[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
This bug was fixed in the package cyrus-sasl2 - 2.1.25.dfsg1-6ubuntu0.1

---------------
cyrus-sasl2 (2.1.25.dfsg1-6ubuntu0.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid salt (LP: #1187001)
    - debian/patches/CVE-2013-4122.patch: properly handle glibc returning
      NULL on an invalid salt in pwcheck/pwcheck_getpwnam.c,
      pwcheck/pwcheck_getspnam.c, saslauthd/auth_getpwent.c,
      saslauthd/auth_shadow.c.
    - CVE-2013-4122
 -- Marc Deslauriers  Mon, 07 Oct 2013 08:40:56 -0400

** Changed in: cyrus-sasl2 (Ubuntu Raring)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1187001

Title:
  saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b716+1ad000]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1187001/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
This issue only affects Raring and newer. Already fixed in saucy.

** Also affects: cyrus-sasl2 (Ubuntu Lucid)
   Importance: Undecided
       Status: New
** Also affects: cyrus-sasl2 (Ubuntu Precise)
   Importance: Undecided
       Status: New
** Also affects: cyrus-sasl2 (Ubuntu Quantal)
   Importance: Undecided
       Status: New
** Also affects: cyrus-sasl2 (Ubuntu Saucy)
   Importance: High
       Status: Confirmed
** Also affects: cyrus-sasl2 (Ubuntu Raring)
   Importance: Undecided
       Status: New
** Changed in: cyrus-sasl2 (Ubuntu Lucid)
       Status: New => Invalid
** Changed in: cyrus-sasl2 (Ubuntu Precise)
       Status: New => Invalid
** Changed in: cyrus-sasl2 (Ubuntu Raring)
   Importance: Undecided => Medium
** Changed in: cyrus-sasl2 (Ubuntu Raring)
       Status: New => Confirmed
** Changed in: cyrus-sasl2 (Ubuntu Raring)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: cyrus-sasl2 (Ubuntu Quantal)
       Status: New => Invalid
** Changed in: cyrus-sasl2 (Ubuntu Saucy)
       Status: Confirmed => Fix Released
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
Mancha, thanks! I'm sorry I overlooked it. (Even worse, I did the triage way back when I forgot about it in the meantime: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4122.html)
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
I just updated the upstream bugzilla report to reflect the CVE assignment and link my point release patches.

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3803

** Bug watch added: bugzilla.cyrusimap.org/ #3803
   http://bugzilla.cyrusimap.org/show_bug.cgi?id=3803
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
Hi.

This issue was assigned CVE-2013-4122: http://openwall.com/lists/oss-security/2013/07/13/1

--mancha

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4122
Re: [Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
On 02/10/2013 08:09, Seth Arnold wrote:
> Are you confident about multi-threading? I don't see any linker commands
> to link against the threading libraries in our build logs:
> https://launchpadlibrarian.net/92810645/buildlog_ubuntu-precise-amd64.cyrus-sasl2_2.1.25.dfsg1-3_BUILDING.txt.gz
> and I also see extensive use of fork(2) in the upstream git:
> http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/saslauthd-main.c?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
>
> From just the five minutes I've looked, I'd say it looks like usual
> Unix-style preforking server, not threaded server.
>

Hi

I'm not an expert on this. But when compiled with --with-ipctype=doors it will use pthreads.

Also, the auth_shadow.c contains #ifdef _REENTRANT directives, suggesting possible multi-threaded use.

So someone (perhaps upstream) should make sure the code is safe to use in all configurations.

CU, Arno
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
I think default THREADS=5 in /etc/default/saslauthd, after these all crash [as above] then that's the end of SASL working. (at least that is what happened for me, repeatedly).

Setting this to THREADS=0 has worked around the issue (for me anyway) as it makes it fork instead.
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
Are you confident about multi-threading? I don't see any linker commands to link against the threading libraries in our build logs:
https://launchpadlibrarian.net/92810645/buildlog_ubuntu-precise-amd64.cyrus-sasl2_2.1.25.dfsg1-3_BUILDING.txt.gz
and I also see extensive use of fork(2) in the upstream git:
http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/saslauthd-main.c?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d

From just the five minutes I've looked, I'd say it looks like usual Unix-style preforking server, not threaded server.

Thanks
Re: [Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
Hi

Thanks. Also note the use of crypt() in a multithreaded application. Must be crypt_r().

CU, Arno

Seth Arnold <1187...@bugs.launchpad.net> wrote:
> I think this hasn't been addressed in part because it didn't get a CVE
> number: http://openwall.com/lists/oss-security/2013/07/12/4
>
> Since the service appears to be restarting without qualm, I can see why
> it didn't get a CVE, but this does seem less than awesome.
>
> Mancha made a lot of patches for services when the crypt() change
> happened, here's an email from him with upstream patch and two
> backported patches: http://openwall.com/lists/oss-security/2013/07/12/3
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
I think this hasn't been addressed in part because it didn't get a CVE number: http://openwall.com/lists/oss-security/2013/07/12/4

Since the service appears to be restarting without qualm, I can see why it didn't get a CVE, but this does seem less than awesome.

Mancha made a lot of patches for services when the crypt() change happened, here's an email from him with upstream patch and two backported patches: http://openwall.com/lists/oss-security/2013/07/12/3
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
** Information type changed from Public to Public Security
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
BTW, shouldn't saslauthd use crypt_r(), it being a multi-threaded beasty? ;o)
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
Hi all

I can reproduce the problem when I run saslauthd with authmech shadow:

    saslauthd -a shadow

and then try to authenticate users that have a crippled /etc/shadow entry. By crippled I mean ! or * as password entry, as for root, mail, nobody.

When I run the 2.1.25 stock source with debugging symbols in gdb with "-a shadow -n 1 -d -m /var/run/saslauthd/mux" as param, I get:

    Program received signal SIGSEGV, Segmentation fault.
    0xb7e6e6f1 in ?? () from /lib/i386-linux-gnu/libc.so.6
    (gdb) where
    #0  0xb7e6e6f1 in ?? () from /lib/i386-linux-gnu/libc.so.6
    #1  0xb7e6e326 in strdup () from /lib/i386-linux-gnu/libc.so.6
    #2  0x0804b910 in auth_shadow (login=0xb098 "root", password=0xb199 "dfsdf", service=0xb29a "ldap", realm=0xb39b "") at auth_shadow.c:188
    #3  0x0804ed3f in do_auth (_login=_login@entry=0xb098 "root", password=password@entry=0xb199 "dfsdf", service=service@entry=0xb29a "ldap", realm=realm@entry=0xb39b "") at saslauthd-main.c:410
    #4  0x0804dd17 in do_request (conn_fd=conn_fd@entry=9) at ipc_unix.c:426
    #5  0x0804e547 in ipc_loop () at ipc_unix.c:277
    #6  0x080499c1 in main (argc=8, argv=0xb5e4) at saslauthd-main.c:369

Offending line is:

    cpw = strdup((const char *)crypt(password, sp->sp_pwdp));

where crypt() returns NULL for the crippled shadow entries.

Proposed patch:

    char *encpwd = crypt(password, sp->sp_pwdp);
    if (encpwd == NULL) {
        if (flags & VERBOSE) {
            syslog(LOG_DEBUG, "DEBUG: auth_shadow: crypt returned NULL");
        }
        RETURN("NO");
    }
    cpw = strdup((const char *)encpwd);
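Added example (not part of the thread and not cyrus-sasl2 code): the NULL check from the proposed patch above, exercised against locked shadow fields. `shadow_check` and `stub_crypt` are hypothetical names; `stub_crypt` is a constructed stand-in for a crypt() that returns NULL on an invalid salt, used so the example builds without libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the example needs no libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in, NOT a real hash: models only traditional two-character
 * salts and returns NULL for anything else, the way the changelog on this page
 * describes glibc answering an invalid salt such as "!" or "*". */
static char *stub_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    static char out[128];
    if (strlen(salt) < 2 || !strchr(ok, salt[0]) || !strchr(ok, salt[1]))
        return NULL;
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* Returns 1 if password matches the stored shadow field, 0 otherwise.
 * A NULL from crypt() is an authentication failure, never passed on to
 * strdup() or strcmp(), which would dereference it. */
int shadow_check(const char *password, const char *stored, crypt_fn do_crypt)
{
    if (password == NULL || stored == NULL)
        return 0;
    char *enc = do_crypt(password, stored);
    if (enc == NULL)   /* invalid salt: locked or disabled account */
        return 0;
    return strcmp(enc, stored) == 0;
}

int main(void)
{
    /* Constructed sample rows: login, shadow password field, attempt. */
    const char *rows[][3] = {
        {"root",  "!",         "dfsdf"},
        {"mail",  "*",         "dfsdf"},
        {"alice", "abhunter2", "hunter2"},
        {"alice", "abhunter2", "wrong"},
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("%-5s %s\n", rows[i][0],
               shadow_check(rows[i][2], rows[i][1], stub_crypt) ? "OK" : "NO");
    return 0;
}
```
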
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
If anyone else is suffering this, I installed fail2ban as a workaround; the attacker's IP gets banned before SASL falls over.
[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]
** Changed in: cyrus-sasl2 (Ubuntu)
       Status: New => Confirmed
** Changed in: cyrus-sasl2 (Ubuntu)
   Importance: Undecided => High