MITKRB5-SA-2004-002: double-free vulnerabilities

Jeffrey Hutzelman jhutz at
Wed Sep 1 12:55:48 EDT 2004

*** WARNING ***

I'm going to start an exchange to try to determine whether Mike has the 
correct bits and why he can't verify the signature.  It should be noted 
that this entire exchange is occuring over unprotected email, and so it is 
a bad idea to rely on statements made by either of us like "it works for 
me" or "the file has SHA-1 checksum XYZ" or "here is the file".

The _only_ way to ensure you have an unmodified copy of the patch is to 
verify the PGP signature, using a known-good copy of the developer's PGP 

Now, on to business...

On Wednesday, September 01, 2004 08:19:33 -0700 Mike Friedman 
<mikef at> wrote:

>> 2004-002-patch_1.2.7.txt
>> ========================
>>   The associated detached PGP signature is at:
> I find that the PGP signature doesn't verify.  Is anyone else having this
> problem?

Nope.  I fetched the patch and the corresponding detached signature, and 
had no problems verifying the signature.  You haven't said what tools 
you're using or what the error was, so let's start by considering the 
possibility that the bits you have don't match the ones Tom signed...

The correct patch is 6441 bytes and 247 lines.
It has UNIX-style newlines; perhaps that is the problem.
Can you send me a hash?

-- Jeff

More information about the Kerberos mailing list