7) MODERATE: Cyrus-SASL Buffer Overflow

Affected: Cyrus-SASL version 2.1.18-r1 or prior

Description: Simple Authentication and Security Layer (SASL) provides a general framework that can be used by protocols like IMAP or SMTP for authentication purposes. The Cyrus-SASL library is a popular SASL implementation which is used by widely deployed software such as sendmail. The library contains a buffer overflow in processing MD5 digests that may be exploited to execute arbitrary code with the privileges of the application using the Cyrus-SASL library. The technical details regarding the overflow can be obtained by diffing the digestmda5.c file between the patched and the unpatched versions.

References:
Gentoo Linux Advisory
http://www.securityfocus.com/archive/1/377775/2004-10-04/2004-10-10/0
Software using Cyrus-SASL
http://asg.web.cmu.edu/sasl/sasl-projects.html
Cyrus-SASL Homepage
http://asg.web.cmu.edu/sasl/
SecurityFocus BID
http://www.securityfocus.com/bid/11347

Status: Vendor confirmed, upgrade to version 2.1.19. Gentoo and other Linux distributions have also provided updated packages.

------- Additional Comments From michal 2004-10-12 11:44:07 -------

It is somewhat confusing. All quoted references talk about CAN-2004-0884, and https://bugzilla.fedora.us/show_bug.cgi?id=2137 is supposedly about that, while CAN-2004-0884 is so far marked as **RESERVED** and hence inaccessible to me. OTOH, I do not see code in the patches to bug #2137 which would deal with digestmda5.c, so this appears to be something new.

------- Additional Comments From michal 2004-10-12 12:26:07 -------

In response to my comment on https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657, mjc wrote: "The digestmda5.c issue was separate to CAN-2004-0884 and did not affect any version of cyrus-sasl with Red Hat Enterprise Linux (or Fedora Core)." I guess that by extension this applies to all sources we are interested in. This is based only on mjc's word.

------- Additional Comments From marcdeslauriers 2004-10-13 12:44:43 -------

Changelog to digestmda5.c is here:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c

AFAICT, the offending code was introduced in change 1.170 and fixed in 1.171, way after the versions of cyrus-sasl we have. I'm closing this.

------- Bug moved to this database by dkl 2005-03-30 18:28 -------

This bug was previously known as bug 2153 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2153
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.