
Updated cyrus-sasl packages are available for Red Hat Enterprise Linux 2.1 and 3

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated cyrus-sasl packages fix security flaw
Advisory ID: RHSA-2004:546-01
Issue date: 2004-10-07
Updated on: 2004-10-07
Product: Red Hat Enterprise Linux
Keywords: environment
CVE Names: CAN-2004-0884
----------------------------------------------------------------------

1. Summary:

Updated cyrus-sasl packages that fix a setuid and setgid application vulnerability are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

At application startup, libsasl and libsasl2 attempt to build a list of all SASL plug-ins available on the system. To do so, the libraries search the plug-in directory and attempt to load every shared library found there. The location of this directory can be overridden with the SASL_PATH environment variable.

In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/cyrus-sasl-1.5.24-26.src.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cyrus-sasl-2.1.15-9.src.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

6. References:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c.diff?r1=1.103&r2=1.104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884

7. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.