Debian Security Advisory

DSA-1807-1 cyrus-sasl2, cyrus-sasl2-heimdal -- buffer overflow

Date Reported:
01 Jun 2009
Affected Packages:
cyrus-sasl2, cyrus-sasl2-heimdal
Security database references:
In the Debian bugtracking system: Bug 528749.
In Mitre's CVE dictionary: CVE-2009-0688.
CERT's vulnerabilities, advisories and incident notes: VU#238019.
More information:

James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution.

Important notice (Quoting from US-CERT): While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:

/* base64 encode
* in -- input data
* inlen -- input data length
* out -- output buffer (will be NUL terminated)
* outmax -- max size of output buffer
* result:
* outlen -- gets actual length of output buffer (optional)
* Returns SASL_OK on success, SASL_BUFOVER if result won't fit
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
char *out, unsigned outmax,
unsigned *outlen);

Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.

Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.

For the oldstable distribution (etch), this problem has been fixed in version 2.1.22.dfsg1-8+etch1 of cyrus-sasl2.

For the stable distribution (lenny), this problem has been fixed in version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.