
Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution



On Mon, Jun 01, 2009 at 02:42:10PM +0200, Nico Golde wrote:

> James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
> a free library implementing the Simple Authentication and Security Layer,
> suffers from a missing null termination in certain situations.  This causes
> several buffer overflows in situations where cyrus-sasl2 itself requires
> the string to be null terminated, which can lead to denial of service or
> arbitrary code execution.

> For the oldstable distribution (etch), this problem will be fixed soon.

2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
appears to fix this problem, but no subsequent advisory has been released.
Is this an oversight?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
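The defect class the quoted advisory describes (an encoder that leaves its output unterminated when the caller's buffer is exactly the encoded size, so later code that expects a C string reads past it) is illustrated here with an added example; this is not cyrus-sasl2's code. The hypothetical `encode64_checked()` follows the parameter layout of `sasl_encode64()` (in, inlen, out, outmax, outlen) but sizes the buffer with the NUL included and refuses to encode otherwise, so its result is always a valid C string.

```c
#include <stddef.h>
#include <string.h>

/* RFC 4648 base64 alphabet. */
static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Output bytes needed for inlen input bytes, trailing NUL included.
 * Callers should size their buffer with this, not with 4*ceil(n/3). */
size_t encode64_needed(size_t inlen)
{
    return ((inlen + 2) / 3) * 4 + 1;
}

/* Hypothetical encoder (not the library's code): refuses to run unless the
 * caller's buffer has room for the NUL, so out is always terminated.
 * Returns 0 on success, -1 when outmax is too small (out is left untouched). */
int encode64_checked(const unsigned char *in, size_t inlen,
                     char *out, size_t outmax, size_t *outlen)
{
    size_t i, o = 0;

    if (outmax < encode64_needed(inlen))
        return -1;

    for (i = 0; i + 2 < inlen; i += 3) {     /* full 3-byte groups */
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = B64_ALPHABET[(v >> 18) & 63];
        out[o++] = B64_ALPHABET[(v >> 12) & 63];
        out[o++] = B64_ALPHABET[(v >> 6) & 63];
        out[o++] = B64_ALPHABET[v & 63];
    }
    if (i < inlen) {                         /* 1 or 2 leftover bytes: '=' padding */
        unsigned v = in[i] << 16;
        if (i + 1 < inlen) v |= in[i + 1] << 8;
        out[o++] = B64_ALPHABET[(v >> 18) & 63];
        out[o++] = B64_ALPHABET[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? B64_ALPHABET[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';                           /* always terminate; outmax > o holds here */
    if (outlen) *outlen = o;
    return 0;
}
```

A buffer of exactly 4*ceil(n/3) bytes is rejected rather than silently left unterminated, which is the check a caller of the real function needs to make on its own.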

