Debian Bug report logs - #528749
Cyrus SASL library buffer overflow vulnerability

version graph

Package: cyrus-sasl2; Maintainer for cyrus-sasl2 is Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>;

Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Fri, 15 May 2009 08:54:05 UTC

Severity: serious

Tags: security

Found in version 2.1.22.dfsg1-8

Fixed in version cyrus-sasl2/2.1.23.dfsg1-1

Done: Fabian Fagerholm <fabbe@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>:
Bug#528749; Package cyrus-sasl2. (Fri, 15 May 2009 08:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>. (Fri, 15 May 2009 08:54:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: Cyrus SASL library buffer overflow vulnerability
Date: Fri, 15 May 2009 10:49:40 +0200
Package: cyrus-sasl2
Severity: serious
Tags: security


Hi,

The following vulnerability has been published for Cyrus SASL:

Cyrus SASL library buffer overflow vulnerability

Overview

The Cyrus SASL library contains a buffer overflow vulnerability that could
allow an attacker to execute code or cause a vulnerable program to crash.

I. Description
SASL (Simple Authentication and Security Layer) is a method for adding
authentication support to various protocols. SASL is commonly used by mail
servers to request authentication from clients and by clients to
authenticate to servers.

The sasl_encode64() function converts a string into base64. The Cyrus SASL
library contains buffer overflows that occur because of unsafe use of the
sasl_encode64() function.

II. Impact
A remote attacker might be able to execute code, or cause any programs
relying on SASL to crash or be unavailable.

III. Solution: Upgrade
Cyrus SASL 2.1.23 has been released to address this issue. Before
releasing fixed binaries, maintainers are encouraged to review the Cyrus
vendor statement associated with this note.

See also: http://www.kb.cert.org/vuls/id/RGII-7RYLZQ

This is CVE-2009-0688 and VU#238019.
Please mention these references in your changelogs.

Can you provide updated packages for sid, and assess whether etch/lenny
are affected?


thanks,
Thijs





Bug marked as found in version 2.1.22.dfsg1-8. Request was from Fabian Fagerholm <fabbe@paniq.net> to control@bugs.debian.org. (Sun, 24 May 2009 09:06:12 GMT) Full text and rfc822 format available.

Reply sent to Fabian Fagerholm <fabbe@debian.org>:
You have taken responsibility. (Sun, 24 May 2009 18:39:11 GMT) Full text and rfc822 format available.

Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 24 May 2009 18:39:11 GMT) Full text and rfc822 format available.

Message #12 received at 528749-close@bugs.debian.org (full text, mbox):

From: Fabian Fagerholm <fabbe@debian.org>
To: 528749-close@bugs.debian.org
Subject: Bug#528749: fixed in cyrus-sasl2 2.1.23.dfsg1-1
Date: Sun, 24 May 2009 18:17:07 +0000
Source: cyrus-sasl2
Source-Version: 2.1.23.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
cyrus-sasl2, which is due to be installed in the Debian FTP archive:

cyrus-sasl2-dbg_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.23.dfsg1-1_i386.deb
cyrus-sasl2-doc_2.1.23.dfsg1-1_all.deb
  to pool/main/c/cyrus-sasl2/cyrus-sasl2-doc_2.1.23.dfsg1-1_all.deb
cyrus-sasl2_2.1.23.dfsg1-1.diff.gz
  to pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.23.dfsg1-1.diff.gz
cyrus-sasl2_2.1.23.dfsg1-1.dsc
  to pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.23.dfsg1-1.dsc
cyrus-sasl2_2.1.23.dfsg1.orig.tar.gz
  to pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.23.dfsg1.orig.tar.gz
libsasl2-2_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-2_2.1.23.dfsg1-1_i386.deb
libsasl2-dev_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-dev_2.1.23.dfsg1-1_i386.deb
libsasl2-modules-gssapi-mit_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.23.dfsg1-1_i386.deb
libsasl2-modules-ldap_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.23.dfsg1-1_i386.deb
libsasl2-modules-otp_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.23.dfsg1-1_i386.deb
libsasl2-modules-sql_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.23.dfsg1-1_i386.deb
libsasl2-modules_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/libsasl2-modules_2.1.23.dfsg1-1_i386.deb
sasl2-bin_2.1.23.dfsg1-1_i386.deb
  to pool/main/c/cyrus-sasl2/sasl2-bin_2.1.23.dfsg1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528749@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Fagerholm <fabbe@debian.org> (supplier of updated cyrus-sasl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 24 May 2009 20:56:01 +0300
Source: cyrus-sasl2
Binary: sasl2-bin cyrus-sasl2-doc libsasl2-2 libsasl2-modules libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql libsasl2-modules-gssapi-mit libsasl2-dev cyrus-sasl2-dbg
Architecture: source all i386
Version: 2.1.23.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Fabian Fagerholm <fabbe@debian.org>
Changed-By: Fabian Fagerholm <fabbe@debian.org>
Description: 
 cyrus-sasl2-dbg - Cyrus SASL - debugging symbols
 cyrus-sasl2-doc - Cyrus SASL - documentation
 libsasl2-2 - Cyrus SASL - authentication abstraction library
 libsasl2-dev - Cyrus SASL - development files for authentication abstraction lib
 libsasl2-modules - Cyrus SASL - pluggable authentication modules
 libsasl2-modules-gssapi-mit - Cyrus SASL - pluggable authentication modules (GSSAPI)
 libsasl2-modules-ldap - Cyrus SASL - pluggable authentication modules (LDAP)
 libsasl2-modules-otp - Cyrus SASL - pluggable authentication modules (OTP)
 libsasl2-modules-sql - Cyrus SASL - pluggable authentication modules (SQL)
 sasl2-bin  - Cyrus SASL - administration programs for SASL users database
Closes: 528749
Changes: 
 cyrus-sasl2 (2.1.23.dfsg1-1) unstable; urgency=high
 .
   * New upstream release
     - Security fix for CVE-2009-0688 (Closes: #528749).
     - debian/patches/0020_saslauthd_manpage.dpatch: Remove, integrated
       upstream.
     - debian/rules: Change chrpath invocation to match new version number of
       libsql.so.
Checksums-Sha1: 
 3517d69615bde721ddafadc6e4915a6f4df98bfd 1889 cyrus-sasl2_2.1.23.dfsg1-1.dsc
 b2543c780833c4e67edb0d7318eeb4a26d0bc39c 1415183 cyrus-sasl2_2.1.23.dfsg1.orig.tar.gz
 83eaa2643598dd2a140004aad4d78055948f432d 91788 cyrus-sasl2_2.1.23.dfsg1-1.diff.gz
 7241070fbe1222bf4866c2db06753ac91ced8512 104436 cyrus-sasl2-doc_2.1.23.dfsg1-1_all.deb
 d11c51685c12ad7fb946abb4e179c1e3c0c98deb 146550 sasl2-bin_2.1.23.dfsg1-1_i386.deb
 393e313854a0494474e05b7a29df079197ba6a13 106774 libsasl2-2_2.1.23.dfsg1-1_i386.deb
 ae228ce1a8f296b1cbbfa893597a9017f39864cd 147048 libsasl2-modules_2.1.23.dfsg1-1_i386.deb
 9760498d8dcb48c820e2c8b863d9173f3b9b0d24 58056 libsasl2-modules-ldap_2.1.23.dfsg1-1_i386.deb
 134bb97f98c0e8c4cc469c2fdb2dbac575ed5840 76494 libsasl2-modules-otp_2.1.23.dfsg1-1_i386.deb
 1b9346df497744d3159aa469084f4b1690b9a507 64786 libsasl2-modules-sql_2.1.23.dfsg1-1_i386.deb
 1f6f9aa5c0266e6829a8bf809ee8c8b4c7044442 66078 libsasl2-modules-gssapi-mit_2.1.23.dfsg1-1_i386.deb
 5f2ec6c6753af2436c237a9364ee5e2f33b39ff8 259852 libsasl2-dev_2.1.23.dfsg1-1_i386.deb
 b36701d5d11d07d9dc152cf93fe02819d59d68b8 573834 cyrus-sasl2-dbg_2.1.23.dfsg1-1_i386.deb
Checksums-Sha256: 
 c5948772ad267b7b470c8b62d766fef15d10170b276d800a33105aa6cff20fa1 1889 cyrus-sasl2_2.1.23.dfsg1-1.dsc
 ee463586f233a27d19ad922c8f321241558646a6c64b46c438cd58d37a9e69f5 1415183 cyrus-sasl2_2.1.23.dfsg1.orig.tar.gz
 d513f7ee205eb8436db3297bc4a1ae4250eaf06c4216ea951d36ab9cc1f46f58 91788 cyrus-sasl2_2.1.23.dfsg1-1.diff.gz
 4b32e63147a189fbe844f037328902e5f72e99a4abde1b9e832f6caf8739179c 104436 cyrus-sasl2-doc_2.1.23.dfsg1-1_all.deb
 1e058de9d8bb777a1f363f5a9038ee198fd275b03f07dce2387f3f9e69070c39 146550 sasl2-bin_2.1.23.dfsg1-1_i386.deb
 26dda23bb819ddebd93dfcb7b93c615bbde0a0f89ef6b2e3d5463e9819c8cd97 106774 libsasl2-2_2.1.23.dfsg1-1_i386.deb
 b60d39e7990b3563091d57078bab6515e9b56610e3f6bc47aea43528d53d72f7 147048 libsasl2-modules_2.1.23.dfsg1-1_i386.deb
 a3974e0581349070cad1078572de02c626d819d346885d3774dc6865447ae323 58056 libsasl2-modules-ldap_2.1.23.dfsg1-1_i386.deb
 dcb3f7e907946d9d9d78e18cd5715e8ab8bdb54f1aec583680c264533ff34aa8 76494 libsasl2-modules-otp_2.1.23.dfsg1-1_i386.deb
 e84f93c6b470603700b53539413279ade1bd067254b9987b2115a14cd330b073 64786 libsasl2-modules-sql_2.1.23.dfsg1-1_i386.deb
 fd8f7cc307ffbf29afdc774773865fce2144d7d6f56b3b837513230949b1a402 66078 libsasl2-modules-gssapi-mit_2.1.23.dfsg1-1_i386.deb
 2cd017c25934353a63709b916be470cd87123c02fd87bb55bf38c5c84ce27ccc 259852 libsasl2-dev_2.1.23.dfsg1-1_i386.deb
 276ee0bd8dd1f0473ffa014b590a453947c397a70b09f5e074c36cba02a8581c 573834 cyrus-sasl2-dbg_2.1.23.dfsg1-1_i386.deb
Files: 
 54582d6facbc90d08c004cbd0ab12cd1 1889 libs important cyrus-sasl2_2.1.23.dfsg1-1.dsc
 6822689e9ef9791c1a1948314aa3445b 1415183 libs important cyrus-sasl2_2.1.23.dfsg1.orig.tar.gz
 4e29c55762a082cf3fbba0ba1a167e36 91788 libs important cyrus-sasl2_2.1.23.dfsg1-1.diff.gz
 2790c6125438cf9985539df1f1f00c88 104436 doc optional cyrus-sasl2-doc_2.1.23.dfsg1-1_all.deb
 1b46a3da33972a081a6511873dbf6a30 146550 utils optional sasl2-bin_2.1.23.dfsg1-1_i386.deb
 71eb477f81236509c0d72b5efcaca77f 106774 libs important libsasl2-2_2.1.23.dfsg1-1_i386.deb
 14e93af47c97dd94dbc4894973827cad 147048 libs optional libsasl2-modules_2.1.23.dfsg1-1_i386.deb
 1525a5a39e20b9b1af20a0aa0e3c51cb 58056 libs extra libsasl2-modules-ldap_2.1.23.dfsg1-1_i386.deb
 9b1ef11245f1243366b7275fbab18ff3 76494 libs extra libsasl2-modules-otp_2.1.23.dfsg1-1_i386.deb
 cccd90bd4dcdaf1e299bc45a9802f75d 64786 libs extra libsasl2-modules-sql_2.1.23.dfsg1-1_i386.deb
 f4b0634769e6b89fb65d3e08f4dab5f5 66078 libs extra libsasl2-modules-gssapi-mit_2.1.23.dfsg1-1_i386.deb
 15a5ebe591c1e3b6b2ddbb35e7d24fca 259852 libdevel optional libsasl2-dev_2.1.23.dfsg1-1_i386.deb
 1d79f67c8e59d63b1b6e463832491574 573834 debug extra cyrus-sasl2-dbg_2.1.23.dfsg1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoZjQkACgkQ76VUNpZBmeKjpwCeKz2IxgT2hq3czn4/2RpMbc/V
2DwAnRi/a39dchn/5xXt15aDJCFT/sU9
=D1v1
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Mar 2011 07:43:49 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 15:38:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.