memory corruption in Cyrus SASL support (CVE...
Alias: CVE-2011-1720
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on:
Reported: 2011-05-09 15:18 UTC by Michael Orlitzky
Modified: 2012-06-25 19:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2011-05-09 15:18:40 UTC
Announced on the mailing list this morning:

  The Postfix SMTP server has a memory corruption error when the Cyrus
  SASL library is used with authentication mechanisms other than PLAIN
  and LOGIN (the ANONYMOUS mechanism is unaffected but should not be
  enabled for different reasons). See below for instructions to
  determine what systems are affected.


  The problem is fixed in Postfix stable releases 2.5.13, 2.6.10,
  2.7.4, 2.8.3; in the Postfix 2.9 development release as of May 1,
  2011; patches exist for Postfix version 1.1 and later. All this is
  available from Postfix mirrors at

The full summary is supposed to be online at,

but doesn't appear to have been posted yet. In the meantime, you can reference,
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-05-09 15:52:17 UTC
@net-mail, 2.8.3 is fixed and in tree, but would you rather add 2.7.4 and stabilize that? Thank you.
Comment 2 Eray Aslan gentoo-dev 2011-05-10 05:18:33 UTC
Please stabilize =mail-mta/postfix-2.7.4.  Thank you.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-05-10 05:20:46 UTC
(In reply to comment #2)
> Please stabilize =mail-mta/postfix-2.7.4.  Thank you.

Great, thanks.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-05-10 11:21:48 UTC
amd64 ok
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-10 12:21:56 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-11 16:58:52 UTC
Stable for HPPA.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-05-11 18:20:38 UTC
amd64 done. Thanks Agostino
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 16:21:41 UTC
ppc/ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-05-14 19:29:03 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 20:01:13 UTC
Thanks folks, GLSA request exists.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 20:27:57 UTC
CVE-2011-1720 (
  The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before
  2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication
  methods are enabled, does not create a new server handle after client
  authentication fails, which allows remote attackers to cause a denial of
  service (heap memory corruption and daemon crash) or possibly execute
  arbitrary code via an invalid AUTH command with one method followed by an
  AUTH command with a different method.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:11:30 UTC
This issue was resolved and addressed in
 GLSA 201206-33 at
by GLSA coordinator Stefan Behte (craig).