Bug 1725061

Summary: cyrus-sasl: auth_rimap infinite loop when IMAP server closes connection leads to denial of service
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: anon.amish, arachman, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, crypto-team, csutherl, darran.lofthouse, dfediuck, dosoudil, eedri, gzaronik, iweiss, jawilson, jclere, jfch, jjelen, jperkins, krathod, kwills, lgao, lveyde, mbabacek, mgoldboi, michal.skrivanek, mperina, msiddiqu, msochure, msvehla, myarboro, nwallace, plautrba, pmackay, psotirop, rguimara, rsvoboda, sbonazzo, sherold, smaestri, ssorce, tom.jenkinson, twalsh, vanmeeuwen+fedora, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: cyrus-sasl 2.1.27
Last Closed: 2021-10-27 10:45:50 UTC
Bug Depends On: 1725498, 1725542
Bug Blocks: 1724625

Description Dhananjay Arunesh 2019-06-28 10:51:49 UTC
The while() loop at auth_rimap.c:496 (upstream) in cyrus-sasl2 2.1.26 has incorrect exit criteria -- if the socket is closed and the fd is at EOF, the loop will not exit. This causes auth_rimap to go into an infinite loop, as its criterion for whether data is available on the socket is incorrect.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1636824

Comment 1 msiddiqu 2019-06-30 21:40:35 UTC
Created cyrus-sasl tracking bugs for this issue:

Affects: fedora-all [bug 1725498]

Comment 2 Huzaifa S. Sidhpurwala 2019-07-01 05:20:30 UTC
Analysis:

This issue only affects cyrus-sasl configured to authenticate via remote IMAP server. Other authentication methods are not affected by this flaw.

This bug was introduced by the patch for upstream bug #3211, included in cyrus-sasl2 2.1.26. The while() loop at auth_rimap.c:496 (upstream) has incorrect exit criteria -- if the socket is closed and the fd is at EOF, the loop will not exit.

This issue was fixed in the upstream version 2.1.27.
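The class of bug described above, shown as an added example that is not cyrus-sasl's code and not part of the original report: a select()/read() response loop in which read() returning 0 (peer closed, fd at EOF) is an explicit exit condition. The function names, return codes and the "\r\n"-terminated reply format are assumptions made for the illustration.

```c
/* Added example, not cyrus-sasl code: a select()/read() response loop that
 * treats read() == 0 (peer closed, fd at EOF) as an exit condition. */
#include <errno.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum { RESP_OK = 0, RESP_EOF = -1, RESP_ERR = -2, RESP_TOOBIG = -3 };

/* Read until "\r\n" is seen. Hypothetical helper; names are assumptions. */
int read_line_response(int fd, char *buf, size_t cap, int timeout_sec)
{
    size_t used = 0;
    while (used + 1 < cap) {
        fd_set rfds;
        struct timeval tv = { timeout_sec, 0 };
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready < 0 && errno == EINTR) continue;
        if (ready <= 0) return RESP_ERR;          /* error or timeout */
        /* select() also reports "readable" at EOF, so readiness alone
         * never proves that more data exists; only read() can tell. */
        ssize_t n = read(fd, buf + used, cap - 1 - used);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return RESP_ERR;
        if (n == 0) return RESP_EOF;              /* peer closed: stop looping */
        used += (size_t)n;
        buf[used] = '\0';
        if (strstr(buf, "\r\n")) return RESP_OK;  /* complete reply received */
    }
    return RESP_TOOBIG;                           /* reply exceeds the buffer */
}

/* Constructed test peer: send `msg` over a socketpair, close, then read. */
int demo(const char *msg, char *out, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return RESP_ERR;
    if (*msg && write(sv[1], msg, strlen(msg)) < 0) { close(sv[0]); close(sv[1]); return RESP_ERR; }
    close(sv[1]);                                 /* server drops the connection */
    int rc = read_line_response(sv[0], out, cap, 2);
    close(sv[0]);
    return rc;
}
```

Without the `n == 0` branch, a peer that closes mid-reply leaves select() reporting the descriptor readable on every pass, so the loop spins without ever blocking or making progress.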

Comment 5 Joshua Padman 2019-07-07 13:23:35 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 5
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 6 Doran Moppert 2019-07-08 01:15:51 UTC
Statement:

Red Hat Virtualization Hypervisor includes the cyrus-sasl package as a dependency of postfix, but it is not enabled in the supported configuration.