PublicDateAtUSN: 2013-07-18
Candidate: CVE-2013-4122
PublicDate: 2013-10-27 00:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122
 http://openwall.com/lists/oss-security/2013/07/12/3
 http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
 https://ubuntu.com/security/notices/USN-1988-1
 https://ubuntu.com/security/notices/USN-2755-1
Description:
 Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
Ubuntu-Description:
Notes:
 seth-arnold> NULL return from crypt() if the salt isn't sane
 seth-arnold> Upgraded to medium, bug report shows remote attackers can disable the sasl service by repeating the attack; THREADS=0 configuration is a work-around that may help to prevent abuse.
 mdeslaur> eglibc only returns NULL from crypt() in 2.17+, so quantal and older are not affected.
 mdeslaur> 2015-09-25: patch was dropped by mistake in debian's 2.1.26 package, fixed again in 2.1.26.dfsg1-14
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716835
 https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1187001
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_cyrus-sasl2:
 upstream: http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d (trunk)
 other: http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.23-glibc217-crypt.diff (2.1.23)
 other: http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.26-glibc217-crypt.diff (2.1.26)
upstream_cyrus-sasl2: released (2.1.26.dfsg1-14)
lucid_cyrus-sasl2: not-affected
precise_cyrus-sasl2: not-affected
quantal_cyrus-sasl2: not-affected
raring_cyrus-sasl2: released (2.1.25.dfsg1-6ubuntu0.1)
trusty_cyrus-sasl2: not-affected (2.1.25.dfsg1-17)
trusty/esm_cyrus-sasl2: not-affected (2.1.25.dfsg1-17)
vivid_cyrus-sasl2: released (2.1.26.dfsg1-13ubuntu0.1)
devel_cyrus-sasl2: released (2.1.26.dfsg1-14)
vivid/stable-phone-overlay_cyrus-sasl2: released (2.1.26.dfsg1-13ubuntu0.1)
vivid/ubuntu-core_cyrus-sasl2: released (2.1.26.dfsg1-13ubuntu0.1)