Vulnerability Note VU#238019
Cyrus SASL library buffer overflow vulnerability
The Cyrus SASL library contains a buffer overflow vulnerability that could allow an attacker to execute code or cause a vulnerable program to crash.
SASL (Simple Authentication and Security Layer) is a method for adding authentication support to various protocols. SASL is commonly used by mail servers to request authentication from clients and by clients to authenticate to servers.
The sasl_encode64() function encodes data into base64. The Cyrus SASL library contains buffer overflows that arise from unsafe use of the sasl_encode64() function.
A remote attacker might be able to execute code, or cause programs relying on SASL to crash or become unavailable.
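As an added illustration that is not part of the advisory or of the Cyrus project, the following shows the output-buffer arithmetic a caller of a sasl_encode64()-style encoder must get right: the buffer has to hold 4*ceil(n/3) characters plus a NUL terminator, and a checked wrapper should refuse anything smaller rather than encode into it. base64_buf_size() and checked_encode64() are hypothetical names with a signature modelled on sasl_encode64(); libsasl2 itself is not called.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes needed to hold the base64 encoding of inlen bytes plus a NUL
 * terminator: every 3 input bytes (rounded up) become 4 output chars. */
size_t base64_buf_size(size_t inlen) {
    return 4 * ((inlen + 2) / 3) + 1;
}

/* Hypothetical stand-in with a sasl_encode64()-style signature (not libsasl2).
 * Encodes `in` into `out`, which holds `outmax` bytes. Returns 0 on success,
 * -1 when `out` cannot hold the encoding AND its NUL terminator, so the
 * caller is never left with an unterminated or partially written buffer. */
int checked_encode64(const unsigned char *in, size_t inlen,
                     char *out, size_t outmax, size_t *outlen) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = base64_buf_size(inlen);
    size_t i, o = 0;

    if (out == NULL || outmax < need)
        return -1;  /* check the size up front; nothing is written */

    for (i = 0; i + 2 < inlen; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[(v >> 18) & 63]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];  out[o++] = tbl[v & 63];
    }
    if (inlen - i == 1) {            /* one trailing byte: two pad chars */
        unsigned v = in[i] << 16;
        out[o++] = tbl[(v >> 18) & 63]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = '='; out[o++] = '=';
    } else if (inlen - i == 2) {     /* two trailing bytes: one pad char */
        unsigned v = (in[i] << 16) | (in[i + 1] << 8);
        out[o++] = tbl[(v >> 18) & 63]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];  out[o++] = '=';
    }
    out[o] = '\0';  /* always terminated: outmax >= need guarantees room */
    if (outlen) *outlen = o;
    return 0;
}

int main(void) {
    char buf[16]; size_t n;  /* constructed sample input below */
    const unsigned char *msg = (const unsigned char *)"Man";
    if (checked_encode64(msg, 3, buf, sizeof buf, &n) == 0)
        printf("%zu chars: %s (buffer needs %zu bytes)\n", n, buf, base64_buf_size(3));
    return 0;
}
```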
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Inc. | Affected | - | 26 Aug 2009 |
| Cyrus-IMAP | Affected | - | 13 May 2009 |
| Gentoo Linux | Affected | 28 Apr 2009 | 20 May 2009 |
| Red Hat, Inc. | Affected | 28 Apr 2009 | 14 May 2009 |
| Sun Microsystems, Inc. | Affected | 28 Apr 2009 | 14 May 2009 |
| The SCO Group | Affected | 28 Apr 2009 | 15 May 2009 |
| SafeNet | Not Affected | 13 May 2009 | 15 Jun 2009 |
| Conectiva Inc. | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| Cray Inc. | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| Debian GNU/Linux | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| Engarde Secure Linux | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| Fedora Project | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| Hewlett-Packard Company | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| IBM Corporation (zseries) | Unknown | 28 Apr 2009 | 28 Apr 2009 |
| IBM eServer | Unknown | 28 Apr 2009 | 28 Apr 2009 |
Thanks to James Ralston for reporting this issue and providing technical information.
This document was written by Ryan Giobbi.
- CVE IDs: CVE-2009-0688
- Date Public: 08 Apr 2009
- Date First Published: 14 May 2009
- Date Last Updated: 26 Aug 2009
- Severity Metric: 4.04
- Document Revision: 24