cyrus-sasl2 buffer overflow vulnerability: CVE-2009-0688

Bug #383300 reported by Joel Ebel on 2009-06-03
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cyrus-sasl2 (Debian)
Fix Released
Unknown
cyrus-sasl2 (Ubuntu)
Medium
Unassigned
Dapper
Medium
Kees Cook
Hardy
Medium
Kees Cook
Intrepid
Medium
Kees Cook
Jaunty
Medium
Kees Cook
Karmic
Medium
Unassigned

Bug Description

According to CVE-2009-0688: "Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c." Please consider updating cyrus-sasl2 to 2.1.23, or patching the buffer overflows if possible in all active releases including dapper, hardy, intrepid, jaunty, and karmic.

CVE References

Joel Ebel (jbebel) wrote :

This appears to be patched in debian lenny, version 2.1.22.dfsg1-23+lenny1

Joel Ebel (jbebel) wrote :

Some additional details from one of our security engineers:

The Cyrus SASL function The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.

Cyrus SASL 2.1.23 has been released to address this issue, however, Cyrus released this warning:

While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:
/* base64 encode
* in -- input data
* inlen -- input data length
* out -- output buffer (will be NUL terminated)
* outmax -- max size of output buffer
* result:
* outlen -- gets actual length of output buffer (optional)
*
* Returns SASL_OK on success, SASL_BUFOVER if result won't fit
*/
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
char *out, unsigned outmax,
unsigned *outlen);

Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the
buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.

Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. Unfortunately, the upstream changes may break existing applications, so all applications using cyrus-sasl need to be verified to not break or patched.

visibility: private → public
Changed in cyrus-sasl2 (Ubuntu):
status: New → Confirmed
status: Confirmed → Triaged
Changed in cyrus-sasl2 (Ubuntu Dapper):
status: New → Triaged
importance: Undecided → Medium
Changed in cyrus-sasl2 (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → Medium
Changed in cyrus-sasl2 (Ubuntu Intrepid):
status: New → Triaged
importance: Undecided → Medium
Changed in cyrus-sasl2 (Ubuntu Jaunty):
status: New → Triaged
importance: Undecided → Medium
Changed in cyrus-sasl2 (Ubuntu Karmic):
importance: Undecided → Medium
Changed in cyrus-sasl2 (Debian):
status: Unknown → Fix Released
Steve Langasek (vorlon) wrote :

This has been fixed in karmic with the merge of cyrus-sasl2 2.1.23.dfsg-1ubuntu1.

Changed in cyrus-sasl2 (Ubuntu Karmic):
status: Triaged → Fix Released
Andrew Pollock (apollock) wrote :

Is there an ETA for Hardy?

Kees Cook (kees) wrote :

Verified that programs in main are not affected by the ABI change:
  mutt
  postfix
  sendmail

Programs in universe may need additional review:
  beepcore-c
  cyrus21-imapd
  cyrus-imapd-2.2
  cyrus-sasl2-heimdal
  cyrus-sasl2-mit
  hotway
  inn2
  kolab-cyrus-imapd
  libetpan
  mail-notification
  nmh
  nufw
  pexts
  zmailer

Kees Cook (kees) on 2009-06-23
Changed in cyrus-sasl2 (Ubuntu Dapper):
assignee: nobody → Kees Cook (kees)
status: Triaged → Fix Committed
Changed in cyrus-sasl2 (Ubuntu Hardy):
assignee: nobody → Kees Cook (kees)
status: Triaged → Fix Committed
Changed in cyrus-sasl2 (Ubuntu Intrepid):
assignee: nobody → Kees Cook (kees)
status: Triaged → Fix Committed
Kees Cook (kees) wrote :
Changed in cyrus-sasl2 (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
status: Triaged → Fix Released
Changed in cyrus-sasl2 (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in cyrus-sasl2 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in cyrus-sasl2 (Ubuntu Dapper):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.