Bug 65901 (CVE-2005-0373)

Summary: VUL-0: CVE-2005-0373: cyrus-sasl: buffer overflow in digestmda5.c
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Carsten Hoeger <choeger>
Status: VERIFIED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0373: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-02-16 19:33:57 UTC 
Hi, 
we received this through vensor-sec. 
 
From: Thierry Carrez <koon@gentoo.org> 
User-Agent: Mozilla Thunderbird 1.0 (X11/20041209) 
To: Josh Bressers <bressers@redhat.com> 
Cc: vendor-sec@lst.de 
Subject: Re: [vendor-sec] Looking for some information about 
CAN-2005-0373 
Errors-To: vendor-sec-admin@lst.de 
Date: Wed, 16 Feb 2005 12:04:35 +0100 
 
[-- PGP Ausgabe folgt (aktuelle Zeit: Mi 16 Feb 2005 12:32:48 CET) --] 
gpg: Unterschrift vom Mi 16 Feb 2005 12:04:39 CET, DSA SchlÃŒssel ID 
B6A55F4F 
gpg: Unterschrift kann nicht geprÃŒft werden: Ãffentlicher SchlÃŒssel 
nicht gefunden 
[-- Ende der PGP-Ausgabe --] 
 
[-- Die folgenden Daten sind signiert --] 
 
Josh Bressers wrote: 
 
> I'm digging through my backlog of security issues and came across this 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0373 
> 
> Description : Buffer overflow in digestmda5.c in Cyrus-SASL before 
>     2.1.18-r1 allows remote attackers to execute arbitrary code. 
> 
> This issue sounds pretty bad, and it's scary old now. 
> 
> The links from MITRE are pretty bare.  It seems Gentoo found/fixed this (I 
> know you're out there), so I was hoping they, or anyone else could help 
me 
> shed some light on this. 
 
Hi Josh, 
 
What I can remember from this bug is quite fuzzy. IIRC, one of our 
developers found an issue in cyrus-sasl and sent it upstream, without 
informing us. That developer had troubles handling upstream, on 
questions like delays, other security bugs that apparently upstream 
wanted to fix silently. Finally the patches for all things went public 
and we got involved to issue the GLSA... This was before we joined 
vendor-sec. 
 
There are two issues : 
 
SASL_PATH abuse (CAN-2004-0884) 
Potential buffer overflow in digestmda5.c (recently CAN-2005-0373) 
 
I think everyone got the first one (patch in lib/common.c). The second 
one was fixed in 2.1.19. Back when we handled this, we applied the 
following patch to 2.1.18 : 
 
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.167&r2=1.172 
 
That's about all I know :) Hope this helps, if you have any more 
questions... 
 
-- 
Thierry Carrez 
Gentoo Linux Security
Comment 1 Thomas Biege 2005-02-16 19:33:57 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Carsten Hoeger 2005-02-17 18:36:01 UTC 
I checked in all relevant sasl packages
Comment 3 Thomas Biege 2005-02-17 23:19:33 UTC 
Hm, are the suse-dist mails are missing?
Comment 4 Carsten Hoeger 2005-02-17 23:22:43 UTC 
done
Comment 5 Thomas Biege 2005-02-17 23:40:03 UTC 
 SM-Tracker-413
Comment 6 Thomas Biege 2005-02-17 23:51:32 UTC 
/work/src/done/PATCHINFO/cyrus-sasl.patch.box 
/work/src/done/PATCHINFO/cyrus-sasl.patch.maintained
Comment 7 Marcus Meissner 2005-03-03 14:27:49 UTC 
advisory and updated packages released.
Comment 8 Marcus Meissner 2005-03-04 12:52:50 UTC 
Hello Marcus, 
 
This is a false alarm. The buffer overflow only exists in rev.1.170 of 
digestmd5.c and was fixed in rev.1.171. See below message for details. 
Please contact Alexey directly for details. Also compare RH bugzilla 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148871 . 
 
Regards, 
Leonard den Ottolander. 
 
-----Forwarded Message----- 
From: Alexey Melnikov <alexey.melnikov@isode.com> 
To: Leonard den Ottolander <leonard@den.ottolander.nl> 
Subject: Re: CAN-2005-0373 
Date: Tue, 01 Mar 2005 17:23:14 +0000 
 
Leonard den Ottolander wrote: 
 
>Hello Alexey, 
> 
>(Hope you don't mind me contacting you without having been introduced 
>before.) 
> 
>I'm investigation CAN-2005-0373. 
> 
>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c 
+#rev1.171 : 
>        * plugins/digestmd5.c: Fix potential buffer overflow, call 
>          add_to_challenge in 2 more places (Alexey Melnikov 
> 
>Does this mean the sprintf(text->outbuf)s are the issue? Or is it 
>the quoting that is introduced in this revision that fixes the overflow? 
> 
> 
I've intoruduced a buffer overflow in revision 1.170, because not enough 
space was allocated when quoting was required. 
I've fixed that in 1.171. 
1.170 is an intermediate revision, which was not part of any official 
release, so people shouldn't be worried. 
 
Alexey
Comment 9 Thomas Biege 2009-10-13 21:07:05 UTC 
CVE-2005-0373: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)