Any info on CVE-2006-1721 ?

Alexey Melnikov alexey.melnikov at isode.com
Tue Oct 3 13:38:01 EDT 2006


Biswatosh wrote:

>Thanks Alexei.
>
>Could you or anybody else point out the CMU SASL page
>where I can get info about what to set CVSROOT to and
>etc?
>Must I become a member of sasl-cvs? And, then what?
>
>Or, to cut it short, please just tell me the lines
>changed in digestmd5.c for that bug.
>  
>
The patch attached.


Index: digestmd5.c
===================================================================
RCS file: /cvs/src/sasl/plugins/digestmd5.c,v
retrieving revision 1.173
retrieving revision 1.175
diff -u -r1.173 -r1.175
--- digestmd5.c	29 Jul 2004 19:21:57 -0000	1.173
+++ digestmd5.c	27 Dec 2004 21:30:43 -0000	1.175
@@ -2242,7 +2242,8 @@
     }
 
     /* Sanity check the parameters */
-    if (strcmp(realm, text->realm) != 0) {
+    if (((realm != NULL) && (strcmp(realm, text->realm) != 0)) &&
+	(text->realm[0] != 0)) {
 	SETERROR(sparams->utils,
 		 "realm changed: authentication aborted");
 	result = SASL_BADAUTH;
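Review bot: the new condition skips the realm comparison entirely whenever `realm` is NULL, so a response that omits the realm directive is accepted without any check against `text->realm`; if that is intended (a client may omit the realm when the server offered none), a short comment saying so would help, otherwise a NULL `realm` while `text->realm` is non-empty should probably take the same `SASL_BADAUTH` path rather than fall through. The old `strcmp(realm, text->realm)` dereferenced `realm` unconditionally, which is the crash this hunk guards against. Minor: the outer parentheses around `(realm != NULL) && (strcmp(realm, text->realm) != 0)` are redundant, the continuation line indents with a tab while the surrounding lines use spaces, and `text->realm[0]` is still dereferenced without a NULL check, so it is worth confirming `text->realm` is always set by this point.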

