Re: CVE request: Cyrus-sasl NULL ptr. dereference

[Solar Designer <solar () openwall com>]

On Fri, Jul 12, 2013 at 03:27:18PM +0000, mancha wrote:
> Starting with glibc 2.17 (eglibc 2.17), crypt() fails with
> EINVAL (w/ NULL return) if the salt violates specifications.
> Additionally, on FIPS-140 enabled Linux systems, DES/MD5-encrypted
> passwords passed to crypt() fail with EPERM (w/ NULL return).
>
> When authenticating against Cyrus-sasl via mechanisms that use
> glibc's crypt (e.g. getpwent or shadow auth. mechs), and this
> crypt() returns a NULL as glibc 2.17+ does on above-described
> input, the client crashes the authentication daemon resulting
> in a DoS.

Does this really crash the entire daemon process rather than just one of
its children (where a new one would be spawned for another request)?

I think this needs to be clarified, and the answer will affect whether
we have a security issue (CVE-worthy) or not.

Alexander