[krbdev.mit.edu #5944] SVN Commit
Ken Raeburn via RT
rt-comment at krbdev.mit.edu
Fri Apr 18 15:31:56 EDT 2008
Jeff Altman reported this, based on a crash seen in KfW in the wild.
The krb5_data handle used to describe the message field returned by the KDC is
not null-terminated, but we use a "%s" format to incorporate it into an error
message string. In the right circumstances, garbage bytes can be pulled into
the string, or a memory fault may result.
However, as this is in the error-reporting part of the client-side code for
fetching new credentials, it's a relatively minor DoS attack only, not a
serious security exposure. Should be fixed in the next releases, though.
Commit By: raeburn
Revision: 20304
Changed Files:
U trunk/src/lib/krb5/krb/gc_via_tkt.c
More information about the krb5-bugs
mailing list