
[linux-security] cyrus-sasl remote exploits



Topic
=====
Buffer overflows in cyrus-sasl may be exploited remotely

Problem Description
===================
Cyrus SASL is an implementation of the Simple Authentication and Security
Layer, a method for adding authentication support to connection-based
protocols.  Cyrus SASL versions 2 prior to 2.1.10 include a number of
buffer overflow vulnerabilities:

Insufficient buffer length checking in user name canonicalization.  This
issue would be hard to exploit, but would allow a remote user to execute
arbitrary code on the system.

When performing authentication using LDAP, saslauthd does not allocate
enough memory when it needs to escape special characters in the username
and realm.  This issue may be easy to remotely exploit.

The log writer might not have allocated memory for the trailing \0 in a
message.  This issue is probably hard to exploit, although it is possible to
affect the logging data with at least anonymous authentication.
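
The LDAP escaping and trailing \0 issues above are both buffer sizing
errors.  The following is an added example, not code from Cyrus SASL or from
this advisory, of sizing an escape buffer for the worst case.  It assumes
RFC 4515 filter escaping; ldap_escape and ldap_escaped_size are hypothetical
names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: RFC 4515 filter escaping, "\XX" for each special byte. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\';
}

/* Exact bytes needed for the escaped copy, trailing '\0' included. */
size_t ldap_escaped_size(const char *s)
{
    size_t n = 1;                     /* room for the terminator */
    for (; *s; s++)
        n += needs_escape((unsigned char)*s) ? 3 : 1;
    return n;
}

/* Returns a malloc'd escaped copy of s, or NULL on failure. */
char *ldap_escape(const char *s)
{
    if (strlen(s) > ((size_t)-1 - 1) / 3)  /* 3 bytes per input byte, worst case */
        return NULL;
    size_t cap = ldap_escaped_size(s), o = 0;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (needs_escape(c))
            o += (size_t)snprintf(out + o, cap - o, "\\%02x", c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';                    /* o == cap - 1 here */
    return out;
}

int main(void)
{
    const char *user = "a*(b)\\c";    /* constructed sample username */
    char *e = ldap_escape(user);
    if (!e)
        return 1;
    printf("%zu input bytes -> %zu escaped bytes: %s\n",
           strlen(user) + 1, ldap_escaped_size(user), e);
    free(e);
    return 0;
}
```

A buffer sized as strlen(input) + 1 would be too small as soon as one
character needs escaping; the size must be derived from the escaped form.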

Affected Systems
================
Cyrus-SASL versions 2.x prior to 2.1.10

Not Affected
============
RedHat Linux prior to 8.0 (use Cyrus-SASL 1.5.x)

Solution
========
Upgrade to version 2.1.10 or a patched version for your distribution.

RedHat 8.0
----------
rpm -Fvh cyrus-sasl-2.1.10-1.i386.rpm \
         cyrus-sasl-devel-2.1.10-1.i386.rpm \
         cyrus-sasl-gssapi-2.1.10-1.i386.rpm \
         cyrus-sasl-md5-2.1.10-1.i386.rpm \
         cyrus-sasl-plain-2.1.10-1.i386.rpm