MITKRB5-SA-2004-002: double-free vulnerabilities
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Sep 1 12:55:48 EDT 2004
*** WARNING ***
I'm going to start an exchange to try to determine whether Mike has the
correct bits and why he can't verify the signature. It should be noted
that this entire exchange is occurring over unprotected email, and so it is
a bad idea to rely on statements made by either of us like "it works for
me" or "the file has SHA-1 checksum XYZ" or "here is the file".
The _only_ way to ensure you have an unmodified copy of the patch is to
verify the PGP signature, using a known-good copy of the developer's PGP
key.
Now, on to business...
On Wednesday, September 01, 2004 08:19:33 -0700 Mike Friedman
<mikef at ack.berkeley.edu> wrote:
>> 2004-002-patch_1.2.7.txt
>> ========================
>>
>> http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt
>>
>> The associated detached PGP signature is at:
>>
>> http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt.asc
>
> I find that the PGP signature doesn't verify. Is anyone else having this
> problem?
Nope. I fetched the patch and the corresponding detached signature, and
had no problems verifying the signature. You haven't said what tools
you're using or what the error was, so let's start by considering the
possibility that the bits you have don't match the ones Tom signed...
The correct patch is 6441 bytes and 247 lines.
It has UNIX-style newlines; perhaps that is the problem.
Can you send me a hash?
-- Jeff
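The checks Jeff describes (byte count, line count, UNIX newlines, then verifying the detached signature against a known-good key) as a POSIX sh script. This is an added example, not part of the original mail or the MIT Kerberos release; it assumes GnuPG 2.x is installed, and the key fingerprint is a placeholder that must be replaced with a fingerprint obtained out of band, never one quoted in email.

```shell
#!/bin/sh
# Added example, not from the original mail. Pre-flight checks on a downloaded
# patch, then detached-signature verification pinned to one key fingerprint.

EXPECTED_BYTES=6441   # stated in the mail for 2004-002-patch_1.2.7.txt
EXPECTED_LINES=247    # stated in the mail

# check_bits FILE BYTES LINES: return 0 if FILE has exactly BYTES bytes,
# LINES newline-terminated lines, and no CR characters (UNIX newlines only).
check_bits() {
    f=$1 want_bytes=$2 want_lines=$3
    bytes=$(wc -c < "$f" | tr -d ' ')
    lines=$(wc -l < "$f" | tr -d ' ')
    stripped=$(tr -d '\r' < "$f" | wc -c | tr -d ' ')
    [ "$bytes" -eq "$want_bytes" ] || { echo "size $bytes != $want_bytes"; return 1; }
    [ "$lines" -eq "$want_lines" ] || { echo "lines $lines != $want_lines"; return 1; }
    # If stripping CRs changes the size, the file was converted to CRLF in transit.
    [ "$stripped" -eq "$bytes" ] || { echo "CRLF newlines found"; return 1; }
    return 0
}

# verify_sig FILE SIG PUBKEY FPR: import PUBKEY into a throwaway keyring and
# accept only a valid signature whose signing key fingerprint equals FPR.
# A plain "Good signature" is not enough; any imported key would produce it.
verify_sig() {
    f=$1 sig=$2 pubkey=$3 fpr=$4
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null || { rm -rf "$home"; return 1; }
    # --status-fd gives machine-readable lines; VALIDSIG carries the full fingerprint.
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$f" 2>/dev/null)
    rm -rf "$home"
    echo "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Usage: sh verify_patch.sh PATCH PATCH.asc developer-key.asc FINGERPRINT
# FINGERPRINT is a placeholder here; obtain the real one from a trusted source.
if [ $# -eq 4 ]; then
    check_bits "$1" "$EXPECTED_BYTES" "$EXPECTED_LINES" \
        && verify_sig "$1" "$2" "$3" "$4" \
        && echo "OK: bits match and signature was made by the pinned key"
fi
```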