[krbdev.mit.edu #5944] SVN Commit

Tom Yu via RT rt-comment at krbdev.mit.edu
Mon Jul 14 18:12:46 EDT 2008


pull up r20304 from trunk

 r20304 at cathode-dark-space:  raeburn | 2008-04-18 15:31:47 -0400
 ticket: new
 subject: fix possible buffer overrun in handling generic-error return
 target_version: 1.6.5
 tags: pullup
 
 Jeff Altman reported this, based on a crash seen in KfW in the wild.
 
 The krb5_data handle used to describe the message field returned by the KDC is
 not null-terminated, but we use a "%s" format to incorporate it into an error
 message string.  In the right circumstances, garbage bytes can be pulled into
 the string, or a memory fault may result.
 
 However, as this is in the error-reporting part of the client-side code for
 fetching new credentials, it's a relatively minor DoS attack only, not a
 serious security exposure.  Should be fixed in the next releases, though.
 


Commit By: tlyu



Revision: 20521
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/krb/gc_via_tkt.c




More information about the krb5-bugs mailing list