Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#36906 - [cyrus-sasl] security patch for CVE-2013-4122
Attached to Project:
Arch Linux
Opened by RbN (RbN) - Thursday, 12 September 2013, 16:53 GMT
Last edited by Jan de Groot (JGC) - Monday, 30 September 2013, 09:24 GMT
Details
Description from oss-sec [2]:
> Starting with glibc 2.17 (eglibc 2.17), crypt() fails with
> EINVAL (w/ NULL return) if the salt violates specifications.
> Additionally, on FIPS-140 enabled Linux systems, DES/MD5-encrypted
> passwords passed to crypt() fail with EPERM (w/ NULL return).
>
> When authenticating against Cyrus-sasl via mechanisms that use
> glibc's crypt (e.g. getpwent or shadow auth. mechs), and this
> crypt() returns a NULL as glibc 2.17+ does on above-described
> input, the client crashes the authentication daemon resulting
> in a DoS.
Resolution: upstream patch [1]
[1] http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
[2] http://www.openwall.com/lists/oss-security/2013/07/12/3
not tested
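The failure mode described above, as an added illustration (not cyrus-sasl's own code and not the upstream patch): a daemon that feeds a stored hash to crypt() should pre-screen the salt and must treat a NULL return as an authentication error rather than dereference it. The salt grammar below is an approximation of glibc's checks and the `fips_mode` flag is an assumption standing in for the FIPS-140 EPERM case; the crypt() call itself is left to the caller.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum auth_result { AUTH_OK, AUTH_FAIL, AUTH_ERROR };

/* Alphabet glibc's crypt() accepts in salt positions. */
static int salt_char_ok(char c)
{
    return c == '.' || c == '/' || (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Pre-screen a stored hash before it becomes crypt()'s salt argument.
 * Approximation of glibc's rules: DES needs two alphabet chars (else
 * EINVAL); $1$ is MD5; $5$/$6$ are SHA-2 with an optional rounds=N$
 * field. With fips_mode set, DES and MD5 are refused, mirroring the
 * EPERM case in the report. Returns 1 if crypt() may be called. */
int crypt_salt_is_valid(const char *stored, int fips_mode)
{
    if (stored == NULL)
        return 0;
    if (stored[0] != '$')
        return !fips_mode && salt_char_ok(stored[0]) && salt_char_ok(stored[1]);
    if (strncmp(stored, "$1$", 3) == 0)
        return !fips_mode;
    if (strncmp(stored, "$5$", 3) == 0 || strncmp(stored, "$6$", 3) == 0) {
        const char *p = stored + 3;
        if (strncmp(p, "rounds=", 7) == 0) {
            size_t d = strspn(p + 7, "0123456789");
            if (d == 0 || p[7 + d] != '$')
                return 0;  /* malformed rounds field */
        }
        return 1;
    }
    return 0;  /* unknown $id$ prefix */
}

/* Judge the value crypt()/crypt_r() returned. NULL is the EINVAL/EPERM
 * path from the report: report an error, never compare through it.
 * A non-NULL result is compared in constant time against the stored hash. */
enum auth_result judge_crypt_result(const char *computed, const char *stored)
{
    if (computed == NULL)
        return AUTH_ERROR;  /* errno carries EINVAL or EPERM */
    size_t n = strlen(stored);
    if (strlen(computed) != n)
        return AUTH_FAIL;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0 ? AUTH_OK : AUTH_FAIL;
}
```

In the daemon, `computed` is what `crypt_r(password, stored, &data)` returns; calling `judge_crypt_result` with a constructed NULL shows the crash path becoming a clean AUTH_ERROR.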
This task depends upon
Closed by Jan de Groot (JGC)
Monday, 30 September 2013, 09:24 GMT
Reason for closing: Fixed
Additional comments about closing: Will be in -6.
Comment by RbN (RbN) -
Thursday, 12 September 2013, 16:54 GMT
(if you think I should improve something in the bugs I report concerning security issues, tell me ;)