
Red Hat: Updated cyrus-sasl packages fix security flaw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated cyrus-sasl packages fix security flaw
Advisory ID:       RHSA-2004:546-01
Issue date:        2004-10-07
Updated on:        2004-10-07
Product:           Red Hat Enterprise Linux
Keywords:          environment
CVE Names:         CAN-2004-0884
- ---------------------------------------------------------------------

1. Summary:

Updated cyrus-sasl packages that fix a setuid and setgid application
vulnerability are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The cyrus-sasl package contains the Cyrus implementation of SASL.  SASL is
the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.

At application startup, libsasl and libsasl2 attempt to build a list of all
SASL plug-ins available on the system.  To do so, the libraries search for
and attempt to load every shared library found within the plug-in directory.
The location of that directory can be overridden with the SASL_PATH
environment variable.

In situations where an untrusted local user can affect the environment of a
privileged process, this behavior could be exploited to run arbitrary code
with the privileges of a setuid or setgid application.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which contain
backported patches and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm
adf38e226dfa211bb2e7e83c5c5418b9  cyrus-sasl-1.5.24-26.src.rpm

i386:
0ecb1995b05aebf41e8c609b367e902f  cyrus-sasl-1.5.24-26.i386.rpm
846a21bc2e1a84f37f9f43f973ebda44  cyrus-sasl-devel-1.5.24-26.i386.rpm
9d29af70b1dd3a98f8eba31fa796d338  cyrus-sasl-gssapi-1.5.24-26.i386.rpm
ddaf1332b6bdad447e1550fccab267eb  cyrus-sasl-md5-1.5.24-26.i386.rpm
67c7f02257346ccbc236a02bbac49925  cyrus-sasl-plain-1.5.24-26.i386.rpm

ia64:
97497be93ad3074862be30b3eaf9fe46  cyrus-sasl-1.5.24-26.ia64.rpm
6c4362bc42c9c41f7eb07b61ee733320  cyrus-sasl-devel-1.5.24-26.ia64.rpm
bd3a433063c18f2384bc9249a58d8504  cyrus-sasl-gssapi-1.5.24-26.ia64.rpm
6d34fc4ff8ffda80308d02e82bcefc64  cyrus-sasl-md5-1.5.24-26.ia64.rpm
1eb867b4419336e95ffffec0a88fe01f  cyrus-sasl-plain-1.5.24-26.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm
adf38e226dfa211bb2e7e83c5c5418b9  cyrus-sasl-1.5.24-26.src.rpm

ia64:
97497be93ad3074862be30b3eaf9fe46  cyrus-sasl-1.5.24-26.ia64.rpm
6c4362bc42c9c41f7eb07b61ee733320  cyrus-sasl-devel-1.5.24-26.ia64.rpm
bd3a433063c18f2384bc9249a58d8504  cyrus-sasl-gssapi-1.5.24-26.ia64.rpm
6d34fc4ff8ffda80308d02e82bcefc64  cyrus-sasl-md5-1.5.24-26.ia64.rpm
1eb867b4419336e95ffffec0a88fe01f  cyrus-sasl-plain-1.5.24-26.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm
adf38e226dfa211bb2e7e83c5c5418b9  cyrus-sasl-1.5.24-26.src.rpm

i386:
0ecb1995b05aebf41e8c609b367e902f  cyrus-sasl-1.5.24-26.i386.rpm
846a21bc2e1a84f37f9f43f973ebda44  cyrus-sasl-devel-1.5.24-26.i386.rpm
9d29af70b1dd3a98f8eba31fa796d338  cyrus-sasl-gssapi-1.5.24-26.i386.rpm
ddaf1332b6bdad447e1550fccab267eb  cyrus-sasl-md5-1.5.24-26.i386.rpm
67c7f02257346ccbc236a02bbac49925  cyrus-sasl-plain-1.5.24-26.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm
adf38e226dfa211bb2e7e83c5c5418b9  cyrus-sasl-1.5.24-26.src.rpm

i386:
0ecb1995b05aebf41e8c609b367e902f  cyrus-sasl-1.5.24-26.i386.rpm
846a21bc2e1a84f37f9f43f973ebda44  cyrus-sasl-devel-1.5.24-26.i386.rpm
9d29af70b1dd3a98f8eba31fa796d338  cyrus-sasl-gssapi-1.5.24-26.i386.rpm
ddaf1332b6bdad447e1550fccab267eb  cyrus-sasl-md5-1.5.24-26.i386.rpm
67c7f02257346ccbc236a02bbac49925  cyrus-sasl-plain-1.5.24-26.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm
aaf9ffaec315e592644d6daae68aae82  cyrus-sasl-2.1.15-9.src.rpm

i386:
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
6919e5fcd850ee85f783309cb1470aa5  cyrus-sasl-devel-2.1.15-9.i386.rpm
e9ad63b5a0afe14540367226f0433f4b  cyrus-sasl-gssapi-2.1.15-9.i386.rpm
1f88d0820350da52c6366cb1212b8936  cyrus-sasl-md5-2.1.15-9.i386.rpm
8be156532f450097531cb90774a10385  cyrus-sasl-plain-2.1.15-9.i386.rpm

ia64:
6bbbc7ee16697a0cb1009b3730fef0ba  cyrus-sasl-2.1.15-9.ia64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
d2580374e50340bf14d956974a3fb451  cyrus-sasl-devel-2.1.15-9.ia64.rpm
37fcb197c372282ee31dff7d2d81566c  cyrus-sasl-gssapi-2.1.15-9.ia64.rpm
444f44cdba6333e1343e23e6d67e6ce6  cyrus-sasl-md5-2.1.15-9.ia64.rpm
8d4d75121ec2e6987f319381ac601716  cyrus-sasl-plain-2.1.15-9.ia64.rpm

ppc:
0dc0857831f3e90217f8f3fd27da70eb  cyrus-sasl-2.1.15-9.ppc.rpm
383e13e965189970e5a5f826c6c03af2  cyrus-sasl-devel-2.1.15-9.ppc.rpm
04c195d25dd2d29e808c61f32361428c  cyrus-sasl-gssapi-2.1.15-9.ppc.rpm
782939ca66fdae0de95696cd4e903d40  cyrus-sasl-md5-2.1.15-9.ppc.rpm
c9549f71008205a824ed0426c3b873cb  cyrus-sasl-plain-2.1.15-9.ppc.rpm

ppc64:
053c8601822ab5206cdc7db1e35e0ea0  cyrus-sasl-2.1.15-9.ppc64.rpm

s390:
adcb50ec0fb14951af6bfe006bc7a295  cyrus-sasl-2.1.15-9.s390.rpm
8dab6edb113343ea0b5550ff7635cded  cyrus-sasl-devel-2.1.15-9.s390.rpm
a6c9955bb6df5a16a1012ded6df2eb27  cyrus-sasl-gssapi-2.1.15-9.s390.rpm
9873745733c8ad088251b09bec06a376  cyrus-sasl-md5-2.1.15-9.s390.rpm
07d56edf20dd4d7cf705c8e246329466  cyrus-sasl-plain-2.1.15-9.s390.rpm

s390x:
111e650ab71231c95143847f60a7237b  cyrus-sasl-2.1.15-9.s390x.rpm
adcb50ec0fb14951af6bfe006bc7a295  cyrus-sasl-2.1.15-9.s390.rpm
2b0b6453e0738875aaef6a8958ced9fc  cyrus-sasl-devel-2.1.15-9.s390x.rpm
72a6318fe8f7a7af727698d98ffc3b0e  cyrus-sasl-gssapi-2.1.15-9.s390x.rpm
a45b9c7802f581e14f17d0daa04e8340  cyrus-sasl-md5-2.1.15-9.s390x.rpm
5ee2ddc76df85de40f8fb7d9a42fe81c  cyrus-sasl-plain-2.1.15-9.s390x.rpm

x86_64:
7008444c7feb4516e29f4af965be2d3c  cyrus-sasl-2.1.15-9.x86_64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
f063da2d593dfca9bbffed47e74992a6  cyrus-sasl-devel-2.1.15-9.x86_64.rpm
bced324f78f7d7453d3756e7d23a461b  cyrus-sasl-gssapi-2.1.15-9.x86_64.rpm
1261e9ccb900f36592ddfa09c64ba354  cyrus-sasl-md5-2.1.15-9.x86_64.rpm
4ea63d22a136b332f5c405a5c43e1f96  cyrus-sasl-plain-2.1.15-9.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm
aaf9ffaec315e592644d6daae68aae82  cyrus-sasl-2.1.15-9.src.rpm

i386:
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
6919e5fcd850ee85f783309cb1470aa5  cyrus-sasl-devel-2.1.15-9.i386.rpm
e9ad63b5a0afe14540367226f0433f4b  cyrus-sasl-gssapi-2.1.15-9.i386.rpm
1f88d0820350da52c6366cb1212b8936  cyrus-sasl-md5-2.1.15-9.i386.rpm
8be156532f450097531cb90774a10385  cyrus-sasl-plain-2.1.15-9.i386.rpm

x86_64:
7008444c7feb4516e29f4af965be2d3c  cyrus-sasl-2.1.15-9.x86_64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
f063da2d593dfca9bbffed47e74992a6  cyrus-sasl-devel-2.1.15-9.x86_64.rpm
bced324f78f7d7453d3756e7d23a461b  cyrus-sasl-gssapi-2.1.15-9.x86_64.rpm
1261e9ccb900f36592ddfa09c64ba354  cyrus-sasl-md5-2.1.15-9.x86_64.rpm
4ea63d22a136b332f5c405a5c43e1f96  cyrus-sasl-plain-2.1.15-9.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm
aaf9ffaec315e592644d6daae68aae82  cyrus-sasl-2.1.15-9.src.rpm

i386:
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
6919e5fcd850ee85f783309cb1470aa5  cyrus-sasl-devel-2.1.15-9.i386.rpm
e9ad63b5a0afe14540367226f0433f4b  cyrus-sasl-gssapi-2.1.15-9.i386.rpm
1f88d0820350da52c6366cb1212b8936  cyrus-sasl-md5-2.1.15-9.i386.rpm
8be156532f450097531cb90774a10385  cyrus-sasl-plain-2.1.15-9.i386.rpm

ia64:
6bbbc7ee16697a0cb1009b3730fef0ba  cyrus-sasl-2.1.15-9.ia64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
d2580374e50340bf14d956974a3fb451  cyrus-sasl-devel-2.1.15-9.ia64.rpm
37fcb197c372282ee31dff7d2d81566c  cyrus-sasl-gssapi-2.1.15-9.ia64.rpm
444f44cdba6333e1343e23e6d67e6ce6  cyrus-sasl-md5-2.1.15-9.ia64.rpm
8d4d75121ec2e6987f319381ac601716  cyrus-sasl-plain-2.1.15-9.ia64.rpm

x86_64:
7008444c7feb4516e29f4af965be2d3c  cyrus-sasl-2.1.15-9.x86_64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
f063da2d593dfca9bbffed47e74992a6  cyrus-sasl-devel-2.1.15-9.x86_64.rpm
bced324f78f7d7453d3756e7d23a461b  cyrus-sasl-gssapi-2.1.15-9.x86_64.rpm
1261e9ccb900f36592ddfa09c64ba354  cyrus-sasl-md5-2.1.15-9.x86_64.rpm
4ea63d22a136b332f5c405a5c43e1f96  cyrus-sasl-plain-2.1.15-9.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm
aaf9ffaec315e592644d6daae68aae82  cyrus-sasl-2.1.15-9.src.rpm

i386:
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
6919e5fcd850ee85f783309cb1470aa5  cyrus-sasl-devel-2.1.15-9.i386.rpm
e9ad63b5a0afe14540367226f0433f4b  cyrus-sasl-gssapi-2.1.15-9.i386.rpm
1f88d0820350da52c6366cb1212b8936  cyrus-sasl-md5-2.1.15-9.i386.rpm
8be156532f450097531cb90774a10385  cyrus-sasl-plain-2.1.15-9.i386.rpm

ia64:
6bbbc7ee16697a0cb1009b3730fef0ba  cyrus-sasl-2.1.15-9.ia64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
d2580374e50340bf14d956974a3fb451  cyrus-sasl-devel-2.1.15-9.ia64.rpm
37fcb197c372282ee31dff7d2d81566c  cyrus-sasl-gssapi-2.1.15-9.ia64.rpm
444f44cdba6333e1343e23e6d67e6ce6  cyrus-sasl-md5-2.1.15-9.ia64.rpm
8d4d75121ec2e6987f319381ac601716  cyrus-sasl-plain-2.1.15-9.ia64.rpm

x86_64:
7008444c7feb4516e29f4af965be2d3c  cyrus-sasl-2.1.15-9.x86_64.rpm
ee9649ea378ae6e28af20b2dffaca059  cyrus-sasl-2.1.15-9.i386.rpm
f063da2d593dfca9bbffed47e74992a6  cyrus-sasl-devel-2.1.15-9.x86_64.rpm
bced324f78f7d7453d3756e7d23a461b  cyrus-sasl-gssapi-2.1.15-9.x86_64.rpm
1261e9ccb900f36592ddfa09c64ba354  cyrus-sasl-md5-2.1.15-9.x86_64.rpm
4ea63d22a136b332f5c405a5c43e1f96  cyrus-sasl-plain-2.1.15-9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

6. References:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c.diff?r1=1.103&r2=1.104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884

7. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBZVnwXlSAg2UNWIIRAiFIAKC5LyaTd3UtgsnkMBvHNIJ/wOkhsgCgkGLu
xEtqqBoy1yXnrT7xiUkQnuk=
=k9ul
-----END PGP SIGNATURE-----