CVE-2009-0688

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2009-0688
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2009-05-15 15:30:00 UTC
Updated2017-09-29 01:33:00 UTC
DescriptionMultiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Carnegie Mellon University Cyrus-sasl 1.4.1 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.0 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.10 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.11 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.13 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.15 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.16 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.2 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.20 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.21 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.22 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.23 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.24 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.26 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.27 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.28 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.3 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.5 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.0 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.1 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.2 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.3 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.4 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.5 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.0 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.1 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.10 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.11 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.12 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.13 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.14 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.15 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.16 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.17 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.18 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.19 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.2 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.20 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.21 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.3 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.5 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.6 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.7 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.8 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.9 All All All
Application Carnegie Mellon University Cyrus-sasl 1.4.1 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.0 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.10 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.11 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.13 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.15 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.16 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.2 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.20 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.21 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.22 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.23 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.24 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.26 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.27 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.28 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.3 All All All
Application Carnegie Mellon University Cyrus-sasl 1.5.5 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.0 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.1 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.2 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.3 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.4 All All All
Application Carnegie Mellon University Cyrus-sasl 2.0.5 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.0 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.1 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.10 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.11 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.12 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.13 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.14 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.15 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.16 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.17 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.18 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.19 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.2 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.20 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.21 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.3 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.5 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.6 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.7 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.8 All All All
Application Carnegie Mellon University Cyrus-sasl 2.1.9 All All All
Application Carnegie Mellon University Cyrus-sasl All All All All

References

ReferenceSourceLinkTags
Sun Solaris SASL Library Buffer Overflow Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com
54515 OSVDB osvdb.org
ASA-2009-184 (SUN 259148) CONFIRM support.avaya.com
Cyrus SASL 'sasl_encode64()' Remote Buffer Overflow Vulnerability BID www.securityfocus.com Patch
Oracle Critical Patch Update Advisory - April 2010 CONFIRM www.oracle.com
USN-790-1: Cyrus SASL vulnerability | Ubuntu UBUNTU www.ubuntu.com
US-CERT Vulnerability Note VU#238019 CERT-VN www.kb.cert.org Patch, US Government Resource
ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz CONFIRM ftp.andrew.cmu.edu Patch
Cyrus SASL Buffer Overflow in sasl_encode64 Lets Remote Users Execute Arbitrary Code - SecurityTracker SECTRACK www.securitytracker.com
US-CERT Technical Cyber Security Alert TA10-103B -- Oracle Updates for Multiple Vulnerabilities CERT www.us-cert.gov US Government Resource
Repository / Oval Repository OVAL oval.cisecurity.org
#259148: Security Vulnerability in the Solaris Simple Authentication and Security Layer (SASL) Library (see libsasl(3LIB)) Routine sasl_encode64(3SASL) may Allow Unprivileged Users to Crash Applications Using this Function SUNALERT sunsolve.sun.com
Gentoo update for cyrus-sasl - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com
Debian -- Security Information -- DSA-1807-1 cyrus-sasl2, cyrus-sasl2-heimdal DEBIAN www.debian.org
264248 SUNALERT sunsolve.sun.com
Advisories:rPSA-2009-0091 - rPath Wiki CONFIRM wiki.rpath.com
rPath update for cyrus-sasl - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com
APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3 APPLE lists.apple.com
Slackware update for cyrus-sasl - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com
Red Hat update for cyrus-imapd - Secunia.com SECUNIA secunia.com
#273910: This Alert covers CVE-2009-2404 and CVE-2009-0688 for the Directory Server component of the Sun ONE Directory Server and Sun Java System Directory Server products. SUNALERT sunsolve.sun.com
SUSE Update for Multiple Packages - Advisories - Community SECUNIA secunia.com
1020755 SUNALERT sunsolve.sun.com
Avaya CMS Solaris SASL Library Buffer Overflow Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com
Sun Java System Directory Server Two Vulnerabilities - Secunia.com SECUNIA secunia.com
Support / Security / Advisories / / MDVSA-2009:113 | Mandriva MANDRIVA www.mandriva.com
Debian update for cyrus-sasl2 and cyrus-sasl2-heimdal - Secunia.com SECUNIA secunia.com
54514 OSVDB osvdb.org
Repository / Oval Repository OVAL oval.cisecurity.org
The Slackware Linux Project: Slackware Security Advisories SLACKWARE slackware.com
1021699 SUNALERT sunsolve.sun.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com
Cyrus SASL "sasl_encode64()" Buffer Overflow Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com
About the security content of Security Update 2010-002 / Mac OS X v10.6.3 CONFIRM support.apple.com
IBM X-Force Exchange XF exchange.xforce.ibmcloud.com
Gentoo Linux Documentation -- Cyrus-SASL: Execution of arbitrary code GENTOO security.gentoo.org
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:011 SUSE lists.opensuse.org
Support REDHAT www.redhat.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

OrganizationPublishedContributorStatement
Red Hat2009-06-19Tomas HogerThe upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux. Therefore, there is no plan to address this problem directly in cyrus-sasl packages. All applications shipped in Red Hat Enterprise Linux and using affected sasl_encode64() function were investigated and patched if their use of the function could have security consequences. See following bug report for further details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0688#c20
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report