Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[gentoo-security] GLSA: cyrus-sasl
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 16113
Location: Colorado

PostPosted: Fri Dec 27, 2002 11:01 pm    Post subject: [gentoo-security] GLSA: cyrus-sasl Reply with quote

Daniel Ahlberg wrote:
- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-10
- - --------------------------------------------------------------------

PACKAGE : cyrus-sasl
SUMMARY : buffer overflows
DATE : 2002-12-27 22:12 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

- From advisory:

"Insufficient buffer length checking in user name canonicalization may allow attacker to execute arbitrary code on servers using Cyrus SASL library. Client side library also has the bug but since the user name is asked from the local user, there's probably not many applications that care about it, except maybe webmails and the like. This overflow only happens if default realm is set."

"LDAP authentication with saslauthd doesn't allocate enough memory when it needs to escape characters '*', '(', ')', '\' and '\0' in username and realm. This should be easily exploited with glibc's malloc implementation."

"Log writer might not have allocated memory for the trailing \0 in message. Probably hard to exploit, although you can affect the logging data with at least anonymous authentication."

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=103946297703402&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running ev-libs/cyrus-sasl-2.1.9 update their systems as follows:

emerge rsync
emerge cyrus-sasl
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
raker@gentoo.org
- - --------------------------------------------------------------------


Mailing List Archive: Unavailable
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum