Cyrus-IMAP Information for VU#238019
Cyrus SASL library buffer overflow vulnerability
- Date Notified:
- Statement Date: 12 May 2009
- Date Updated: 13 May 2009
No statement is currently available from the vendor regarding this vulnerability.
While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:
/* base64 encode
 *  in      -- input data
 *  inlen   -- input data length
 *  out     -- output buffer (will be NUL terminated)
 *  outmax  -- max size of output buffer
 *  outlen  -- gets actual length of output buffer (optional)
 *
 * Returns SASL_OK on success, SASL_BUFOVER if result won't fit
 */
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
                              char *out, unsigned outmax,
                              unsigned *outlen);
Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.
Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.
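The breakage described above, modelled in C as an added example (not Cyrus SASL code and not part of the original statement). The names model_encode64 and encode_with_slack and the strict flag are hypothetical; the two size checks are assumptions built from the statement's description. A caller that allocates one byte more than the encoded length passes the stricter check.

```c
#include <stdio.h>
#include <string.h>

#define SASL_OK       0    /* local stand-ins for the sasl.h result codes */
#define SASL_BUFOVER (-3)

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Model encoder (hypothetical, not libsasl code). strict=0 models the
 * pre-patch check: an exact-fit buffer is accepted and left without a NUL.
 * strict=1 models the post-patch check: room for the NUL is required. */
static int model_encode64(const char *in, unsigned inlen, char *out,
                          unsigned outmax, unsigned *outlen, int strict)
{
    unsigned olen = (inlen + 2) / 3 * 4;   /* encoded length, NUL excluded */
    unsigned i, o = 0;
    if (outlen) *outlen = olen;
    if (strict ? outmax <= olen : outmax < olen)
        return SASL_BUFOVER;
    for (i = 0; i < inlen; i += 3) {
        unsigned n = (unsigned)(unsigned char)in[i] << 16;
        if (i + 1 < inlen) n |= (unsigned)(unsigned char)in[i + 1] << 8;
        if (i + 2 < inlen) n |= (unsigned char)in[i + 2];
        out[o++] = B64[(n >> 18) & 63];
        out[o++] = B64[(n >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? B64[(n >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? B64[n & 63] : '=';
    }
    if (o < outmax) out[o] = '\0';         /* terminate only when there is room */
    return SASL_OK;
}

/* Caller from the scenario: the buffer holds the encoded bytes plus `slack`
 * extra bytes (0 = exact fit, 1 = room for the NUL). Returns the status. */
static int encode_with_slack(const char *msg, unsigned slack, int strict)
{
    char buf[64];
    unsigned len = (unsigned)strlen(msg), need = (len + 2) / 3 * 4;
    if (need + slack > sizeof buf) return SASL_BUFOVER;
    return model_encode64(msg, len, buf, need + slack, NULL, strict);
}

int main(void)
{
    printf("exact fit, pre-patch model:  %d\n", encode_with_slack("user", 0, 0));
    printf("exact fit, post-patch model: %d\n", encode_with_slack("user", 0, 1));
    printf("fit + 1,   post-patch model: %d\n", encode_with_slack("user", 1, 1));
    return 0;
}
```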
There are no additional comments at this time.