487251: CVE-2009-0688 cyrus-sasl: sasl_encode64() does not reliably null-terminate its output

The MITRE CVE dictionary describes this issue as:

Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

Find out more about CVE-2009-0688 from the MITRE CVE dictionary and NIST NVD.


The upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux. Therefore, there is no plan to address this problem directly in cyrus-sasl packages.
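The flaw described above is a contract problem: sasl_encode64() writes a NUL terminator only when space is left after the encoded text, so a caller that sizes the output buffer to exactly the encoded length and then treats the result as a C string reads past the end. The following stand-alone C example is added here and is not Cyrus SASL's or Red Hat's code; demo_encode64() is an assumed name for a reimplementation of that documented contract (same parameters as sasl_encode64(): in, inlen, out, outmax, outlen; constructed return-code stand-ins), and encode64_cstring() shows the caller-side hardening of reserving room for the NUL and terminating at outlen.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the SASL_OK / SASL_BUFOVER return codes. */
#define DEMO_SASL_OK 0
#define DEMO_SASL_BUFOVER (-4)

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Reimplementation (not libsasl2's code) of the contract the advisory
 * describes: the NUL is written only if space remains after the encoded
 * text, so an exactly sized buffer comes back unterminated. */
int demo_encode64(const char *in, unsigned inlen, char *out,
                  unsigned outmax, unsigned *outlen)
{
    unsigned need = ((inlen + 2) / 3) * 4, i, o = 0;
    if (outmax < need) return DEMO_SASL_BUFOVER;   /* no room for the data */
    for (i = 0; i < inlen; i += 3) {
        unsigned v = (unsigned char)in[i] << 16;
        if (i + 1 < inlen) v |= (unsigned char)in[i + 1] << 8;
        if (i + 2 < inlen) v |= (unsigned char)in[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? b64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? b64[v & 63] : '=';
    }
    if (o < outmax) out[o] = '\0';   /* terminator only when it fits */
    if (outlen) *outlen = o;         /* always reported: the safe length */
    return DEMO_SASL_OK;
}

/* Caller-side hardening: allocate one byte beyond the encoded length and
 * terminate at *outlen yourself instead of trusting the library to do it.
 * Returns a malloc'd C string, or NULL on failure (caller frees). */
char *encode64_cstring(const char *in, unsigned inlen)
{
    unsigned need = ((inlen + 2) / 3) * 4, outlen = 0;
    char *out = malloc((size_t)need + 1);              /* +1 for the NUL */
    if (!out) return NULL;
    if (demo_encode64(in, inlen, out, need + 1, &outlen) != DEMO_SASL_OK) {
        free(out);
        return NULL;
    }
    out[outlen] = '\0';                      /* terminate unconditionally */
    return out;
}
```

Passing a buffer of exactly `need` bytes reproduces the unterminated case: the call succeeds and reports `outlen`, but nothing marks the end of the string.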

All applications shipped in Red Hat Enterprise Linux that use the affected sasl_encode64() function were investigated and patched where their use of the function could have security consequences. See the following bug report for further details:

CVSS v2 metrics

Base Score: 6.4
Base Metrics: AV:N/AC:L/Au:N/C:P/I:N/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Red Hat Enterprise Linux 4 (cyrus-imapd): RHSA-2009:1116, released 2009-06-18
Red Hat Enterprise Linux 5 (cyrus-imapd): RHSA-2009:1116, released 2009-06-18

CVE description copyright © 2017, The MITRE Corporation