SecurityTracker.com
Category:   Application (Security)  >   Cyrus SASL
Vendors:   Carnegie Mellon University
(Fedora Issues Fix for FC2) Cyrus SASL SASL_PATH Environment Variable May Let Local Users Gain Elevated Privileges and Buffer Overflow May Permit Remote Code Execution
SecurityTracker Alert ID:  1011730
SecurityTracker URL:  http://securitytracker.com/id/1011730
CVE Reference:   CVE-2004-0884, CVE-2005-0373
Date:  Oct 16 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.1.19 and prior versions
Description:   Two vulnerabilities were reported in Cyrus SASL. A local user may be able to gain elevated privileges on the target system. A remote user may be able to execute arbitrary code on the target system.

The vendor reported that a local user may be able to modify the SASL_PATH environment variable to cause a privileged application to load alternate library files from an arbitrary user-specified directory, resulting in the execution of arbitrary code [CVE: CVE-2004-0884].

Gentoo reported that there is also a buffer overflow in 'digestmd5.c' [CVE: CVE-2005-0373]. A remote user may be able to execute arbitrary code on the target system.

Impact:   A local user may be able to gain elevated privileges on the target system.

A remote user may be able to execute arbitrary code on the target system.

Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


Vendor URL:  asg.web.cmu.edu/sasl/
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 7 2004 Cyrus SASL SASL_PATH Environment Variable May Let Local Users Gain Elevated Privileges and Buffer Overflow May Permit Remote Code Execution



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: cyrus-sasl-2.1.18-2.2



---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-331
2004-10-08
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : cyrus-sasl
Version     : 2.1.18
Release     : 2.2
Summary     : The Cyrus SASL library.
Description :
The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.

---------------------------------------------------------------------
Update Information:

At application startup, libsasl and libsasl2 attempt to build a list
of all SASL plug-ins which are available on the system.  To do so,
the libraries search for and attempt to load every shared library
found within the plug-in directory.  This location can be set with
the SASL_PATH environment variable.

In situations where an untrusted local user can affect the
environment of a privileged process, this behavior could be exploited
to run arbitrary code with the privileges of a setuid or setgid
application.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which
contain backported patches and are not vulnerable to this issue.

---------------------------------------------------------------------

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.2

- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.1

- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

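The SASL_PATH behavior in the update notice above, as an added example that is not Cyrus SASL's code or the Fedora patch: the plug-in search path is resolved once with the environment trusted unconditionally and once with the environment ignored in setuid/setgid contexts. The function names, the `proc_ids` struct and the default directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed compiled-in plug-in directory; the real value is build-specific. */
#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"

/* Real and effective IDs, passed explicitly so the check can be tested. */
struct proc_ids { uid_t ruid, euid; gid_t rgid, egid; };

struct proc_ids current_ids(void) {
    struct proc_ids p = { getuid(), geteuid(), getgid(), getegid() };
    return p;
}

/* Nonzero when the process runs setuid or setgid: the invoking user
 * controls the environment but does not hold the effective privileges. */
int is_privileged(const struct proc_ids *p) {
    return p->ruid != p->euid || p->rgid != p->egid;
}

/* Behavior the advisory describes as vulnerable: SASL_PATH always wins,
 * so every shared library in that directory would be loaded. */
const char *plugin_path_legacy(const char *env_value) {
    return (env_value && *env_value) ? env_value : DEFAULT_PLUGIN_DIR;
}

/* Behavior matching the changelog entry "don't trust the environment in
 * setuid/setgid contexts": fall back to the compiled-in directory. */
const char *plugin_path_hardened(const struct proc_ids *p,
                                 const char *env_value) {
    if (is_privileged(p))
        return DEFAULT_PLUGIN_DIR;
    return (env_value && *env_value) ? env_value : DEFAULT_PLUGIN_DIR;
}

int main(void) {
    struct proc_ids me = current_ids();
    const char *env = getenv("SASL_PATH");
    printf("privileged=%d legacy=%s hardened=%s\n", is_privileged(&me),
           plugin_path_legacy(env), plugin_path_hardened(&me, env));
    return 0;
}
```
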

 
 



Copyright 2019, SecurityGlobal.net LLC