UBUNTU-CVE-2013-4122

Source
https://ubuntu.com/security/CVE-2013-4122
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-4122.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2013-4122
Upstream
Related
  • USN-1988-1
  • USN-2755-1
Withdrawn
2025-07-18T16:42:54Z
Published
2013-07-18T00:00:00Z
Modified
2026-02-04T04:11:48.542019Z
Severity
  • Ubuntu - medium
Summary
[none]
Details

Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle the case in which the crypt function, as implemented in glibc 2.17 and later, returns NULL on error. This allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 mode is enabled, (2) a DES or (3) an MD5 encrypted password, any of which triggers a NULL pointer dereference.

References

Affected packages

Ubuntu:14.04:LTS / cyrus-sasl2

Package

Name
cyrus-sasl2
Purl
pkg:deb/ubuntu/cyrus-sasl2@2.1.25.dfsg1-17?arch=source&distro=trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.25.dfsg1-17

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cyrus-sasl2-dbg",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "cyrus-sasl2-doc",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "cyrus-sasl2-heimdal-dbg",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "cyrus-sasl2-mit-dbg",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-2",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-dev",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules-db",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules-gssapi-heimdal",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules-gssapi-mit",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules-ldap",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules-otp",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "libsasl2-modules-sql",
            "binary_version": "2.1.25.dfsg1-17"
        },
        {
            "binary_name": "sasl2-bin",
            "binary_version": "2.1.25.dfsg1-17"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-4122.json"