CVE-2019-19906

NameCVE-2019-19906
Descriptioncyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2044-1, DSA-4591-1
Debian Bugs947043

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cyrus-sasl2 (PTS)buster, buster (security)2.1.27+dfsg-1+deb10u2fixed
bullseye (security), bullseye2.1.27+dfsg-2.1+deb11u1fixed
bookworm, sid2.1.28+dfsg-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cyrus-sasl2sourcejessie2.1.26.dfsg1-13+deb8u2DLA-2044-1
cyrus-sasl2sourcestretch2.1.27~101-g0780600+dfsg-3+deb9u1DSA-4591-1
cyrus-sasl2sourcebuster2.1.27+dfsg-1+deb10u1DSA-4591-1
cyrus-sasl2source(unstable)2.1.27+dfsg-2947043

Notes

https://github.com/cyrusimap/cyrus-sasl/issues/587
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 (master)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/f96ba043fb9ffd30f7089564164203136506e7ab (master)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/332b8c591b662bce4a2dae55cad9784e15096908 (cyrus-sasl-2.1.28)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/5ac1beeb574cd9d0a518d72330b19d2460688089 (cyrus-sasl-2.1.28)
https://www.openldap.org/its/index.cgi/Incoming?id=9123
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
DSA-4591-1 applied only the first part of the fix which was incomplete (but can be
considered a functional incomplete fix, thus not warranting a CVE):
https://github.com/cyrusimap/cyrus-sasl/pull/655
The functional incomplete fix was already addressed in unstable with 2.1.27+dfsg2-1

Search for package or bug name: Reporting problems