Cyrus-SASL SASL_PATH environment variable

cyrus-sasl-saslpath (17643)

High Risk

Description:

Carnegie Mellon University's Cyrus-SASL library could allow a local attacker to supply a specially-crafted SASL_PATH environment variable and possibly execute arbitrary code on the system.

Consequences:

Gain Privileges

Remedy:

For Gentoo Linux:
Upgrade to the latest version of Cyrus-SASL (2.1.18-r2 or later), as listed in GLSA 200410-05 / Cyrus-SASL. See References.

For Red Hat Linux:
Upgrade to the latest cyrus-sasl package, as listed below. Refer to RHSA-2004:546-18 for more information. See References.

Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 2.1.15-10 or later

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), Advanced Workstation (v.2.1): 1.5.24-26 or later

For Mandrake Linux:
Upgrade to the latest cyrus-sasl package, as listed below. Refer to Mandrakesoft Security Advisory MDKSA-2004:106 for more information. See References.

Mandrake Linux 9.2: 2.1.15-4.1.92mdk or later
Mandrake Linux 10.0: 2.1.15-10.1.100mdk or later
Mandrake Linux Corporate Server 2.1: 1.5.27-5.1.C21mdk or later

For Trustix Secure Linux:
Upgrade to the latest cyrus-sasl package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0053 for more information. See References.

Trustix Secure Linux 2.0: 2.1.15-5tr or later
Trustix Secure Linux 2.1 and Enterprise Linux 2: 2.1.15-8tr or later

For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest cyrus-sasl package (1.5.27-3.1woody5 or later), as listed in DSA-563-3. See References.

For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest cyrus-sasl-mit package (1.5.24-15woody3 or later), as listed in DSA-568-1. See References.

For Trustix Secure Linux:
Upgrade to the latest cyrus-sasl package, as listed in Trustix Secure Linux Security Advisory #2004-0054 for more information. See References.

For Conectiva Linux:
Upgrade to the latest sasl2 package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:889 for more information. See References.

Conectiva Linux 10.0: 2.1.18-63272U10_2cl or later
Conectiva Linux 9: 2.1.12-23677U90_2cl or later

For OpenPKG:
Upgrade to the latest sasl package, as listed in OpenPKG Security Advisory OpenPKG-SA-2005.004. See References.

OpenPKG CURRENT: 2.2.11-20050214 or later
OpenPKG 2.2: 2.2.8-2.2.2 or later
OpenPKG 2.1: 2.1.18-2.1.1 or later

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• CIAC Information Bulletin P-003: Updated Cyrus-SASL Packages Fix Security Flaw.
• CIAC INFORMATION BULLETIN P-156: Apple Security Update 2005-003.
• Conectiva Linux Security Announcement CLSA-2004:889: Fix for buffer overflow vulnerability.
• Trustix Secure Linux Security Advisory #2004-0053: Insecure handling of environment variable.
• Trustix Secure Linux Security Advisory #2004-0054: Multiple security vulnerabilities.
• BID-11347: Cyrus SASL Multiple Remote And Local Vulnerabilities
• CVE-2004-0884: The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
• DSA-563: cyrus-sasl -- unsanitised input
• DSA-568: cyrus-sasl-mit -- unsanitised input
• GLSA-200410-05: Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities
• MDKSA-2004:106: Updated cyrus-sasl packages fix local vulnerability
• OpenPKG-SA-2005.004: SASL
• RHSA-2004-546: cyrus-sasl security update
• SUSE-SA:2004:037: kernel: remote denial of service

Platforms Affected:

• Carnegie Mellon University Cyrus-SASL
• Conectiva Linux 10
• Conectiva Linux 9.0
• Debian Debian Linux 3.0
• Gentoo Linux
• MandrakeSoft Mandrake Linux 10.0 AMD64
• MandrakeSoft Mandrake Linux 10.0
• MandrakeSoft Mandrake Linux 9.2
• MandrakeSoft Mandrake Linux 9.2 AMD64
• MandrakeSoft Mandrake Linux Corporate Server 2.1
• MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
• OpenPKG OpenPKG 2.1
• OpenPKG OpenPKG 2.2
• OpenPKG OpenPKG CURRENT
• RedHat Enterprise Linux 2.1 AS
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 2.1 AW
• RedHat Enterprise Linux 3 Desktop
• RedHat Enterprise Linux 3 ES
• RedHat Enterprise Linux 3 WS
• RedHat Enterprise Linux 3 AS
• RedHat Linux Advanced Workstation 2.1 Itanium
• SuSE Linux Enterprise Server 9
• SUSE SuSE Linux 8.1
• SUSE SuSE Linux 9.1
• Trustix Enterprise Server 2
• Trustix Secure Linux 2.0
• Trustix Secure Linux 2.1

Reported:

Oct 07, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page