cyrus-sasl2: CVE-2019-19906: Off-by-one in _sasl_add_string function

Related Vulnerabilities: CVE-2019-19906  

Debian Bug report logs - #947043

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 19 Dec 2019 20:21:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions cyrus-sasl2/2.1.27~101-g0780600+dfsg-3, cyrus-sasl2/2.1.27+dfsg-1

Forwarded to https://github.com/cyrusimap/cyrus-sasl/issues/587



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>:
Bug#947043; Package src:cyrus-sasl2. (Thu, 19 Dec 2019 20:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Thu, 19 Dec 2019 20:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Date: Thu, 19 Dec 2019 21:19:19 +0100
Source: cyrus-sasl2
Version: 2.1.27+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
Control: found -1 2.1.27~101-g0780600+dfsg-3

Hi,

The following vulnerability was published for cyrus-sasl2.

CVE-2019-19906[0]:
Off by one in _sasl_add_string function

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
[1] https://github.com/cyrusimap/cyrus-sasl/issues/587

Regards,
Salvatore



Marked as found in versions cyrus-sasl2/2.1.27~101-g0780600+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 19 Dec 2019 20:21:04 GMT)


Changed Bug title to 'cyrus-sasl2: CVE-2019-19906: Off-by-one in _sasl_add_string function' from 'cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 21:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>:
Bug#947043; Package src:cyrus-sasl2. (Thu, 19 Dec 2019 22:00:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Thu, 19 Dec 2019 22:00:03 GMT)


Message #14 received at 947043@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 947043@bugs.debian.org
Subject: Re: Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Date: Thu, 19 Dec 2019 22:56:58 +0100
Control: tags -1 + patch

Hi,

On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> Source: cyrus-sasl2
> Version: 2.1.27+dfsg-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
> Control: found -1 2.1.27~101-g0780600+dfsg-3
> 
> Hi,
> 
> The following vulnerability was published for cyrus-sasl2.
> 
> CVE-2019-19906[0]:
> Off by one in _sasl_add_string function
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-19906
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
> [1] https://github.com/cyrusimap/cyrus-sasl/issues/587

Attached patch for this issue.

Regards,
Salvatore
[0021-CVE-2019-19906.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 947043-submit@bugs.debian.org. (Thu, 19 Dec 2019 22:00:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>:
Bug#947043; Package src:cyrus-sasl2. (Fri, 20 Dec 2019 01:15:03 GMT)


Acknowledgement sent to Roberto C. Sánchez <roberto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Fri, 20 Dec 2019 01:15:03 GMT)


Message #21 received at 947043@bugs.debian.org:

From: Roberto C. Sánchez <roberto@debian.org>
To: Debian Cyrus Team <team+cyrus@tracker.debian.org>
Cc: 947043@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Date: Thu, 19 Dec 2019 20:06:19 -0500
On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> 
> The following vulnerability was published for cyrus-sasl2.
> 
> CVE-2019-19906[0]:
> Off by one in _sasl_add_string function
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
Hi Team,

Is anybody already working on this update?  If not, I can start on it
possibly tomorrow or perhaps the day after.

Salvatore,

If I (or someone else on the team) prepares the upload, do we go ahead
and make the upload then let the security team handle the DSA
publication?

Regards,

-Roberto

-- 
Roberto C. Sánchez



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>:
Bug#947043; Package src:cyrus-sasl2. (Fri, 20 Dec 2019 07:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Fri, 20 Dec 2019 07:39:03 GMT)


Message #26 received at 947043@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Roberto C. Sánchez <roberto@debian.org>, 947043@bugs.debian.org
Cc: Debian Cyrus Team <team+cyrus@tracker.debian.org>, team@security.debian.org
Subject: Re: Bug#947043: cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function
Date: Fri, 20 Dec 2019 08:36:00 +0100
Hi Roberto,

On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> > 
> > The following vulnerability was published for cyrus-sasl2.
> > 
> > CVE-2019-19906[0]:
> > Off by one in _sasl_add_string function
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> Hi Team,
> 
> Is anybody already working on this update?  If not, I can start on it
> possibly tomorrow or perhaps the day after.
> 
> Salvatore,
> 
> If I (or someone else on the team) prepares the upload, do we go ahead
> and make the upload then let the security team handle the DSA
> publication?

I already started yesterday, and have buster and stretch packages,
will likely release the DSA later today or tomorrow. So far tested
just lightly for stretch but will double check explicitly against
openldap.

unstable would still need an update as well.

Can you then later import the changes into the packaging repository in
the appropriate branches?

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Dec 20 09:09:01 2019; Machine Name: beach
