From arkadi@hosting.lv  Tue Dec 17 16:46:40 2002
Return-Path: <arkadi@hosting.lv>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 974B637B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 17 Dec 2002 16:46:40 -0800 (PST)
Received: from idea.hosting.lv (idea.hosting.lv [62.85.37.81])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 919CF43EA9
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 17 Dec 2002 16:46:39 -0800 (PST)
	(envelope-from arkadi@hosting.lv)
Received: from arkadi by idea.hosting.lv with local 
	id 18OSMH-000CrN-00
	for FreeBSD-gnats-submit@freebsd.org; Wed, 18 Dec 2002 02:46:45 +0200
Message-Id: <E18OSMH-000CrN-00@idea.hosting.lv>
Date: Wed, 18 Dec 2002 02:46:45 +0200
From: Arkadi Shishlov <arkadi@hosting.lv>
Reply-To: Arkadi Shishlov <arkadi@hosting.lv>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: security/cyrus-sasl 1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         46338
>Category:       ports
>Synopsis:       security/cyrus-sasl 1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 17 16:50:01 PST 2002
>Closed-Date:    Fri Sep 16 20:54:52 GMT 2005
>Last-Modified:  Fri Sep 16 20:54:52 GMT 2005
>Originator:     Arkadi Shishlov
>Release:        FreeBSD 4.6.2-RELEASE i386
>Organization:
>Environment:
System: FreeBSD idea.hosting.lv 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Mon Aug 19 20:10:07 EEST 2002 root@idea.hosting.lv:/usr/src/sys/compile/idea i386


>Description:

Take a look at the following snippet of code from cyrus-sasl/lib/checkpw.c
patched with MySQL authentication:

static int mysql_verify_password(sasl_conn_t *conn,
                                const char *userid,
                                const char *password,
                                const char *service __attribute__((unused)),
                                const char *user_realm __attribute__((unused)),
                                const char **reply)
{
[...]
   cur_host = db_host;
   while ( cur_host != NULL || sock == NULL) {
     db_host = strchr(db_host,',');
     if ( db_host != NULL ) {   
       db_host[0] = 0x00;
       /* loop till we find some text */
       while (!isalnum(db_host[0]) )
           db_host++;
     }
     sock = mysql_connect(&mysql,db_host,db_user,db_passwd);
     cur_host = db_host;
   }
[...]

db_host is a string, "localhost" for example. On the first while() pass, strchr()
returns NULL, so mysql_connect() is called with db_host == NULL. Bad. It is OK
when db_host == "localhost", because a NULL value is a special case meaning "localhost"
for mysql_connect(). Consider that there is no database at localhost, or that db_host was not
"localhost" but "db.domain.com". mysql_connect() fails to connect and sock == NULL.
db_host == NULL. The while() condition is still true and strchr() is called on a NULL value.
Segfault. This 'parser' is horribly broken.

>How-To-Repeat:
Set up some software that uses SASL for authentication, for example Cyrus-IMAP.
Set it up to use MySQL and supply some invalid values in the config to be sure
mysql_connect() cannot connect to that destination. Try to log in; the IMAP
daemon will segfault.
>Fix:
>Release-Note:
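The following is an added illustration of a host-list loop that avoids the failure modes visible in the quoted snippet; it is not code from this PR, from cyrus-sasl or from the port. The host list is split into a copy of each token instead of being modified in place, a NULL or empty list yields zero hosts (so NULL is never handed to the connect routine, where it would silently mean "localhost"), the scan for the next token stops at the terminator, and the loop is bounded by the token count rather than by a pointer that can become NULL. The connect routine is a constructed stand-in, fake_connect(), passed as a callback in place of mysql_connect(); the host names are made-up .invalid names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 8
#define MAX_HOST_LEN 64

/* Split a comma-separated host list into trimmed, non-empty copies.
 * Returns the number of hosts stored; NULL or an empty/blank list gives 0.
 * The input string is never modified, and the scan never runs past '\0'. */
int split_host_list(const char *list, char hosts[][MAX_HOST_LEN], int max_hosts)
{
    int n = 0;
    const char *p = list;

    if (list == NULL)
        return 0;

    while (n < max_hosts) {
        /* skip separators and whitespace; stop cleanly at the terminator */
        while (*p == ',' || isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;

        const char *start = p;
        while (*p != '\0' && *p != ',')
            p++;
        const char *end = p;
        /* trim trailing whitespace from the token */
        while (end > start && isspace((unsigned char)end[-1]))
            end--;

        size_t len = (size_t)(end - start);
        if (len >= MAX_HOST_LEN)
            len = MAX_HOST_LEN - 1;   /* truncate rather than overflow */
        memcpy(hosts[n], start, len);
        hosts[n][len] = '\0';
        n++;
    }
    return n;
}

/* Connect callback: non-zero on success. Stands in for mysql_connect(). */
typedef int (*connect_fn)(const char *host, void *ctx);

/* Try each host in order. Returns the index of the first host that
 * connected, or -1 if none did (including for a NULL or empty list).
 * The callback is only ever given a non-NULL, non-empty host name. */
int connect_first_host(const char *list, connect_fn try_connect, void *ctx)
{
    char hosts[MAX_HOSTS][MAX_HOST_LEN];
    int n = split_host_list(list, hosts, MAX_HOSTS);

    for (int i = 0; i < n; i++) {
        if (try_connect(hosts[i], ctx))
            return i;
    }
    return -1;
}

/* Constructed stand-in for mysql_connect(): only the host named in ctx
 * "accepts" a connection, every other name fails. */
static int fake_connect(const char *host, void *ctx)
{
    const char *reachable = (const char *)ctx;
    return strcmp(host, reachable) == 0;
}

int main(void)
{
    /* constructed input: two unreachable names, then localhost, trailing comma */
    const char *list = "db1.example.invalid, db2.example.invalid,localhost,";

    printf("reachable index: %d\n",
           connect_first_host(list, fake_connect, (void *)"localhost"));      /* 2 */
    printf("all unreachable: %d\n",
           connect_first_host("nowhere.invalid", fake_connect, (void *)"localhost")); /* -1 */
    printf("NULL list:       %d\n",
           connect_first_host(NULL, fake_connect, (void *)"localhost"));      /* -1 */
    return 0;
}
```

With the quoted loop, the second and third cases are exactly the ones that pass NULL to strchr() after the first failed connect; here they simply return -1 and the caller can report "no database host reachable" instead of crashing the daemon.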
>Audit-Trail:

From: Peter Pentchev <roam@ringlet.net>
To: Arkadi Shishlov <arkadi@hosting.lv>
Cc: "Scot W. Hetzel" <hetzels@westbend.net>, bug-followup@FreeBSD.org
Subject: Re: ports/46338: cyrus-sasl-1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
Date: Wed, 18 Dec 2002 10:16:10 +0200

 On Wed, Dec 18, 2002 at 02:46:45AM +0200, Arkadi Shishlov wrote:
 > 
 > >Number:         46338
 > >Category:       ports
 > >Synopsis:       cyrus-sasl-1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
 
 Is the port maintainer aware of this problem report?
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 .siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From: Arkadi Shishlov <arkadi@hosting.lv>
To: Peter Pentchev <roam@ringlet.net>
Cc: "Scot W. Hetzel" <hetzels@westbend.net>, bug-followup@FreeBSD.org
Subject: Re: ports/46338: cyrus-sasl-1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
Date: Wed, 18 Dec 2002 11:29:17 +0200

 On Wed, Dec 18, 2002 at 10:16:10AM +0200, Peter Pentchev wrote:
 > On Wed, Dec 18, 2002 at 02:46:45AM +0200, Arkadi Shishlov wrote:
 > > 
 > > >Number:         46338
 > > >Category:       ports
 > > >Synopsis:       cyrus-sasl-1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
 > 
 > Is the port maintainer aware of this problem report?
 
 The last time I contacted him with another, unrelated enhancement patch I
 got no response, so, thinking send-pr is the preferred method, I opened a PR.
 
 
 arkadi.
State-Changed-From-To: feedback->closed 
State-Changed-By: edwin 
State-Changed-When: Sat Sep 27 18:35:21 PDT 2003 
State-Changed-Why:  
If this is still a problem with the latest (3.23.58) one, please 
resubmit the problem. Most likely it was caused by the port not running 
ldconfig. If it still occurs, please add the output 
of "ldconfig -r" to the PR. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=44799 
State-Changed-From-To: open->open 
State-Changed-By: edwin 
State-Changed-When: Sat Sep 27 18:35:21 PDT 2003 
State-Changed-Why:  
euhmm.. I'll re-edit this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=45210 
State-Changed-From-To: open->open 
State-Changed-By: edwin 
State-Changed-When: Sat Sep 27 18:35:21 PDT 2003 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=46024 
State-Changed-From-To: open->open 
State-Changed-By: edwin 
State-Changed-When: Sat Sep 27 18:35:21 PDT 2003 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=46338 
State-Changed-From-To: open->feedback 
State-Changed-By: pav 
State-Changed-When: Tue Dec 30 06:32:23 PST 2003 
State-Changed-Why:  
Do you have a patch for this? Or, does cyrus-sasl2 work 
for you? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46338 

From: Arkadi Shishlov <arkadi@hosting.lv>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/46338: security/cyrus-sasl 1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
Date: Tue, 30 Dec 2003 18:07:22 +0200

 No patch.
 I use cyrus-imapd (2.0) so I guess we are stuck with cyrus-sasl (1.5).
State-Changed-From-To: feedback->suspended 
State-Changed-By: pav 
State-Changed-When: Tue Dec 30 16:14:11 PST 2003 
State-Changed-Why:  
Marking suspended, patch to fix described problem is welcome. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46338 
State-Changed-From-To: suspended->closed 
State-Changed-By: pav 
State-Changed-When: Fri Sep 16 20:54:35 GMT 2005 
State-Changed-Why:  
After almost two years, no activity. Sorry we couldn't help you better. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46338 
>Unformatted:
