oss-sec mailing list archives
Re: CVE request: Cyrus-sasl NULL ptr. dereference
From: Solar Designer <solar () openwall com>
Date: Fri, 12 Jul 2013 19:35:07 +0400
On Fri, Jul 12, 2013 at 03:27:18PM +0000, mancha wrote:
> Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords passed to crypt() fail with EPERM (w/ NULL return).
>
> When authenticating against Cyrus-sasl via mechanisms that use glibc's crypt (e.g. getpwent or shadow auth. mechs), and this crypt() returns a NULL as glibc 2.17+ does on above-described input, the client crashes the authentication daemon resulting in a DoS.

Does this really crash the entire daemon process rather than just one of its children (where a new one would be spawned for another request)? I think this needs to be clarified, and the answer will affect whether we have a security issue (CVE-worthy) or not.

Alexander
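
Added example (not part of the original message and not Cyrus-sasl's code): a C password check that treats a NULL return from crypt() as a failed login instead of passing it to a string comparison. The `crypt_fn` parameter, the names `verify_password` and `ct_equal`, and both stub functions are assumptions made here so the NULL-return path runs without linking libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the failure path runs offline. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

enum verify_result { VERIFY_OK, VERIFY_MISMATCH, VERIFY_CRYPT_FAILED };

/* Compare two NUL-terminated hashes without an early exit on first mismatch. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Stored hash doubles as salt; NULL from crypt (EINVAL/EPERM) fails the login. */
static enum verify_result verify_password(crypt_fn do_crypt, const char *password,
                                          const char *stored_hash) {
    if (password == NULL || stored_hash == NULL)
        return VERIFY_CRYPT_FAILED;
    const char *computed = do_crypt(password, stored_hash);
    if (computed == NULL)
        return VERIFY_CRYPT_FAILED;   /* never reaches the comparison */
    return ct_equal(computed, stored_hash) ? VERIFY_OK : VERIFY_MISMATCH;
}

/* Constructed stub: behaves like a crypt() that rejects the salt. */
static char *stub_crypt_reject(const char *key, const char *salt) {
    (void)key; (void)salt;
    errno = EINVAL;
    return NULL;
}

/* Constructed stub: toy "hash" so the success and mismatch paths can run. */
static char *stub_crypt_toy(const char *key, const char *salt) {
    static char out[64];
    (void)salt;
    snprintf(out, sizeof out, "toy$%s", key);
    return out;
}

int main(void) {
    printf("%d %d\n", (int)verify_password(stub_crypt_reject, "secret", "!!"),
           (int)verify_password(stub_crypt_toy, "secret", "toy$secret"));
    return 0;
}
```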