security advisory regarding cyrus-sasl?
Marcus Meissner
meissner at suse.de
Tue Apr 18 06:01:52 EDT 2006
On Thu, Apr 13, 2006 at 04:05:56PM +0200, Marcel Holtmann wrote:
> Hi Alexey,
>
> > >the advisory speaks about cyrus-sasl-2.1.18 and is really vague. Can you
> > >tell us when it got fixed and point to the actual patch in the CVS? I assume
> > >that this issue has already been fixed in version 2.1.20, but I might be
> > >wrong.
> > >
> > >
> > Yes, 2.1.20 should do. 2.1.21 doesn't segfault. I didn't test any
> > versions in between.
>
> can you point us to the fix in the CVS for this problem, it would be
> terrific to know for sure how it has been fixed.

It is apparently:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.173&r2=1.175

(Thanks to the guy who mailed me off-list ;)

> Do you also have some code for testing this, so we can verify this
> problem by ourselves?

Lack of realm component can cause a NULL pointer deref (I think).

Ciao, Marcus