CVE-2013-4122

Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
VendorProductVersion
cmucyrus-sasl
𝑥
≤ 2.1.26
cmucyrus-sasl
1.5.28
cmucyrus-sasl
2.1.19
cmucyrus-sasl
2.1.20
cmucyrus-sasl
2.1.21
cmucyrus-sasl
2.1.22
cmucyrus-sasl
2.1.23
cmucyrus-sasl
2.1.24
cmucyrus-sasl
2.1.25
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cyrus-sasl2
bullseye (security)
2.1.27+dfsg-2.1+deb11u1
fixed
bullseye
2.1.27+dfsg-2.1+deb11u1
fixed
wheezy
not-affected
squeeze
not-affected
bookworm
2.1.28+dfsg-10
fixed
sid
2.1.28+dfsg1-8
fixed
trixie
2.1.28+dfsg1-8
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cyrus-sasl2
vivid
Fixed 2.1.26.dfsg1-13ubuntu0.1
released
trusty
not-affected
raring
Fixed 2.1.25.dfsg1-6ubuntu0.1
released
quantal
not-affected
precise
not-affected
lucid
not-affected
Common Weakness Enumeration
References
http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
http://security.gentoo.org/glsa/glsa-201309-01.xml
http://www.debian.org/security/2015/dsa-3368
http://www.openwall.com/lists/oss-security/2013/07/12/3
http://www.openwall.com/lists/oss-security/2013/07/12/6
http://www.openwall.com/lists/oss-security/2013/07/13/1
http://www.openwall.com/lists/oss-security/2013/07/15/1
http://www.ubuntu.com/usn/USN-2755-1
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/
http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
http://security.gentoo.org/glsa/glsa-201309-01.xml
http://www.debian.org/security/2015/dsa-3368
http://www.openwall.com/lists/oss-security/2013/07/12/3
http://www.openwall.com/lists/oss-security/2013/07/12/6
http://www.openwall.com/lists/oss-security/2013/07/13/1
http://www.openwall.com/lists/oss-security/2013/07/15/1
http://www.ubuntu.com/usn/USN-2755-1
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/