Bugzilla – Bug 65901
VUL-0: CVE-2005-0373: cyrus-sasl: buffer overflow in digestmda5.c
Last modified: 2021-10-27 08:46:17 UTC
Hi, we received this through vendor-sec.

From: Thierry Carrez <koon@gentoo.org>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041209)
To: Josh Bressers <bressers@redhat.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] Looking for some information about CAN-2005-0373
Errors-To: vendor-sec-admin@lst.de
Date: Wed, 16 Feb 2005 12:04:35 +0100

[-- PGP Ausgabe folgt (aktuelle Zeit: Mi 16 Feb 2005 12:32:48 CET) --]
gpg: Unterschrift vom Mi 16 Feb 2005 12:04:39 CET, DSA Schlüssel ID B6A55F4F
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]
[-- Die folgenden Daten sind signiert --]

Josh Bressers wrote:
> I'm digging through my backlog of security issues and came across this
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0373
>
> Description : Buffer overflow in digestmda5.c in Cyrus-SASL before
> 2.1.18-r1 allows remote attackers to execute arbitrary code.
>
> This issue sounds pretty bad, and it's scary old now.
>
> The links from MITRE are pretty bare. It seems Gentoo found/fixed this (I
> know you're out there), so I was hoping they, or anyone else could help me
> shed some light on this.

Hi Josh,

What I can remember from this bug is quite fuzzy. IIRC, one of our developers found an issue in cyrus-sasl and sent it upstream, without informing us. That developer had troubles handling upstream, on questions like delays, other security bugs that apparently upstream wanted to fix silently. Finally the patches for all things went public and we got involved to issue the GLSA... This was before we joined vendor-sec.

There are two issues:
- SASL_PATH abuse (CAN-2004-0884)
- Potential buffer overflow in digestmda5.c (recently CAN-2005-0373)

I think everyone got the first one (patch in lib/common.c). The second one was fixed in 2.1.19.

Back when we handled this, we applied the following patch to 2.1.18:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.167&r2=1.172

That's about all I know :)

Hope this helps, if you have any more questions...

--
Thierry Carrez
Gentoo Linux Security
I checked in all relevant sasl packages
Hm, are the suse-dist mails missing?
done
SM-Tracker-413
/work/src/done/PATCHINFO/cyrus-sasl.patch.box /work/src/done/PATCHINFO/cyrus-sasl.patch.maintained
advisory and updated packages released.
Hello Marcus,

This is a false alarm. The buffer overflow only exists in rev. 1.170 of digestmd5.c and was fixed in rev. 1.171. See below message for details. Please contact Alexey directly for details. Also compare RH bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148871 .

Regards,
Leonard den Ottolander.

-----Forwarded Message-----
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Leonard den Ottolander <leonard@den.ottolander.nl>
Subject: Re: CAN-2005-0373
Date: Tue, 01 Mar 2005 17:23:14 +0000

Leonard den Ottolander wrote:
> Hello Alexey,
>
> (Hope you don't mind me contacting you without having been introduced
> before.)
>
> I'm investigating CAN-2005-0373.
>
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c +#rev1.171 :
> * plugins/digestmd5.c: Fix potential buffer overflow, call
> add_to_challenge in 2 more places (Alexey Melnikov
>
> Does this mean the sprintf(text->outbuf)s are the issue? Or is it
> the quoting that is introduced in this revision that fixes the overflow?
>

I've introduced a buffer overflow in revision 1.170, because not enough space was allocated when quoting was required. I've fixed that in 1.171. 1.170 is an intermediate revision, which was not part of any official release, so people shouldn't be worried.

Alexey
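Alexey's reply describes the bug class rather than the exact code: the output buffer was sized from the raw value, and quoting, which inserts escape bytes, then needed more room than had been allocated. The C program below is an added illustration of that sizing mistake and its fix; it is not cyrus-sasl's digestmd5.c. It assumes an RFC 2831-style quoted-string in which '"' and '\' are escaped with a backslash (an assumption, not the plugin's exact rule), computes the allocation from the quoted length rather than the raw length, and reports the shortfall a raw-length sizing would leave on constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a quoted copy of `s` needs: opening and closing quote, one
 * escape byte for every '"' or '\\' in `s`, and the terminating NUL.
 * The allocation must be computed from this, i.e. after deciding that
 * the value will be quoted, not from strlen(s). */
size_t quoted_len(const char *s)
{
    size_t n = 3;                       /* two quotes + NUL */
    for (; *s; s++) {
        n++;
        if (*s == '"' || *s == '\\')
            n++;                        /* escape byte added by quoting */
    }
    return n;
}

/* The size a caller gets if it sizes the buffer from the raw value and
 * forgets that quoting can expand it: strlen + two quotes + NUL. */
size_t unquoted_len(const char *s)
{
    return strlen(s) + 3;
}

/* Number of bytes by which the raw-length sizing falls short (0 when the
 * value contains nothing that needs escaping). */
size_t shortfall(const char *s)
{
    size_t need = quoted_len(s), have = unquoted_len(s);
    return need > have ? need - have : 0;
}

/* Return a freshly allocated quoted copy of `s`, or NULL on failure.
 * The buffer is sized by quoted_len(), so the writes below cannot run
 * past it however many escapes are needed. */
char *quote_value(const char *s)
{
    size_t cap = quoted_len(s);
    char *out = malloc(cap);
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '"';
    for (; *s; s++) {
        if (*s == '"' || *s == '\\')
            *p++ = '\\';
        *p++ = *s;
    }
    *p++ = '"';
    *p = '\0';
    /* Consistency check: exactly the allocated size was used. */
    if ((size_t)(p - out) + 1 != cap) {
        free(out);
        return NULL;
    }
    return out;
}

/* Helper: quote `s` and compare with `expected`; 1 on match, 0 otherwise. */
int quote_matches(const char *s, const char *expected)
{
    char *q = quote_value(s);
    int ok = q != NULL && strcmp(q, expected) == 0;
    free(q);
    return ok;
}

int main(void)
{
    /* Constructed sample values; the last two contain characters that
     * must be escaped inside a quoted-string. */
    const char *samples[] = { "example.com", "ex\"am\\ple", "\"\"\"" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *q = quote_value(samples[i]);
        printf("%-12s -> %-16s need=%zu raw=%zu shortfall=%zu\n",
               samples[i], q ? q : "(null)", quoted_len(samples[i]),
               unquoted_len(samples[i]), shortfall(samples[i]));
        free(q);
    }
    return 0;
}
```

The point to carry over to a real implementation is the order of operations: decide whether the value will be quoted, compute the expanded length, and only then allocate; any sprintf into a buffer sized from the unquoted value is the pattern the 1.171 fix removed.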
CVE-2005-0373: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)