From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------- Debian Security Advisory DSA-1807-1
[email protected] http://www.debian.org/security/ Nico Golde
June 1st, 2009
http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : cyrus-sasl2, cyrus-sasl2-heimdal
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
Debian bug : 528749
CERT advisory : VU#238019
CVE ID : CVE-2009-0688
James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires
the string to be null terminated which can lead to denial of service or arbitrary code execution.
Important notice (Quoting from US-CERT):
While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:
/* base64 encode
* in -- input data
* inlen -- input data length
* out -- output buffer (will be NUL terminated)
* outmax -- max size of output buffer
* result:
* outlen -- gets actual length of output buffer (optional)
*
* Returns SASL_OK on success, SASL_BUFOVER if result won't fit
*/
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
char *out, unsigned outmax,
unsigned *outlen);
Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.
Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.
For the oldstable distribution (etch), this problem will be fixed soon.
For the stable distribution (lenny), this problem has been fixed in
version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal.
We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1-23+lenny1.dsc
Size/MD5 checksum: 1775 510a3befa02a034758711c4bf329082e
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-23+lenny1.diff.gz
Size/MD5 checksum: 76458 85b876ee4b8d33a804f1164d727a5281
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-23+lenny1.dsc
Size/MD5 checksum: 1930 6939422cb0ce3455ce5a1a494692fd68
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1.orig.tar.gz
Size/MD5 checksum: 1370731 f196299b2c07f822c8c56db71b7dc7db
http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1.orig.tar.gz
Size/MD5 checksum: 1370731 f196299b2c07f822c8c56db71b7dc7db
http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1-23+lenny1.diff.gz
Size/MD5 checksum: 27834 dae4de4ce221e8d5f9ca9fbc8376f1ba
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-doc_2.1.22.dfsg1-23+lenny1_all.deb
Size/MD5 checksum: 104228 c5b2a9dac2683208cbc7fe0aeaf9e276
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 84954 9d18b6afabcdb581ba692b0de7abc489
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 603214 764f256abbe3cfc91a4c0392d79a8262
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 123794 e2d71664b9f4dbf586366a1ed21e8c23
http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/libsasl2-modules-gssapi-heimdal_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 76294 4e15f169d2b45fa179cdf4a919ab4316
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 198230 2b8a7bf7981b5f5d999a0a5d671ea401
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 75114 0da83acb9fbf8b7dc51989cd2c1f3e78
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-23+lenny1_alpha.deb
Size/MD5 checksum: 61754 6291c4405e6cbd3507737f866d6a53ee
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)