libsasl2: DIGEST-MD5 Pre-Auth DoS found in 2.1.18, likely to also be in 2.1.19 and 2.1.20

Debian Bug report logs - #361937
libsasl2: DIGEST-MD5 Pre-Auth DoS found in 2.1.18, likely to also be in 2.1.19 and 2.1.20

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sven Mueller <debian@incase.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libsasl2: DIGEST-MD5 Pre-Auth DoS found in 2.1.18, likely to also be in 2.1.19 and 2.1.20

Date: Tue, 11 Apr 2006 13:04:38 +0200

Package: libsasl2
Version: 2.1.19-1.5
Severity: serious
Tags: security
Justification: Security problem

Please see http://labs.musecurity.com/advisories/MU-200604-01.txt for
more information.

Regrads,
Sven


-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (990, 'stable'), (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libsasl2 depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-18    Berkeley v4.2 Database Libraries [

Versions of packages libsasl2 recommends:
ii  libsasl2-modules              2.1.19-1.5 Pluggable Authentication Modules f

-- no debconf information

Message #10 received at 361937@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: Sven Mueller <debian@incase.de>, 361937@bugs.debian.org

Subject: Re: Bug#361937: libsasl2: DIGEST-MD5 Pre-Auth DoS found in 2.1.18, likely to also be in 2.1.19 and 2.1.20

Date: Tue, 11 Apr 2006 16:54:07 -0700

[Message part 1 (text/plain, inline)]

severity 361937 important
thanks

On Tue, Apr 11, 2006 at 01:04:38PM +0200, Sven Mueller wrote:
> Package: libsasl2
> Version: 2.1.19-1.5
> Severity: serious
> Tags: security
> Justification: Security problem

> Please see http://labs.musecurity.com/advisories/MU-200604-01.txt for
> more information.

DoS bugs are normally treated as severity: important, rather than severity:
grave.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 361937@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>

To: 361937@bugs.debian.org

Subject: this is CVE-2006-1721

Date: Tue, 25 Apr 2006 09:41:31 -0600

This is CVE-2006-1721, for which I am about to upload an NMU with the
following patch.  I'm skipping the normal DELAYED queue because the
maintainer appears to be inactive and this is security issue.

diff -u cyrus-sasl2-2.1.19.dfsg1/debian/changelog cyrus-sasl2-2.1.19.dfsg1/debian/changelog
--- cyrus-sasl2-2.1.19.dfsg1/debian/changelog
+++ cyrus-sasl2-2.1.19.dfsg1/debian/changelog
@@ -1,3 +1,12 @@
+cyrus-sasl2 (2.1.19.dfsg1-0.2) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Applied upstream patch to fix remote denial of service
+    [debian/patches/27_CVE-2006-1721.diff]
+    Closes: #361937.
+
+ -- dann frazier <dannf@debian.org>  Tue, 25 Apr 2006 09:39:43 -0600
+
 cyrus-sasl2 (2.1.19.dfsg1-0.1) unstable; urgency=low
 
   * Non-maintainer upload.
only in patch4:
unchanged:
--- cyrus-sasl2-2.1.19.dfsg1.orig/debian/patches/27_CVE-2006-1721.diff
+++ cyrus-sasl2-2.1.19.dfsg1/debian/patches/27_CVE-2006-1721.diff
@@ -0,0 +1,13 @@
+diff -u -p -Nr --exclude CVS cyrus-sasl-2.1.19.dfsg1.orig/plugins/digestmd5.c cyrus-sasl-2.1.19.dfsg1/plugins/digestmd5.c
+--- cyrus-sasl-2.1.19.dfsg1.orig/plugins/digestmd5.c	2006-04-24 18:59:38.000000000 +0200
++++ cyrus-sasl-2.1.19.dfsg1/plugins/digestmd5.c	2006-04-24 19:01:13.000000000 +0200
+@@ -2242,7 +2242,8 @@ static int digestmd5_server_mech_step2(s
+     }
+ 
+     /* Sanity check the parameters */
+-    if (strcmp(realm, text->realm) != 0) {
++    if (((realm != NULL) && (strcmp(realm, text->realm) != 0)) &&
++       (text->realm[0] != 0)) {
+ 	SETERROR(sparams->utils,
+ 		 "realm changed: authentication aborted");
+ 	result = SASL_BADAUTH;

-- 
dann frazier | HP Open Source and Linux Organization

Message #26 received at 361937-close@bugs.debian.org (full text, mbox, reply):

From: Fabian Fagerholm <fabbe@debian.org>

To: 361937-close@bugs.debian.org

Subject: Bug#361937: fixed in cyrus-sasl-2.1 2.1.22-0~pre01

Date: Wed, 25 Oct 2006 06:49:16 -0700

Source: cyrus-sasl-2.1
Source-Version: 2.1.22-0~pre01

We believe that the bug you reported is fixed in the latest version of
cyrus-sasl-2.1, which is due to be installed in the Debian FTP archive:

cyrus-sasl-2.1-bin_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/cyrus-sasl-2.1-bin_2.1.22-0~pre01_i386.deb
cyrus-sasl-2.1-doc_2.1.22-0~pre01_all.deb
  to pool/main/c/cyrus-sasl-2.1/cyrus-sasl-2.1-doc_2.1.22-0~pre01_all.deb
cyrus-sasl-2.1_2.1.22-0~pre01.diff.gz
  to pool/main/c/cyrus-sasl-2.1/cyrus-sasl-2.1_2.1.22-0~pre01.diff.gz
cyrus-sasl-2.1_2.1.22-0~pre01.dsc
  to pool/main/c/cyrus-sasl-2.1/cyrus-sasl-2.1_2.1.22-0~pre01.dsc
cyrus-sasl-2.1_2.1.22.orig.tar.gz
  to pool/main/c/cyrus-sasl-2.1/cyrus-sasl-2.1_2.1.22.orig.tar.gz
libsasl2-2-dev_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-2-dev_2.1.22-0~pre01_i386.deb
libsasl2-2-modules-gssapi-mit_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-2-modules-gssapi-mit_2.1.22-0~pre01_i386.deb
libsasl2-2-modules-otp_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-2-modules-otp_2.1.22-0~pre01_i386.deb
libsasl2-2-modules-sql_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-2-modules-sql_2.1.22-0~pre01_i386.deb
libsasl2-2-modules_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-2-modules_2.1.22-0~pre01_i386.deb
libsasl2-2_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-2_2.1.22-0~pre01_i386.deb
libsasl2-dev_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-dev_2.1.22-0~pre01_i386.deb
libsasl2-modules-gssapi-heimdal_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-modules-gssapi-heimdal_2.1.22-0~pre01_i386.deb
libsasl2-modules-sql_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-modules-sql_2.1.22-0~pre01_i386.deb
libsasl2-modules_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2-modules_2.1.22-0~pre01_i386.deb
libsasl2_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/libsasl2_2.1.22-0~pre01_i386.deb
sasl2-bin_2.1.22-0~pre01_i386.deb
  to pool/main/c/cyrus-sasl-2.1/sasl2-bin_2.1.22-0~pre01_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 361937@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Fagerholm <fabbe@debian.org> (supplier of updated cyrus-sasl-2.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 19 Oct 2006 23:26:02 +0300
Source: cyrus-sasl-2.1
Binary: libsasl2-2 cyrus-sasl-2.1-bin libsasl2 libsasl2-2-dev sasl2-bin libsasl2-dev libsasl2-2-modules-gssapi-mit libsasl2-modules-gssapi-heimdal libsasl2-2-modules-otp cyrus-sasl-2.1-doc libsasl2-modules-sql libsasl2-2-modules-sql libsasl2-modules libsasl2-2-modules
Architecture: source i386 all
Version: 2.1.22-0~pre01
Distribution: experimental
Urgency: low
Maintainer: Fabian Fagerholm <fabbe@debian.org>
Changed-By: Fabian Fagerholm <fabbe@debian.org>
Description: 
 cyrus-sasl-2.1-bin - Administration programs for SASL users database
 cyrus-sasl-2.1-doc - Documentation for Cyrus SASL library and utilities
 libsasl2   - Authentication abstraction library
 libsasl2-2 - Authentication abstraction library
 libsasl2-2-dev - Development files for SASL authentication abstraction library
 libsasl2-2-modules - Pluggable Authentication Modules for SASL
 libsasl2-2-modules-gssapi-mit - Pluggable Authentication Modules for SASL (GSSAPI)
 libsasl2-2-modules-otp - Pluggable Authentication Modules for SASL (OTP)
 libsasl2-2-modules-sql - Pluggable Authentication Modules for SASL (SQL)
 libsasl2-dev - Development files for SASL authentication abstraction library
 libsasl2-modules - Pluggable Authentication Modules for SASL
 libsasl2-modules-gssapi-heimdal - Pluggable Authentication Modules for SASL (GSSAPI)
 libsasl2-modules-sql - Pluggable Authentication Modules for SASL (SQL)
 sasl2-bin  - Administration programs for SASL users database
Closes: 190658 202836 205589 211156 242184 245818 248333 251735 254298 256808 257181 257306 262339 265751 274087 274402 275498 276637 276849 282775 285605 286285 287313 296449 300710 302280 310438 314724 315177 316404 321760 324288 327479 328879 332703 336485 344686 345880 348685 354413 357527 361937 362511 365183 365287 368370 379846 392571
Changes: 
 cyrus-sasl-2.1 (2.1.22-0~pre01) experimental; urgency=low
 .
   * Acknowledged previous NMUs (Closes: #274087, #344686, #362511, #245818)
     (Closes: #276637, #285605, #332703, #336485, #345880, #357527, #379846)
     (Closes: #248333, #315177, #324288, #361937, #242184, #256808, #202836)
     (Closes: #262339, #265751, #275498, #276849)
   * Fabian Fagerholm
     - Adopted package (Closes: #368370)
     - Fixed static linking against libsasl2 (Closes: #282775)
     - Exit with an error if any of the auto* commands fail. (Closes: #321760)
     - New upstream version (Closes: #316404)
       + Fixed crash with DIGEST-MD5 (Closes: #286285, #314724)
       + Built with courier authdaemon support (Closes: #328879)
       + sql plugin respects log_level settings (Closes: #296449)
     - Included a watch file (Closes: #205589)
     - Switched from Heimdal to MIT Kerberos (Closes: #257306, #310438)
     - Repackaged upstream source to remove non-free docs (Closes: #365183)
     - Added symbol versioning (Closes: #327479)
     - Document why libsasl2-modules is recommended (Closes: #302280, #365287)
     - Strip rpath from binaries and shared libraries when build inserts one.
   * Roberto C. Sanchez
     - Added myself to Uploaders field
     - Added missing Build-Depends on groff-base
     - Changed build dependency from db4.2 to db4.4 (Closes: #354413)
     - Made it so that README.configure-options is actually populated
     - Fixed debian/rules so that bogus ldconfig calls are not in post(inst|rm)
     - Added manual page for testsaslauthd(8)
     - Improved socket and pidfile location flexibility
       (Closes: #254298, #300710, #287313)
     - Changed -modules-sql to depend on -modules (Closes: #392571)
     - Put /etc/sasl at start of the config search path (Closes: #211156)
     - Split OTP plugin into its own package (Closes: #251735)
     - Made modules suggest modules-{sql,otp,gssapi-heimdal} (Closes: #348685)
     - Fixed saslauthd init script so it gives useful error (Closes: #257181)
     - Added NTLM to -modules description (Closes: #274402)
     - Added necessary config.h and Makefile to build samples (Closes: #190658)
Files: 
 1b59eac130f785c1f390d751c50eb9cb 1320 libs important cyrus-sasl-2.1_2.1.22-0~pre01.dsc
 47424be7f2f976b40de959fe821308e2 1612191 libs important cyrus-sasl-2.1_2.1.22.orig.tar.gz
 72122bac75b27fe4f82f3ff3570594ac 38623 libs important cyrus-sasl-2.1_2.1.22-0~pre01.diff.gz
 c6ec6775496cee74d1269b8c93306495 96586 doc important cyrus-sasl-2.1-doc_2.1.22-0~pre01_all.deb
 35b71f2bb85f205c043662b773a63388 96044 utils important cyrus-sasl-2.1-bin_2.1.22-0~pre01_i386.deb
 c8fe4c25365b963903a57cf8496fffed 38696 libs important sasl2-bin_2.1.22-0~pre01_i386.deb
 244106234aac3adc1d1f7e952e4d93dc 38684 oldlibs important libsasl2_2.1.22-0~pre01_i386.deb
 45ff84eb7261a35708586449da9b90a4 97556 libs important libsasl2-2_2.1.22-0~pre01_i386.deb
 fbe701feab3406f8f81463ef0e5ba4bd 38706 oldlibs important libsasl2-modules_2.1.22-0~pre01_i386.deb
 485f5b121078de5b6cc31c536fc2a6b6 144452 libs important libsasl2-2-modules_2.1.22-0~pre01_i386.deb
 1791ba0603100e48c129af5a4910669d 69586 libs optional libsasl2-2-modules-otp_2.1.22-0~pre01_i386.deb
 5ab82e92327e2971e671071fec383e1b 38714 oldlibs important libsasl2-modules-sql_2.1.22-0~pre01_i386.deb
 ae5826556e94222904e0e40bd0218df8 58720 libs optional libsasl2-2-modules-sql_2.1.22-0~pre01_i386.deb
 3b09f26d0b41be509b4fbc8305462dc7 38740 oldlibs important libsasl2-modules-gssapi-heimdal_2.1.22-0~pre01_i386.deb
 bb2afbbb23630128d7bf384cc19cb90b 60464 libs optional libsasl2-2-modules-gssapi-mit_2.1.22-0~pre01_i386.deb
 fb7d5bbba30cc041b1bf6d2da7b216f1 38706 oldlibs important libsasl2-dev_2.1.22-0~pre01_i386.deb
 407a2c1962d232bfe0125ab6aa938d5f 254872 libdevel optional libsasl2-2-dev_2.1.22-0~pre01_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFN+WE76VUNpZBmeIRAiSoAJ9CwVgUjeRTu8olBC3aME1YdW3OngCfUQtr
4O8S+CUd53fCiIMCZOFcZhc=
=tnmS
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.