Bug 25914 - cyrus-sasl new security issue CVE-2019-19906
Summary: cyrus-sasl new security issue CVE-2019-19906
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-20 21:39 CET by Zombie Ryushu
Modified: 2020-01-05 16:39 CET

See Also:
Source RPM: cyrus-sasl-2.1.27-1.mga7.src.rpm
CVE: CVE-2019-19906
Status comment:



Zombie Ryushu 2019-12-20 21:39:46 CET

CVE: (none) => CVE-2019-19906
Component: RPM Packages => Security

Comment 1 Lewis Smith 2019-12-21 20:17:52 CET
Thank you for the pointer.
No duplicate found for the CVE.
This bug has been raised for cyrus-sasl2, which we do not have exactly, but cyrus-sasl, in case this difference matters.

Assigning to DavidG because you have already (!) "add patch to fix CVE-2019-19906 (mga#25914)".

Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security
Source RPM: cyrus-sasl => cyrus-sasl-2.1.27-1.mga7.src.rpm

Comment 2 David Walser 2019-12-21 21:32:15 CET
Actual link:
https://www.debian.org/lts/security/2019/dla-2044

Debian has also issued an advisory for this on December 20:
https://www.debian.org/security/2019/dsa-4591

Version: 7 => Cauldron
Summary: cyrus-sasl2 security update CVE-2019-19906 => cyrus-sasl new security issue CVE-2019-19906
Whiteboard: (none) => MGA7TOO

Comment 3 David GEIGER 2019-12-22 06:14:40 CET
Done also for mga7!
Comment 4 David Walser 2019-12-22 14:23:52 CET
Advisory:
========================

Updated cyrus-sasl packages fix security vulnerability:

Stephan Zeisberg reported an out-of-bounds write vulnerability in the
_sasl_add_string() function in cyrus-sasl2, a library implementing the Simple
Authentication and Security Layer. A remote attacker can take advantage of this
issue to cause denial-of-service conditions for applications using the library
(CVE-2019-19906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
https://www.debian.org/security/2019/dsa-4591
========================

Updated packages in core/updates_testing:
========================
cyrus-sasl-2.1.27-1.1.mga7
libsasl2_3-2.1.27-1.1.mga7
libsasl2-devel-2.1.27-1.1.mga7
libsasl2-plug-anonymous-2.1.27-1.1.mga7
libsasl2-plug-crammd5-2.1.27-1.1.mga7
libsasl2-plug-digestmd5-2.1.27-1.1.mga7
libsasl2-plug-plain-2.1.27-1.1.mga7
libsasl2-plug-scram-2.1.27-1.1.mga7
libsasl2-plug-login-2.1.27-1.1.mga7
libsasl2-plug-gssapi-2.1.27-1.1.mga7
libsasl2-plug-otp-2.1.27-1.1.mga7
libsasl2-plug-sasldb-2.1.27-1.1.mga7
libsasl2-plug-srp-2.1.27-1.1.mga7
libsasl2-plug-ntlm-2.1.27-1.1.mga7
libsasl2-plug-mysql-2.1.27-1.1.mga7
libsasl2-plug-pgsql-2.1.27-1.1.mga7
libsasl2-plug-sqlite3-2.1.27-1.1.mga7
libsasl2-plug-ldapdb-2.1.27-1.1.mga7

from cyrus-sasl-2.1.27-1.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
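
The advisory above names the affected function but not the mechanism; the MITRE entry it links describes CVE-2019-19906 as an off-by-one in _sasl_add_string() in common.c. What follows is an added illustration, not cyrus-sasl's own code: a minimal growable-buffer append in the same shape, where the allocation is sized for the appended bytes but not for the terminating NUL that is written afterwards, placed beside the corrected sizing. All names (strbuf, buf_alloc, checked_put, add_string_vuln, add_string_fixed) and the sample message pieces are invented here, and the byte store is bounds-checked so the program records the out-of-bounds write instead of corrupting the heap.

```c
/* Added example, not cyrus-sasl code. Models the allocation-size bug the CVE
 * record describes for _sasl_add_string(): the buffer is grown to hold the
 * appended bytes but not the trailing NUL. Names are invented here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *data;
    size_t alloclen;   /* bytes actually allocated */
    size_t outlen;     /* bytes in use, not counting the terminator */
    int    overflowed; /* set when a store would land at or past alloclen */
} strbuf;

/* Grow the buffer to at least `need` bytes, doubling from 16 (assumed policy). */
static int buf_alloc(strbuf *b, size_t need) {
    if (need <= b->alloclen) return 0;
    size_t n = b->alloclen ? b->alloclen : 16;
    while (n < need) n *= 2;
    char *p = realloc(b->data, n);
    if (p == NULL) return -1;
    b->data = p;
    b->alloclen = n;
    return 0;
}

/* Bounds-checked byte store: records an out-of-bounds write instead of
 * performing it, so the vulnerable path can run without undefined behaviour. */
static void checked_put(strbuf *b, size_t idx, char c) {
    if (idx >= b->alloclen) { b->overflowed = 1; return; }
    b->data[idx] = c;
}

/* Vulnerable shape: reserves outlen+addlen bytes, copies addlen bytes, then
 * terminates at index outlen+addlen, one byte past what was reserved. */
static int add_string_vuln(strbuf *b, const char *add) {
    if (add == NULL) add = "(null)";
    size_t addlen = strlen(add);
    if (buf_alloc(b, b->outlen + addlen) != 0) return -1;
    for (size_t i = 0; i < addlen; i++) checked_put(b, b->outlen + i, add[i]);
    b->outlen += addlen;
    checked_put(b, b->outlen, '\0');
    return 0;
}

/* Fixed shape: reserve the terminator slot up front (the +1). */
static int add_string_fixed(strbuf *b, const char *add) {
    if (add == NULL) add = "(null)";
    size_t addlen = strlen(add);
    if (buf_alloc(b, b->outlen + addlen + 1) != 0) return -1;
    for (size_t i = 0; i < addlen; i++) checked_put(b, b->outlen + i, add[i]);
    b->outlen += addlen;
    checked_put(b, b->outlen, '\0');
    return 0;
}

/* Append every piece with the chosen routine; return 1 if an out-of-bounds
 * store was attempted, 0 if not, -1 on allocation failure. */
int terminator_overflows(int use_fixed, const char *const *pieces, size_t n) {
    strbuf b = {0};
    for (size_t i = 0; i < n; i++) {
        int rc = use_fixed ? add_string_fixed(&b, pieces[i])
                           : add_string_vuln(&b, pieces[i]);
        if (rc != 0) { free(b.data); return -1; }
    }
    int r = b.overflowed;
    free(b.data);
    return r;
}

/* Constructed sample: two pieces totalling exactly 16 bytes, so the used
 * length lands precisely on the first allocation boundary. */
static const char *const SAMPLE_PIECES[] = { "SASL(-13): ", "fail!" };
static const size_t SAMPLE_COUNT = 2;

int vuln_overflows_on_sample(void)  { return terminator_overflows(0, SAMPLE_PIECES, SAMPLE_COUNT); }
int fixed_overflows_on_sample(void) { return terminator_overflows(1, SAMPLE_PIECES, SAMPLE_COUNT); }

int main(void) {
    printf("vulnerable sizing: terminator out of bounds = %d\n", vuln_overflows_on_sample());
    printf("fixed sizing:      terminator out of bounds = %d\n", fixed_overflows_on_sample());
    return 0;
}
```

The bug only bites when the used length lands exactly on an allocation boundary, which is why it can sit unnoticed until an attacker-influenced message (the advisory mentions a remote trigger) produces that length; any realistic fuzz harness for a string-building routine should include inputs whose total length equals each growth threshold.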

Comment 5 Herman Viaene 2020-01-04 14:59:04 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 11112 for tests, points to accessing samba.
So tried
$ strace -o sasl-txt smbtree -S
Unable to initialize messaging context
Enter MYGROUP\tester7's password: 
WORKGROUP
        \\MACH1                         Samba Server Version 4.10.11
trace shows
openat(AT_FDCWD, "/lib64/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 3
Looked into contents of cyrus-sasl and found daemon, so
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl -l start saslauthd
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-01-04 14:51:43 CET; 3s ago
  Process: 29476 ExecStart=/usr/sbin/saslauthd -m /run/saslauthd -a $SASL_AUTHMECH $SASLAUTHD_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 29477 (saslauthd)
   Memory: 1.4M
   CGroup: /system.slice/saslauthd.service
           ├─29477 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29478 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29479 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29480 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           └─29481 /usr/sbin/saslauthd -m /run/saslauthd -a pam

jan 04 14:51:43 mach5.hviaene.thuis systemd[1]: Starting SASL authentication daemon....
jan 04 14:51:43 mach5.hviaene.thuis saslauthd[29477]:                 : master pid is: 29477
jan 04 14:51:43 mach5.hviaene.thuis saslauthd[29477]:                 : listening on socket: /run/saslauthd/mux
jan 04 14:51:43 mach5.hviaene.thuis systemd[1]: Started SASL authentication daemon..
I could not make sense of the other commands, but what I see looks good. OK'ing unless someone else has better ideas

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-01-04 23:38:40 CET
Good enough for me, Herman. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 14:28:30 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-01-05 16:39:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0011.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

