Bug 1159635 (CVE-2019-19906) - VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet
Status: RESOLVED FIXED
Alias: CVE-2019-19906
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/249586/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-19906:7.5:(AV...
Reported: 2019-12-20 09:48 UTC by Alexandros Toptsoglou
Modified: 2024-05-22 14:27 UTC
Found By: Security Response Team

Description Alexandros Toptsoglou 2019-12-20 09:48:52 UTC
CVE-2019-19906

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to
unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP
packet. The OpenLDAP crash is ultimately caused by an off-by-one error in
_sasl_add_string in common.c in cyrus-sasl.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19906
https://github.com/cyrusimap/cyrus-sasl/issues/587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
https://www.openldap.org/its/index.cgi/Incoming?id=9123
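The bug class named in the report, a string append that requests capacity for the appended bytes but not for the NUL terminator, as an added, constructed C model; this is not the cyrus-sasl source, and `strbuf`, `grow` and `add_string` are hypothetical names. With `fixed == 0` the model requests the short allocation and detects the out-of-bounds terminator write instead of performing it; with `fixed == 1` it reserves the extra byte, which is the shape of the fix.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a NUL-terminated string builder with explicit
 * capacity tracking. Not the cyrus-sasl implementation; names are hypothetical. */
typedef struct {
    char *buf;     /* heap buffer, kept NUL-terminated after a successful append */
    size_t alloc;  /* bytes allocated for buf */
    size_t len;    /* bytes in use, excluding the terminator */
} strbuf;

/* Exact-fit reallocation (an assumption of this model) so that the
 * boundary case is deterministic rather than hidden by rounding. */
static int grow(strbuf *s, size_t need)
{
    if (s->alloc >= need) return 0;
    char *p = realloc(s->buf, need);
    if (p == NULL) return -1;
    s->buf = p;
    s->alloc = need;
    return 0;
}

/* Append `add` to the buffer. fixed == 0 sizes the request as len + addlen
 * (the off-by-one pattern: no room for the terminator); fixed == 1 sizes it
 * as len + addlen + 1. The explicit bounds check below refuses to write the
 * terminator outside the allocation and reports -1 instead. */
int add_string(strbuf *s, const char *add, int fixed)
{
    if (add == NULL) add = "(null)";
    size_t addlen = strlen(add);
    size_t request = s->len + addlen + (fixed ? 1 : 0);
    if (grow(s, request) != 0) return -1;
    /* Data plus terminator must fit; otherwise buf[len + addlen] is out of bounds. */
    if (s->len + addlen + 1 > s->alloc) return -1;
    memcpy(s->buf + s->len, add, addlen);
    s->len += addlen;
    s->buf[s->len] = '\0';
    return 0;
}

void strbuf_free(strbuf *s)
{
    free(s->buf);
    s->buf = NULL;
    s->alloc = s->len = 0;
}
```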
Comment 1 Swamp Workflow Management 2020-01-02 09:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1159635) was mentioned in
https://build.opensuse.org/request/show/760381 Factory / cyrus-sasl
Comment 8 Swamp Workflow Management 2020-12-17 23:19:13 UTC
SUSE-SU-2020:14579-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1159635
CVE References: CVE-2019-19906
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    cyrus-sasl-2.1.22-182.26.4.1, cyrus-sasl-saslauthd-2.1.22-182.26.4.1
SUSE Linux Enterprise Server 11-SECURITY (src):    cyrus-sasl-openssl1-2.1.22-182.26.4.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    cyrus-sasl-2.1.22-182.26.4.1, cyrus-sasl-saslauthd-2.1.22-182.26.4.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    cyrus-sasl-2.1.22-182.26.4.1, cyrus-sasl-saslauthd-2.1.22-182.26.4.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    cyrus-sasl-2.1.22-182.26.4.1, cyrus-sasl-openssl1-2.1.22-182.26.4.1, cyrus-sasl-saslauthd-2.1.22-182.26.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-12-28 17:15:43 UTC
SUSE-SU-2020:3939-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1159635
CVE References: CVE-2019-19906
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE OpenStack Cloud Crowbar 8 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE OpenStack Cloud 9 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE OpenStack Cloud 8 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE OpenStack Cloud 7 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server 12-SP5 (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    cyrus-sasl-2.1.26-8.13.1
SUSE Enterprise Storage 5 (src):    cyrus-sasl-2.1.26-8.13.1
HPE Helion Openstack 8 (src):    cyrus-sasl-2.1.26-8.13.1
Comment 17 Thomas Leroy 2022-08-08 12:30:12 UTC
Hi Peter, the old submission for SUSE:SLE-15:Update/{cyrus-sasl-saslauthd, cyrus-sasl-sasl} didn't fix the issue. I think we will need another submission for those two packages in this codestream. 
Moreover, it seems that SUSE:SLE-12:Update/cyrus-sasl-saslauthd never had the fix
Comment 18 Thomas Leroy 2022-09-05 12:14:04 UTC
(In reply to Thomas Leroy from comment #17)
> Hi Peter, the old submission for SUSE:SLE-15:Update/{cyrus-sasl-saslauthd,
> cyrus-sasl-sasl} didn't fix the issue. I think we will need another
> submission for those two packages in this codestream. 
> Moreover, it seems that SUSE:SLE-12:Update/cyrus-sasl-saslauthd never had
> the fix

Any news Peter?
Comment 19 Peter Varkoly 2022-09-09 11:55:35 UTC
(In reply to Thomas Leroy from comment #18)
> (In reply to Thomas Leroy from comment #17)
> > Hi Peter, the old submission for SUSE:SLE-15:Update/{cyrus-sasl-saslauthd,
> > cyrus-sasl-sasl} didn't fix the issue. I think we will need another
> > submission for those two packages in this codestream. 
I've created an SR: 279314

> > Moreover, it seems that SUSE:SLE-12:Update/cyrus-sasl-saslauthd never had
> > the fix
 
cyrus-sasl-saslauthd.spec of SUSE_SLE-12_Update contains the patch already since "Dec 10 18:58:39 UTC 2020"
> 
> Any news Peter?
Comment 20 Thomas Leroy 2022-09-09 12:05:04 UTC
(In reply to Peter Varkoly from comment #19)
> (In reply to Thomas Leroy from comment #18)
> > (In reply to Thomas Leroy from comment #17)
> > > Hi Peter, the old submission for SUSE:SLE-15:Update/{cyrus-sasl-saslauthd,
> > > cyrus-sasl-sasl} didn't fix the issue. I think we will need another
> > > submission for those two packages in this codestream. 
> I've created a SR: 279314

Thanks!

> > > Moreover, it seems that SUSE:SLE-12:Update/cyrus-sasl-saslauthd never had
> > > the fix
>  
> cyrus-sasl-saslauthd.spec of SUSE_SLE-12_Update contains the patch already
> since "Dec 10 18:58:39 UTC 2020"

The CVE and bsc references are missing in the changes file, that's why we lost track of it. Could you please include them in the next SUSE:SLE-12:Update/cyrus-sasl-saslauthd submission? Or create a new submission with only the references added.
Comment 22 Peter Varkoly 2022-09-09 14:26:56 UTC
(In reply to Thomas Leroy from comment #20)
> (In reply to Peter Varkoly from comment #19)
> > (In reply to Thomas Leroy from comment #18)
> > > (In reply to Thomas Leroy from comment #17)
> > > > Hi Peter, the old submission for SUSE:SLE-15:Update/{cyrus-sasl-saslauthd,
> > > > cyrus-sasl-sasl} didn't fix the issue. I think we will need another
> > > > submission for those two packages in this codestream. 
> > I've created a SR: 279314
> 
> Thanks!
> 
> > > > Moreover, it seems that SUSE:SLE-12:Update/cyrus-sasl-saslauthd never had
> > > > the fix
> >  
> > cyrus-sasl-saslauthd.spec of SUSE_SLE-12_Update contains the patch already
> > since "Dec 10 18:58:39 UTC 2020"
> 
> The CVE and bsc references are missing in the changes file, that's why we
> lost track of it. Could you please include them in the next
> SUSE:SLE-12:Update/cyrus-sasl-saslauthd submission? Or create a new
> submission with only the references added

Hm, it is very strange. In the accepted SR the references are in cyrus-sasl-saslauthd.changes there:
https://build.suse.de/request/show/232584
Comment 23 Swamp Workflow Management 2022-10-07 16:22:51 UTC
SUSE-SU-2022:3549-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1159635
CVE References: CVE-2019-19906
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Manager Retail Branch Server 4.1 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Manager Proxy 4.1 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server for SAP 15 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise Server 15-LTSS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Enterprise Storage 7 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE Enterprise Storage 6 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
SUSE CaaS Platform 4.0 (src):    cyrus-sasl-2.1.26-150000.5.13.1, cyrus-sasl-saslauthd-2.1.26-150000.5.13.1
Comment 24 Peter Varkoly 2022-11-03 05:23:15 UTC
Can be closed.
Comment 26 Andrea Mattiazzo 2024-05-22 14:27:56 UTC
All done, closing.