Re: Any info on CVE-2006-1721 ?

[Alexey Melnikov <alexey.melnikov@xxxxxxxxx>]

Biswatosh wrote:

> Alexei,
>
> 1)Any reason for this validation:
> (text->realm[0] != 0)) ?
>
> 2)What if, 
>         (a) realm != NULL 
>     and (b) strcmp(realm,text->realm) != 0
>     and (c) text->realm[0] == 0 ,  are all true?
> If a,b and c are true then it won't return
> SASL_BADAUTH
> and won't set error to "realm changed: authentication
> aborted". But then, has not the realm actually changed
> because of (b)? Should we not throw an error then?
>  
In practice text->realm is always non-empty string, the 
get_server_realm() function guaranties that (*).
What the code should really be doing is this:

   if (realm == NULL) {
       if (text->realm[0] != '\0') {
           SETERROR(sparams->utils,
                    "realm changed: authentication aborted");
           result = SASL_BADAUTH;
           goto FreeAllMem;
       }

   } else if ((strcmp(realm, text->realm) != 0)) {
       SETERROR(sparams->utils,
                "realm changed: authentication aborted");
       result = SASL_BADAUTH;
       goto FreeAllMem;
   }

I.e. "realm == NULL" must be treated as realm being "" (as per RFC 2831).

This is almost what is in 2.1.22. 2.1.22 contains:
   } else if ((strcmp(realm, text->realm) != 0) &&
             (text->realm[0] != 0)) {
but the second test should be removed, as it is meaningless anyway.

(*) well, it will return an empty string if params->serverFQDN is the 
empty string, but this should not happen.

> Thanks
> Biswatosh
>
> --- Alexey Melnikov <alexey.melnikov@xxxxxxxxx> wrote:
>  
>
> > Biswatosh wrote:
> >    
> >
> > > Thanks Alexei.
> > >
> > > Cud u or anybody else point out the CMU SASL page
> > > where I can get info about what to set CVSROOT to
> > >      
> > >
> > > and etc?
> > > Must I become a member of sasl-cvs? And,then what?
> > >
> > > Or,to cut it short, please just tell me the lines
> > > changed in digestmd5.c for that bug.
> > >      
> > The patch attached.
> >    
> >
> > > Index: digestmd5.c
> > >      
> ===================================================================
>  
>
> > RCS file: /cvs/src/sasl/plugins/digestmd5.c,v
> > retrieving revision 1.173
> > retrieving revision 1.175
> > diff -u -r1.173 -r1.175
> > --- digestmd5.c	29 Jul 2004 19:21:57 -0000	1.173
> > +++ digestmd5.c	27 Dec 2004 21:30:43 -0000	1.175
> > @@ -2242,7 +2242,8 @@
> >     }
> >
> >     /* Sanity check the parameters */
> > -    if (strcmp(realm, text->realm) != 0) {
> > +    if (((realm != NULL) && (strcmp(realm,
> > text->realm) != 0)) &&
> > +	(text->realm[0] != 0)) {
> > 	SETERROR(sparams->utils,
> > 		 "realm changed: authentication aborted");
> > 	result = SASL_BADAUTH;
> >