Any info on CVE-2006-1721 ?
Alexey Melnikov
alexey.melnikov at isode.com
Tue Oct 10 10:01:43 EDT 2006
Biswatosh wrote:
>Alexei,
>
>1)Any reason for this validation:
>(text->realm[0] != 0)) ?
>
>2)What if,
> (a) realm != NULL
> and (b) strcmp(realm,text->realm) != 0
> and (c) text->realm[0] == 0 , are all true?
>If a,b and c are true then it won't return
>SASL_BADAUTH
>and won't set error to "realm changed: authentication
>aborted". But then, has not the realm actually changed
>because of (b)? Should we not throw an error then?
>
>
In practice text->realm is always a non-empty string, the
get_server_realm() function guarantees that (*).
What the code should really be doing is this:

    if (realm == NULL) {
        if (text->realm[0] != '\0') {
            SETERROR(sparams->utils,
                     "realm changed: authentication aborted");
            result = SASL_BADAUTH;
            goto FreeAllMem;
        }
    } else if ((strcmp(realm, text->realm) != 0)) {
        SETERROR(sparams->utils,
                 "realm changed: authentication aborted");
        result = SASL_BADAUTH;
        goto FreeAllMem;
    }

I.e. "realm == NULL" must be treated as realm being "" (as per RFC 2831).
This is almost what is in 2.1.22. 2.1.22 contains:

    } else if ((strcmp(realm, text->realm) != 0) &&
               (text->realm[0] != 0)) {

but the second test should be removed, as it is meaningless anyway.
(*) well, it will return an empty string if params->serverFQDN is the
empty string, but this should not happen.
>Thanks
>Biswatosh
>
>--- Alexey Melnikov <alexey.melnikov at isode.com> wrote:
>
>
>>Biswatosh wrote:
>>
>>
>>>Thanks Alexei.
>>>
>>>Could you or anybody else point out the CMU SASL page
>>>where I can get info about what to set CVSROOT to
>>>and etc?
>>>Must I become a member of sasl-cvs? And,then what?
>>>
>>>Or,to cut it short, please just tell me the lines
>>>changed in digestmd5.c for that bug.
>>>
>>>
>>The patch attached.
>>
>>
>>>Index: digestmd5.c
>>>
>>>
>===================================================================
>
>
>>RCS file: /cvs/src/sasl/plugins/digestmd5.c,v
>>retrieving revision 1.173
>>retrieving revision 1.175
>>diff -u -r1.173 -r1.175
>>--- digestmd5.c 29 Jul 2004 19:21:57 -0000 1.173
>>+++ digestmd5.c 27 Dec 2004 21:30:43 -0000 1.175
>>@@ -2242,7 +2242,8 @@
>> }
>>
>> /* Sanity check the parameters */
>>- if (strcmp(realm, text->realm) != 0) {
>>+ if (((realm != NULL) && (strcmp(realm,
>>text->realm) != 0)) &&
>>+ (text->realm[0] != 0)) {
>> SETERROR(sparams->utils,
>> "realm changed: authentication aborted");
>> result = SASL_BADAUTH;
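Review bot: In the new sanity-check condition, `realm != NULL` only guards the strcmp, so a response with no realm skips the comparison entirely and is accepted even when text->realm is non-empty. The trailing `(text->realm[0] != 0)` also lets any mismatching realm through whenever text->realm is empty. Suggest handling the NULL case on its own branch (return SASL_BADAUTH when realm is NULL and text->realm[0] != '\0') and dropping the second test, so that every strcmp mismatch is rejected.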
>>
>>
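Added example, not part of the original message or the Cyrus SASL source: the three realm checks discussed in this thread (the r1.175 diff, the condition quoted from 2.1.22, and the proposed form) as standalone C functions run over constructed inputs, showing the cases where they disagree. The function names, the CHECK_* codes and the sample realms are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for SASL_OK / SASL_BADAUTH; values are local to this example. */
enum { CHECK_OK = 0, CHECK_BADAUTH = 1 };

/* Condition from the r1.175 diff quoted in the thread. */
static int check_r1_175(const char *realm, const char *server_realm)
{
    if ((realm != NULL && strcmp(realm, server_realm) != 0) &&
        server_realm[0] != 0)
        return CHECK_BADAUTH;
    return CHECK_OK;
}

/* Condition as the message quotes it from 2.1.22. */
static int check_2_1_22(const char *realm, const char *server_realm)
{
    if (realm == NULL) {
        if (server_realm[0] != '\0')
            return CHECK_BADAUTH;
    } else if (strcmp(realm, server_realm) != 0 && server_realm[0] != 0) {
        return CHECK_BADAUTH;
    }
    return CHECK_OK;
}

/* Condition the message proposes: a NULL realm is treated as "". */
static int check_proposed(const char *realm, const char *server_realm)
{
    if (realm == NULL) {
        if (server_realm[0] != '\0')
            return CHECK_BADAUTH;
    } else if (strcmp(realm, server_realm) != 0) {
        return CHECK_BADAUTH;
    }
    return CHECK_OK;
}

int main(void)
{
    /* Constructed inputs: {realm from the client, server realm}. */
    const char *cases[][2] = {
        { NULL, "example.com" }, { NULL, "" }, { "example.com", "example.com" },
        { "other", "example.com" }, { "other", "" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = cases[i][0], *s = cases[i][1];
        printf("realm=%-12s server=%-12s r1.175=%d 2.1.22=%d proposed=%d\n",
               r ? r : "(null)", s, check_r1_175(r, s),
               check_2_1_22(r, s), check_proposed(r, s));
    }
    return 0;
}
```

The rows where the columns differ are the missing realm against a non-empty server realm (accepted only by the r1.175 condition) and a non-matching realm against an empty server realm (rejected only by the proposed form).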