lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1CI6tL-000pvXC__23738.7363137261$1097780121$gmane$org@finlandia.Infodrom.North.DE>
Date: Thu, 14 Oct 2004 16:47:43 +0200 (CEST)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 563-3] New cyrus-sasl packages fix arbitrary code execution on sparc and arm


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 563-3                     security@...ian.org
http://www.debian.org/security/                             Martin Schulze
October 14th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cyrus-sasl
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

This advisory is an addition to DSA 563-1 and 563-2 which weren't able
to supersede the library on sparc and arm due to a different version
number for them in the stable archive.  Other architectures were
updated properly.  Another problem was reported in connection with
sendmail, though, which should be fixed with this update as well.

For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3.1woody5.

For reference the advisory text follows:

  A vulnerability has been discovered in the Cyrus implementation of
  the SASL library, the Simple Authentication and Security Layer, a
  method for adding authentication support to connection-based
  protocols.  The library honors the environment variable SASL_PATH
  blindly, which allows a local user to link against a malicious
  library to run arbitrary code with the privileges of a setuid or
  setgid application.

  For the unstable distribution (sid) this problem has been fixed in
  version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
  cyrus-sasl2.

We recommend that you upgrade your libsasl packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3.1woody5.dsc
      Size/MD5 checksum:      715 cdce985e2ba692a11997a311d656511d
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3.1woody5.diff.gz
      Size/MD5 checksum:    40625 ae2eeaa949464a5dd01a4e52183476b2
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27.orig.tar.gz
      Size/MD5 checksum:   528252 76ea426e2e2da3b8d2e3a43af5488f3b

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_alpha.deb
      Size/MD5 checksum:    76224 f90bf340c1af2cc6e784b86b9a3e6225
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_alpha.deb
      Size/MD5 checksum:    19096 ea4dfe8c7a234b694fab1520fc7b591f
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_alpha.deb
      Size/MD5 checksum:    14948 13dd74ae0ccea40bcb318020f347bfc3
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_alpha.deb
      Size/MD5 checksum:   172500 e2ae41a1297a905fda5413bfa1480358
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_alpha.deb
      Size/MD5 checksum:    13414 0aca9803f883f2851a7e95e7fe16a6a5

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_arm.deb
      Size/MD5 checksum:    70164 b04b21e09ae3f4b37d8cafacf35e5b96
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_arm.deb
      Size/MD5 checksum:    15034 56f66723aa826cec0b60c4b69634741d
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_arm.deb
      Size/MD5 checksum:    12452 1ca90c2ef0e47722b9203b916a07865a
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_arm.deb
      Size/MD5 checksum:   166076 230b02c4b07e68e764aec818d911ea30
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_arm.deb
      Size/MD5 checksum:    10852 fa3611896617bb8b2bc6265fe60860cd

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_i386.deb
      Size/MD5 checksum:    65282 fe8d68f5699c2dd6328f5d6fb41de5d4
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_i386.deb
      Size/MD5 checksum:    13298 23a049e4a683d11d6c92612770842188
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_i386.deb
      Size/MD5 checksum:    11754 ee44568f4553c8b6806d493df239cd99
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_i386.deb
      Size/MD5 checksum:   163072 200b522a92855b1572f5d53309cb0bfd
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_i386.deb
      Size/MD5 checksum:    11074 83ea7692d1fed99516ea2f08ae73e3ce

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_ia64.deb
      Size/MD5 checksum:    83806 e8f27c46ef888331580e59008cd4f533
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_ia64.deb
      Size/MD5 checksum:    23258 c4df4204fb933e8ce4bbe10ce1e3d846
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_ia64.deb
      Size/MD5 checksum:    19968 26b57ac5df155751a966984ec539af31
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_ia64.deb
      Size/MD5 checksum:   181160 ed31278983fd1a3e8e3e191ce32cd8d9
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_ia64.deb
      Size/MD5 checksum:    14238 eacda3d67cfc61955c26f5fe863fd108

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_hppa.deb
      Size/MD5 checksum:    75324 2388e3c7f5ba71d78f03546aaba947ec
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_hppa.deb
      Size/MD5 checksum:    18280 742d3d2fe02e89788c16f83f5b8b9d54
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_hppa.deb
      Size/MD5 checksum:    15472 d42224aa421bfeac9f69ab04113bee8f
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_hppa.deb
      Size/MD5 checksum:   171404 e4142d2e1c09d03bd0a9f5ffe68f8398
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_hppa.deb
      Size/MD5 checksum:    11898 b3ff997a5f5491eadde89a7c59aa04c9

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_m68k.deb
      Size/MD5 checksum:    64732 01ae04bd3b1d07159fdaeb64e7776166
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_m68k.deb
      Size/MD5 checksum:    13100 3d333541bf051b2a21cfcc3f35970bed
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_m68k.deb
      Size/MD5 checksum:    11816 0a75c3fd4adf34744717645c9ce221ee
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_m68k.deb
      Size/MD5 checksum:   163014 5993adc4d530c757ce78c1008ed660a1
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_m68k.deb
      Size/MD5 checksum:    10914 aa2847845ee8c2e5915ebc1dbb4c9f63

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_mips.deb
      Size/MD5 checksum:    72966 39493c455b3479b68251442b18795c10
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_mips.deb
      Size/MD5 checksum:    15952 8029feb6a73d7226587d8b0ebeec5609
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_mips.deb
      Size/MD5 checksum:    13356 9c77752f52b1c6c83c682f1a2151e5b1
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_mips.deb
      Size/MD5 checksum:   165986 87080a2d4162278375cd06846b855016
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_mips.deb
      Size/MD5 checksum:    11328 fbab396a82f75e54229b9b98384bc28f

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_mipsel.deb
      Size/MD5 checksum:    72958 1009be2e56d8220fb89308a0e82a6390
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_mipsel.deb
      Size/MD5 checksum:    16264 6251983b36ffa717324636f08cb5364d
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_mipsel.deb
      Size/MD5 checksum:    13294 35084b2fa187ea16f1eb38cd27104ac9
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_mipsel.deb
      Size/MD5 checksum:   166084 e52f619b46efa2e23bf052fffdd180fe
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_mipsel.deb
      Size/MD5 checksum:    11276 91ffc4127fa188554c85874d62bba324

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_powerpc.deb
      Size/MD5 checksum:    70908 f15b7029f4a773fa36c940a6e14bccd0
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_powerpc.deb
      Size/MD5 checksum:    16078 7d8717e5e283fc74b36a35469c689b61
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_powerpc.deb
      Size/MD5 checksum:    13466 784762c96e5c81f0c6965f747c3bf6a7
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_powerpc.deb
      Size/MD5 checksum:   166736 b7842830fa2ca08c414cfc952ba020e1
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_powerpc.deb
      Size/MD5 checksum:    11008 6cee75d3d3c3a6c27bd67382a206933b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_s390.deb
      Size/MD5 checksum:    67032 cf1ba87e9c3afa4316463531213f150a
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_s390.deb
      Size/MD5 checksum:    14412 0091427ab3484061f6fc1410fdae417d
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_s390.deb
      Size/MD5 checksum:    12398 09305abf4c88d12d13e24c5d9f84982c
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_s390.deb
      Size/MD5 checksum:   165576 980aef7a0f1ce2f7f3cf6defce90066c
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_s390.deb
      Size/MD5 checksum:    11624 2cb2cf59611128ac6f9c87127f262f51

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_sparc.deb
      Size/MD5 checksum:    68230 d4f0f5168cabe10572b5a6a8e9bf99e9
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_sparc.deb
      Size/MD5 checksum:    14804 2a2a5b233f29cc93863dc979cb8f0d33
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_sparc.deb
      Size/MD5 checksum:    11904 c25a7179e95f0d446dfaec535ca851c1
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_sparc.deb
      Size/MD5 checksum:   165040 ee69d095b42b9ee2c0b693ac697833ca
    http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_sparc.deb
      Size/MD5 checksum:    13558 3b8b78d3d43bbf35a9945bed06a5f3e0


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBbpGPW5ql+IAeqTIRAhJUAJ9Z3oOzxmUQ24/na8BcA97ldViBigCguAqD
ve87G1ZuBQ7oPjN6iPWtcWI=
=lv0q
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ