Cyrus-SASL SASL_PATH environment variable

cyrus-sasl-saslpath (17643)

High Risk

Description:

Carnegie Mellon University's Cyrus-SASL library could allow a local attacker to supply a specially-crafted SASL_PATH environment variable and possibly execute arbitrary code on the system.

Platforms Affected:

• Carnegie Mellon University, Cyrus-SASL
• Conectiva, Linux 10
• Conectiva, Linux 9.0
• Debian, Debian Linux 3.0
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 10.0
• MandrakeSoft, Mandrake Linux 10.0 AMD64
• MandrakeSoft, Mandrake Linux 9.2 AMD64
• MandrakeSoft, Mandrake Linux 9.2
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• OpenPKG, OpenPKG 2.1
• OpenPKG, OpenPKG 2.2
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 AW
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SuSE, Linux Enterprise Server 9
• SuSE, SuSE Linux 8.1
• SuSE, SuSE Linux 9.1
• Trustix, Enterprise Server 2
• Trustix, Secure Linux 2.0
• Trustix, Secure Linux 2.1

Remedy:

For Gentoo Linux:
Upgrade to the latest version of Cyrus-SASL (2.1.18-r2 or later), as listed in GLSA 200410-05 / Cyrus-SASL. See References.

For Red Hat Linux:
Upgrade to the latest cyrus-sasl package, as listed below. Refer to RHSA-2004:546-18 for more information. See References.

Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 2.1.15-10 or later

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), Advanced Workstation (v.2.1): 1.5.24-26 or later

For Mandrake Linux:
Upgrade to the latest cyrus-sasl package, as listed below. Refer to Mandrakesoft Security Advisory MDKSA-2004:106 for more information. See References.

Mandrake Linux 9.2: 2.1.15-4.1.92mdk or later
Mandrake Linux 10.0: 2.1.15-10.1.100mdk or later
Mandrake Linux Corporate Server 2.1: 1.5.27-5.1.C21mdk or later

For Trustix Secure Linux:
Upgrade to the latest cyrus-sasl package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0053 for more information. See References.

Trustix Secure Linux 2.0: 2.1.15-5tr or later
Trustix Secure Linux 2.1 and Enterprise Linux 2: 2.1.15-8tr or later

For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest cyrus-sasl package (1.5.27-3.1woody5 or later), as listed in DSA-563-3. See References.

For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest cyrus-sasl-mit package (1.5.24-15woody3 or later), as listed in DSA-568-1. See References.

For Trustix Secure Linux:
Upgrade to the latest cyrus-sasl package, as listed in Trustix Secure Linux Security Advisory #2004-0054 for more information. See References.

For Conectiva Linux:
Upgrade to the latest sasl2 package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:889 for more information. See References.

Conectiva Linux 10.0: 2.1.18-63272U10_2cl or later
Conectiva Linux 9: 2.1.12-23677U90_2cl or later

For OpenPKG:
Upgrade to the latest sasl package, as listed in OpenPKG Security Advisory OpenPKG-SA-2005.004. See References.

OpenPKG CURRENT: 2.2.11-20050214 or later
OpenPKG 2.2: 2.2.8-2.2.2 or later
OpenPKG 2.1: 2.1.18-2.1.1 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

• CIAC Information Bulletin P-003, Updated Cyrus-SASL Packages Fix Security Flaw at http://www.ciac.org/ciac/bulletins/p-003.shtml.
• CIAC INFORMATION BULLETIN P-156, Apple Security Update 2005-003 at http://www.ciac.org/ciac/bulletins/p-156.shtml.
• Conectiva Linux Security Announcement CLSA-2004:889, Fix for buffer overflow vulnerability at http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000889.
• Trustix Secure Linux Security Advisory #2004-0053, Insecure handling of environment variable at http://www.trustix.net/errata/2004/0053/.
• Trustix Secure Linux Security Advisory #2004-0054, Multiple security vulnerabilities at http://www.trustix.net/errata/2004/0054/.
• BID-11347: Cyrus SASL Multiple Remote And Local Vulnerabilities
• CVE-2004-0884: The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
• DSA-563: cyrus-sasl -- unsanitised input
• DSA-568: cyrus-sasl-mit -- unsanitised input
• GLSA-200410-05: Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities
• MDKSA-2004:106: Updated cyrus-sasl packages fix local vulnerability
• OpenPKG-SA-2005.004: SASL
• RHSA-2004-546: cyrus-sasl security update
• SUSE-SA:2004:037: kernel: remote denial of service

Reported:

Oct 07, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page