Debians sikkerhedsbulletin

DSA-563-3 cyrus-sasl -- ukorrigerede inddata

Rapporteret den:

14. okt 2004

Berørte pakker:

cyrus-sasl

Sårbar:

Referencer i sikkerhedsdatabaser:

I Debians fejlsporingssystem: Fejl 275498.
I Mitres CVE-ordbog: CVE-2004-0884.

Yderligere oplysninger:

Denne sikkerhedsbulletin retter DSA 563-1 og DSA 563-2, der ikke var i stand til at erstatte biblioteket til arkitekturerne sparc og arm på grund af forskellig versionering i det stabile arkiv. Andre arkitekturer blev opdateret korrekt. Et nyt problem blev dog rapporteret i forbindelse med sendmail, som desuden er rettet i forbindelse med denne opdatering.

I den stabile distribution (woody) er dette problem rettet i version 1.5.27-3.1woody5.

Til reference følger bulletinens tekst:

En sårbarhed er opdaget i Cyrus-implmentationen af SASL-biblioteket, Simple Authentication and Security Layer, en metode til tilføjelse af autentifikationsunderstøttelse for connection-baserede protokoller. Biblioteket adlyder blindt miljøvariablen SASL_PATH blindly, hvilket gør det muligt for en lokal bruger at linke til et ondsindet bibliotek, for at kunne køre vilkårlig kode med rettighederne hørende til en setuid- eller setgid-applikation.

I den ustabile distribution (sid) er dette problem rettet i version 1.5.28-6.2 af cyrus-sasl og i version 2.1.19-1.3 af cyrus-sasl2.

Vi anbefaler at du opgraderer dine libsasl-pakker.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3.1woody5.dsc; http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27-3.1woody5.diff.gz; http://security.debian.org/pool/updates/main/c/cyrus-sasl/cyrus-sasl_1.5.27.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_alpha.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_alpha.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_alpha.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_alpha.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_arm.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_arm.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_arm.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_arm.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_i386.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_i386.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_i386.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_i386.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_ia64.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_ia64.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_ia64.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_ia64.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_hppa.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_hppa.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_hppa.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_hppa.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_m68k.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_m68k.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_m68k.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_m68k.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_mips.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_mips.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_mips.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_mips.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_mipsel.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_powerpc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_s390.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_s390.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_s390.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_s390.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-dev_1.5.27-3.1woody5_sparc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-digestmd5-plain_1.5.27-3.1woody5_sparc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl-modules-plain_1.5.27-3.1woody5_sparc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/libsasl7_1.5.27-3.1woody5_sparc.deb; http://security.debian.org/pool/updates/main/c/cyrus-sasl/sasl-bin_1.5.27-3.1woody5_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.