Bug 25914

Summary: cyrus-sasl new security issue CVE-2019-19906
Product: Mageia Reporter: Zombie Ryushu <zombie.ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2044-1-cyrus-sasl2-security-update-10-38-49
Whiteboard: MGA7-64-OK
Source RPM: cyrus-sasl-2.1.27-1.mga7.src.rpm CVE: CVE-2019-19906
Status comment:

Zombie Ryushu 2019-12-20 21:39:46 CET

CVE: (none) => CVE-2019-19906
Component: RPM Packages => Security

Comment 1 Lewis Smith 2019-12-21 20:17:52 CET 
Thank you for the pointer.
No duplicate found for the CVE.
This bug has been raised for cyrus-sasl2, which we do not have exactly; but cyrus-sasl. In case this difference matters.

Assigning to DavidG because you have already (!) "add patch to fix CVE-2019-19906 (mga#25914)".

Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security
Source RPM: cyrus-sasl => cyrus-sasl-2.1.27-1.mga7.src.rpm

Comment 2 David Walser 2019-12-21 21:32:15 CET 
Actual link:
https://www.debian.org/lts/security/2019/dla-2044

Debian has also issued an advisory for this on December 20:
https://www.debian.org/security/2019/dsa-4591

Version: 7 => Cauldron
Summary: cyrus-sasl2 security update CVE-2019-19906 => cyrus-sasl new security issue CVE-2019-19906
Whiteboard: (none) => MGA7TOO

Comment 3 David GEIGER 2019-12-22 06:14:40 CET 
Done also for mga7!
Comment 4 David Walser 2019-12-22 14:23:52 CET 
Advisory:
========================

Updated cyrus-sasl packages fix security vulnerability:

Stephan Zeisberg reported an out-of-bounds write vulnerability in the
_sasl_add_string() function in cyrus-sasl2, a library implementing the Simple
Authentication and Security Layer. A remote attacker can take advantage of this
issue to cause denial-of-service conditions for applications using the library
(CVE-2019-19906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
https://www.debian.org/security/2019/dsa-4591
========================

Updated packages in core/updates_testing:
========================
cyrus-sasl-2.1.27-1.1.mga7
libsasl2_3-2.1.27-1.1.mga7
libsasl2-devel-2.1.27-1.1.mga7
libsasl2-plug-anonymous-2.1.27-1.1.mga7
libsasl2-plug-crammd5-2.1.27-1.1.mga7
libsasl2-plug-digestmd5-2.1.27-1.1.mga7
libsasl2-plug-plain-2.1.27-1.1.mga7
libsasl2-plug-scram-2.1.27-1.1.mga7
libsasl2-plug-login-2.1.27-1.1.mga7
libsasl2-plug-gssapi-2.1.27-1.1.mga7
libsasl2-plug-otp-2.1.27-1.1.mga7
libsasl2-plug-sasldb-2.1.27-1.1.mga7
libsasl2-plug-srp-2.1.27-1.1.mga7
libsasl2-plug-ntlm-2.1.27-1.1.mga7
libsasl2-plug-mysql-2.1.27-1.1.mga7
libsasl2-plug-pgsql-2.1.27-1.1.mga7
libsasl2-plug-sqlite3-2.1.27-1.1.mga7
libsasl2-plug-ldapdb-2.1.27-1.1.mga7

from cyrus-sasl-2.1.27-1.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Herman Viaene 2020-01-04 14:59:04 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 11112 for tests, points to accessing samaba.
So tried
$ strace -o sasl-txt smbtree -S
Unable to initialize messaging context
Enter MYGROUP\tester7's password: 
WORKGROUP
        \\MACH1                         Samba Server Version 4.10.11
trace shows
openat(AT_FDCWD, "/lib64/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 3
Looked into contents o cyrus-sasl and found daemon, so
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl -l start saslauthd
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-01-04 14:51:43 CET; 3s ago
  Process: 29476 ExecStart=/usr/sbin/saslauthd -m /run/saslauthd -a $SASL_AUTHMECH $SASLAUTHD_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 29477 (saslauthd)
   Memory: 1.4M
   CGroup: /system.slice/saslauthd.service
           ├─29477 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29478 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29479 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29480 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           └─29481 /usr/sbin/saslauthd -m /run/saslauthd -a pam

jan 04 14:51:43 mach5.hviaene.thuis systemd[1]: Starting SASL authentication daemon....
jan 04 14:51:43 mach5.hviaene.thuis saslauthd[29477]:                 : master pid is: 29477
jan 04 14:51:43 mach5.hviaene.thuis saslauthd[29477]:                 : listening on socket: /run/saslauthd/mux
jan 04 14:51:43 mach5.hviaene.thuis systemd[1]: Started SASL authentication daemon..
I could not make sense of the other commands, but what I see looks good. OK'ing unless someone else has better ideas

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-01-04 23:38:40 CET 
Good enough for me, Herman. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 14:28:30 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-01-05 16:39:56 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0011.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED