Any info on CVE-2006-1721 ?

Alexey Melnikov alexey.melnikov at isode.com
Tue Oct 10 10:01:43 EDT 2006 

Biswatosh wrote:

>Alexei,
>
>1)Any reason for this validation:
>(text->realm[0] != 0)) ?
>
>2)What if, 
>         (a) realm != NULL 
>     and (b) strcmp(realm,text->realm) != 0
>     and (c) text->realm[0] == 0 ,  are all true?
>If a,b and c are true then it won't return
>SASL_BADAUTH
>and won't set error to "realm changed: authentication
>aborted". But then, has not the realm actually changed
>because of (b)? Should we not throw an error then?
>  
>
In practice text->realm is always non-empty string, the 
get_server_realm() function guaranties that (*).
What the code should really be doing is this:

    if (realm == NULL) {
        if (text->realm[0] != '\0') {
            SETERROR(sparams->utils,
                     "realm changed: authentication aborted");
            result = SASL_BADAUTH;
            goto FreeAllMem;
        }

    } else if ((strcmp(realm, text->realm) != 0)) {
        SETERROR(sparams->utils,
                 "realm changed: authentication aborted");
        result = SASL_BADAUTH;
        goto FreeAllMem;
    }

I.e. "realm == NULL" must be treated as realm being "" (as per RFC 2831).

This is almost what is in 2.1.22. 2.1.22 contains:
    } else if ((strcmp(realm, text->realm) != 0) &&
              (text->realm[0] != 0)) {
but the second test should be removed, as it is meaningless anyway.

(*) well, it will return an empty string if params->serverFQDN is the 
empty string, but this should not happen.

>Thanks
>Biswatosh
>
>--- Alexey Melnikov <alexey.melnikov at isode.com> wrote:
>  
>
>>Biswatosh wrote:
>>    
>>
>>>Thanks Alexei.
>>>
>>>Cud u or anybody else point out the CMU SASL page
>>>where I can get info about what to set CVSROOT to
>>>      
>>>
>>>and etc?
>>>Must I become a member of sasl-cvs? And,then what?
>>>
>>>Or,to cut it short, please just tell me the lines
>>>changed in digestmd5.c for that bug.
>>>      
>>>
>>The patch attached.
>>    
>>
>>>Index: digestmd5.c
>>>      
>>>
>===================================================================
>  
>
>>RCS file: /cvs/src/sasl/plugins/digestmd5.c,v
>>retrieving revision 1.173
>>retrieving revision 1.175
>>diff -u -r1.173 -r1.175
>>--- digestmd5.c	29 Jul 2004 19:21:57 -0000	1.173
>>+++ digestmd5.c	27 Dec 2004 21:30:43 -0000	1.175
>>@@ -2242,7 +2242,8 @@
>>     }
>> 
>>     /* Sanity check the parameters */
>>-    if (strcmp(realm, text->realm) != 0) {
>>+    if (((realm != NULL) && (strcmp(realm,
>>text->realm) != 0)) &&
>>+	(text->realm[0] != 0)) {
>> 	SETERROR(sparams->utils,
>> 		 "realm changed: authentication aborted");
>> 	result = SASL_BADAUTH;
>>    
>>

More information about the Cyrus-sasl mailing list