|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Cyrus-IMAP Information for VU#238019
| Date Notified: | |
| Date Updated: | 2009-05-13 |
| Statement Date: | 2009-05-12 |
| Status Summary: | Vulnerable |
Vendor StatementNo statement is currently available from the vendor regarding this vulnerability.Vendor InformationWhile this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:
/* base64 encode
* in -- input data
* inlen -- input data length
* out -- output buffer (will be NUL terminated)
* outmax -- max size of output buffer
* result:
* outlen -- gets actual length of output buffer (optional)
*
* Returns SASL_OK on success, SASL_BUFOVER if result won't fit
*/
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
char *out, unsigned outmax,
unsigned *outlen);
Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the
buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.
Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.
AddendumThere are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |
