CVE 2004-0884
The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
Related bugs and status
CVE-2004-0884 (Candidate) is related to these bugs:
Bug #8636: libsasl2: re-entrance when used with libnss-ldap
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 8636 | libsasl2: re-entrance when used with libnss-ldap | cyrus-sasl2 (Ubuntu) | Medium | Fix Released | ||
| 8636 | libsasl2: re-entrance when used with libnss-ldap | cyrus-sasl2 (Debian) | Unknown | Fix Released | ||
Bug #8883: cyrus-sasl2: Local privilege escalation on setuid environment (CAN-2004-0884)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 8883 | cyrus-sasl2: Local privilege escalation on setuid environment (CAN-2004-0884) | cyrus-sasl2 (Ubuntu) | High | Fix Released | ||
| 8883 | cyrus-sasl2: Local privilege escalation on setuid environment (CAN-2004-0884) | cyrus-sasl2 (Debian) | Unknown | Fix Released | ||
Bug #9127: fixed cyrus packages break sendmail
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 9127 | fixed cyrus packages break sendmail | cyrus-sasl2 (Ubuntu) | Medium | Invalid | ||
| 9127 | fixed cyrus packages break sendmail | cyrus-sasl2 (Debian) | Unknown | Fix Released | ||
Bug #10608: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 10608 | cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13 | cyrus21-imapd (Ubuntu) | High | Fix Released | ||
| 10608 | cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13 | cyrus21-imapd (Debian) | Unknown | Fix Released | ||
Bug #15288: cyrus-sasl2: FTBFS (amd64/gcc-4.0): static declaration of 'global_callbacks' follows non-static declaration
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 15288 | cyrus-sasl2: FTBFS (amd64/gcc-4.0): static declaration of 'global_callbacks' follows non-static declaration | Ubuntu | High | Fix Released | ||
| 15288 | cyrus-sasl2: FTBFS (amd64/gcc-4.0): static declaration of 'global_callbacks' follows non-static declaration | Debian | Unknown | Fix Released | ||
Bug #23446: FTBFS: Syntax error before MD5_CTX
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 23446 | FTBFS: Syntax error before MD5_CTX | cyrus-sasl2 (Ubuntu) | High | Fix Released | ||
| 23446 | FTBFS: Syntax error before MD5_CTX | cyrus-sasl2 (Debian) | Unknown | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
