security advisory regarding cyrus-sasl?
Marcus Meissner
meissner at suse.de
Wed Apr 12 15:02:49 EDT 2006
On Wed, Apr 12, 2006 at 08:41:09PM +0200, Marcel Holtmann wrote:
> Hi Alexey,
>
> > >We saw this advisory for cyrus-sasl, but can't see the problem
> > >or the real issue.
> > >
> > >http://labs.musecurity.com/advisories/MU-200604-01.txt
> > >
> > >Is this issue for real?
> > >
> > >
> > Yes, certain malformed input can cause segfault in the server side
> > DIGEST-MD5 plugin.
> > DIGEST-MD5 client side might be affected as well.
>
> the advisory speaks about cyrus-sasl-2.1.18 and is really vague. Can you
> tell us when it got fixed and point to an actual patch in the CVS. I
> assume that this issue has already been fixed in version 2.1.20, but
> also I might be wrong with this assumption.

I found this one:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171

a heap buffer overflow?

Ciao, Marcus