Bug 1791854 (CVE-2019-19906)

Summary: CVE-2019-19906 cyrus-sasl: denial of service in _sasl_add_string function
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, crypto-team, csutherl, gzaronik, jclere, jfch, jjelen, jwon, krathod, lgao, mbabacek, myarboro, pjindal, plautrba, ssorce, vanmeeuwen+fedora, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:24:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1804034, 1804035, 1804036    
Bug Blocks: 1781007    

Description Dhananjay Arunesh 2020-01-16 15:49:11 UTC 
A vulnerability was found in cyrus-sasl 2.1.27, where off-by-one error was detected in function _sasl_add_string in common.c.

Reference:
https://github.com/cyrusimap/cyrus-sasl/issues/587
http://www.openldap.org/its/index.cgi/Incoming?id=9123
Comment 2 Huzaifa S. Sidhpurwala 2020-02-18 04:50:58 UTC 
Analysis:

This is essentially an off-by-one, causing a heap OOB read by 1 byte. Arbitrary code execution seems difficult because of the assertions in place, so all it can do is cause remote DoS of the SASL service. Currently there is no upstream patch for this.
Comment 3 Huzaifa S. Sidhpurwala 2020-02-18 04:54:01 UTC 
Created cyrus-sasl tracking bugs for this issue:

Affects: fedora-all [bug 1804034]
Comment 5 Fedora Update System 2020-04-01 00:16:36 UTC 
FEDORA-2020-51d591d035 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 Fedora Update System 2020-04-01 16:31:45 UTC 
FEDORA-2020-51d591d035 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 7 errata-xmlrpc 2020-11-04 01:29:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4497 https://access.redhat.com/errata/RHSA-2020:4497
Comment 8 Product Security DevOps Team 2020-11-04 02:24:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19906