Support / Security / Advisories / Mandriva Linux 2008.0 / MDVSA-2009:113-1

Package name: cyrus-sasl
Date: 2009-12-03
Advisory ID: MDVSA-2009:113-1
Affected versions: 2008.0 i586 , 2008.0 x86_64

Problem description

Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23
might allow remote attackers to execute arbitrary code or cause a
denial of service application crash) via strings that are used as
input to the sasl_encode64 function in lib/saslutil.c (CVE-2009-0688).

The updated packages have been patched to prevent this.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

Updated packages

2008.0 i586

 0b5da906226132af2c2ed8270343f557  2008.0/i586/cyrus-sasl-2.1.22-23.1mdv2008.0.i586.rpm
 de005340f6be93e76feb3d5fe94e2d54  2008.0/i586/libsasl2-2.1.22-23.1mdv2008.0.i586.rpm
 3d919ce1d732f655ca6be7a89d434acd  2008.0/i586/libsasl2-devel-2.1.22-23.1mdv2008.0.i586.rpm
 540c3b13f892438d8795c17cc89d42bf  2008.0/i586/libsasl2-plug-anonymous-2.1.22-23.1mdv2008.0.i586.rpm
 d13e5e77f0949d58097eb2f734a10255  2008.0/i586/libsasl2-plug-crammd5-2.1.22-23.1mdv2008.0.i586.rpm
 5950850223017fdf5a4b47f0618b55de  2008.0/i586/libsasl2-plug-digestmd5-2.1.22-23.1mdv2008.0.i586.rpm
 5f1c9ad40cdf003c28ca1be8381d8029  2008.0/i586/libsasl2-plug-gssapi-2.1.22-23.1mdv2008.0.i586.rpm
 08bbfad70b61a514204344a125413e14  2008.0/i586/libsasl2-plug-ldapdb-2.1.22-23.1mdv2008.0.i586.rpm
 64386e5dd2a108387dc43379a5513e9c  2008.0/i586/libsasl2-plug-login-2.1.22-23.1mdv2008.0.i586.rpm
 6447f2431d59bc5b30345259f276f6b3  2008.0/i586/libsasl2-plug-ntlm-2.1.22-23.1mdv2008.0.i586.rpm
 93ae062a1aaab4e973859ef402a5a242  2008.0/i586/libsasl2-plug-otp-2.1.22-23.1mdv2008.0.i586.rpm
 91c60f6ec94f4dddc5868588a4b8f68b  2008.0/i586/libsasl2-plug-plain-2.1.22-23.1mdv2008.0.i586.rpm
 f5a00cdd4639421ca1ee15cc0be63eac  2008.0/i586/libsasl2-plug-sasldb-2.1.22-23.1mdv2008.0.i586.rpm
 3d497c02f84a1c3328fdb391643da44c  2008.0/i586/libsasl2-plug-sql-2.1.22-23.1mdv2008.0.i586.rpm 
 6c88dcfd5ab050abd18f4d2983c79300  2008.0/SRPMS/cyrus-sasl-2.1.22-23.1mdv2008.0.src.rpm

2008.0 x86_64

 80d99cc844c67a2a06759bc1e7cc88db  2008.0/x86_64/cyrus-sasl-2.1.22-23.1mdv2008.0.x86_64.rpm
 41b95422b894401eecc2a8681c9dc196  2008.0/x86_64/lib64sasl2-2.1.22-23.1mdv2008.0.x86_64.rpm
 50f33da97b5da9b4bc30ec5bc6d1d659  2008.0/x86_64/lib64sasl2-devel-2.1.22-23.1mdv2008.0.x86_64.rpm
 d4fb022df681b367b8679136f72b592e  2008.0/x86_64/lib64sasl2-plug-anonymous-2.1.22-23.1mdv2008.0.x86_64.rpm
 5d927f67880f4aa762fb367d77641721  2008.0/x86_64/lib64sasl2-plug-crammd5-2.1.22-23.1mdv2008.0.x86_64.rpm
 aed157358368d9ff50959a74fe9c25e4  2008.0/x86_64/lib64sasl2-plug-digestmd5-2.1.22-23.1mdv2008.0.x86_64.rpm
 84d23ab14f7382f7c7ea6b5967ef2f40  2008.0/x86_64/lib64sasl2-plug-gssapi-2.1.22-23.1mdv2008.0.x86_64.rpm
 9e4e676d2fbd739510acc32c0c43be95  2008.0/x86_64/lib64sasl2-plug-ldapdb-2.1.22-23.1mdv2008.0.x86_64.rpm
 4db9412d9b049a07c6cd4a79763d6753  2008.0/x86_64/lib64sasl2-plug-login-2.1.22-23.1mdv2008.0.x86_64.rpm
 ea10f518bb59213ef01857ea4dc0aa4d  2008.0/x86_64/lib64sasl2-plug-ntlm-2.1.22-23.1mdv2008.0.x86_64.rpm
 63d56373895ddc03a85d4dd3ca1f960a  2008.0/x86_64/lib64sasl2-plug-otp-2.1.22-23.1mdv2008.0.x86_64.rpm
 4b655bbd94e9693ea9f57811bd0efad3  2008.0/x86_64/lib64sasl2-plug-plain-2.1.22-23.1mdv2008.0.x86_64.rpm
 5050def960a29e2857cd132785a21143  2008.0/x86_64/lib64sasl2-plug-sasldb-2.1.22-23.1mdv2008.0.x86_64.rpm
 febdbe8c8c23b096a78ea20dc8ceca75  2008.0/x86_64/lib64sasl2-plug-sql-2.1.22-23.1mdv2008.0.x86_64.rpm 
 6c88dcfd5ab050abd18f4d2983c79300  2008.0/SRPMS/cyrus-sasl-2.1.22-23.1mdv2008.0.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0688