Bug 152909 - Remote buffer overflow in the digestmd5.c
Status: CLOSED NOTABUG
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware / OS: All / Linux
Priority / Severity: medium / medium
Assigned To: Fedora Legacy Bugs
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard: 1, LEGACY, rh73, rh90
Reported: 2005-02-27 05:37 EST by David Lawrence
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix

Attachments: None
Description David Lawrence 2005-03-30 18:31:44 EST
Patch for 2.1.18 can be found at
ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo-portage/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.18-cvs-1.172.patch


A patch for 1.5.28 should be created from this patch.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-27 13:41:21 ----

Looks to me like the buffer overflow was introduced in:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.169&r2=1.170

and fixed in:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171

So, this is only a problem in 2.1.18 AFAICT.

It shouldn't affect rh73, rh9 or FC1.

Can someone else make sure?



------- Additional Comments From leonard@den.ottolander.nl 2005-02-28 10:55:21 ----

Where exactly is the overflow introduced according to you?




------- Additional Comments From leonard@den.ottolander.nl 2005-02-28 12:05:50 ----

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c#rev1.171:

        * plugins/digestmd5.c: Fix potential buffer overflow, call
          add_to_challenge in 2 more places (Alexey Melnikov

So indeed the issue seems to be the sprintf(text->outbuf)s, not the quoting.

I'll verify whether this issue exists in 1.5.




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 12:58:03 ----

This is the offending code:
strcat(*str, quoted);

it puts the value it just quoted back into the original location, without making
the original location bigger.

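The overflow pattern described in the comment above (a value is quoted, then the longer quoted text is appended with strcat() into the original buffer, which was never enlarged), as an added example that is not code from cyrus-sasl's digestmd5.c or from any participant in this thread. The helper names (quote_value, quote_in_place_buggy, append_quoted, build_challenge), the 16-byte buffer size and the sample field values are assumptions chosen for illustration; the hardened append_quoted is one way to grow the buffer before appending, not the change committed as rev 1.171.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from cyrus-sasl or from this bug thread.
 * All names, sizes and sample values below are hypothetical. */

#define FIXED_CAP 16   /* size of the hypothetical caller's fixed buffer */

/* Return a malloc'd copy of `in` with every '"' and '\' preceded by a
 * backslash, the quoted-string escaping used in DIGEST-MD5 challenges. */
static char *quote_value(const char *in)
{
    size_t extra = 0;
    for (const char *p = in; *p; p++)
        if (*p == '"' || *p == '\\')
            extra++;
    char *out = malloc(strlen(in) + extra + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        if (*p == '"' || *p == '\\')
            *q++ = '\\';
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Buggy pattern: quote the value and strcat() the result back into the
 * same FIXED_CAP-byte buffer it came from. Each escaped character makes the
 * quoted text longer than the original, so the buffer is exceeded as soon
 * as enough quotable characters are present. To keep this runnable the
 * overflowing write is not performed; the function returns how many bytes
 * strcat() would have written past the end (0 means it fit). */
static size_t quote_in_place_buggy(const char *value)
{
    char str[FIXED_CAP];
    if (strlen(value) + 1 > sizeof str)
        return 0;                    /* value itself does not fit; not the case studied */
    strcpy(str, value);
    char *quoted = quote_value(str);
    if (!quoted)
        return 0;
    size_t need = strlen(quoted) + 1;
    size_t overrun = 0;
    if (need <= sizeof str) {
        str[0] = '\0';
        strcat(str, quoted);         /* the original pattern, only when it fits */
    } else {
        overrun = need - sizeof str; /* bytes strcat() would write past the end */
    }
    free(quoted);
    return overrun;
}

/* Hardened form: the challenge lives in a (buf, cap, len) triple that is
 * grown with realloc() before `name="<quoted value>"` is appended, so no
 * fixed capacity is assumed. Returns 0 on success, -1 on allocation failure. */
static int append_quoted(char **buf, size_t *cap, size_t *len,
                         const char *name, const char *value)
{
    char *quoted = quote_value(value);
    if (!quoted)
        return -1;
    /* optional ',' + name + '="' + quoted + '"' + NUL */
    size_t need = *len + (*len ? 1 : 0) + strlen(name) + 3 + strlen(quoted) + 1;
    if (need > *cap) {
        size_t ncap = *cap ? *cap : 64;
        while (ncap < need)
            ncap *= 2;
        char *nb = realloc(*buf, ncap);
        if (!nb) {
            free(quoted);
            return -1;
        }
        *buf = nb;
        *cap = ncap;
    }
    int n = snprintf(*buf + *len, *cap - *len, "%s%s=\"%s\"",
                     *len ? "," : "", name, quoted);
    free(quoted);
    if (n < 0)
        return -1;
    *len += (size_t)n;
    return 0;
}

/* Build a challenge from constructed sample fields; the nonce deliberately
 * contains characters that must be escaped. Caller frees the result. */
static char *build_challenge(void)
{
    char *buf = NULL;
    size_t cap = 0, len = 0;
    if (append_quoted(&buf, &cap, &len, "realm", "example.com") ||
        append_quoted(&buf, &cap, &len, "nonce", "ab\"cd\\ef") ||
        append_quoted(&buf, &cap, &len, "qop", "auth")) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    printf("in-place overrun, plain value: %zu bytes\n", quote_in_place_buggy("plain"));
    printf("in-place overrun, quote-heavy value: %zu bytes\n",
           quote_in_place_buggy("ab\"cd\"ef\"gh\"ij\""));
    char *c = build_challenge();
    printf("grown challenge: %s\n", c ? c : "(alloc failed)");
    free(c);
    return 0;
}
```

The point the example isolates is that the size check has to happen after quoting, not before: a value that fits the buffer unquoted can still be too long once the backslashes are inserted, and a fixed-size destination has no way to absorb that growth. Passing the buffer by pointer together with its capacity and current length, as append_quoted does, is what lets the append site enlarge it.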




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 13:26:30 ----

See:

https://bugzilla.redhat.com/beta/show_bug.cgi?id=148871

and

http://www.irbs.net/internet/cyrus-sasl/0408/0059.html



------- Additional Comments From leonard@den.ottolander.nl 2005-03-01 12:04:34 ----

Alexey Melnikov verified that this issue only exists in rev 1.170 of
digestmd5.c. Official releases are hence not vulnerable.

Closing INVALID (NOTABUG).




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2441 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2441
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl@redhat.com. Previous reporter was leonard@den.ottolander.nl.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.

