Bug 501243

Summary: (CVE-2009-0688) CVE-2009-0688 cyrus-sasl: sasl_encode64() does not reliably null-terminate its output
Product: Red Hat Enterprise Linux 5 Reporter: Jan F. Chadima <jchadima>
Component: postfixAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED NOTABUG QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium Docs Contact:
Priority: low    
Version: 5.3   
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-05-22 09:41:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan F. Chadima 2009-05-18 08:26:06 UTC 
Description of problem:

The Cyrus SASL library contains a buffer overflow vulnerability
that could allow an attacker to execute code or cause a vulnerable
program to crash. The sasl_encode64() function converts a string
into base64. On some conditions sasl_encode64() does not terminate his output by nul character. Especially in this case: sasl_encode64 (in, inlen, out, outmax, &outlen) with outhmax exactly the size of output according to inlen (without the training zero)


Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Miroslav Lichvar 2009-05-22 09:41:54 UTC 
Postfix allocates the buffer correctly, the length is computed to include also the trailing zero.