Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Jul 2013 15:27:18 +0000
From: "mancha" <mancha1@...h.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Cyrus-sasl NULL ptr. dereference

Starting with glibc 2.17 (eglibc 2.17), crypt() fails with
EINVAL (w/ NULL return) if the salt violates specifications.
Additionally, on FIPS-140 enabled Linux systems, DES/MD5-encrypted
passwords passed to crypt() fail with EPERM (w/ NULL return).

When authenticating against Cyrus-sasl via mechanisms that use
glibc's crypt (e.g. getpwent or shadow auth. mechs), and this
crypt() returns a NULL as glibc 2.17+ does on above-described
input, the client crashes the authentication daemon resulting
in a DoS.

Upstream fix:
http://git.cyrusimap.org/cyrus-
sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d

Backported fixes (versions 2.1.23 & 2.1.26):
http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus
-sasl-2.1.23-glibc217-crypt.diff
http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus
-sasl-2.1.26-glibc217-crypt.diff

Many thanks,

--mancha

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ