MITKRB5-SA-2004-002: double-free vulnerabilities

Mike Friedman mikef at ack.Berkeley.EDU
Wed Sep 1 13:06:49 EDT 2004

On Wed, 1 Sep 2004 at 13:44 (-0300), Andreas wrote:

> On Wed, Sep 01, 2004 at 08:19:33AM -0700, Mike Friedman wrote:
>>> 2004-002-patch_1.2.7.txt
>>> ========================
>>>   The associated detached PGP signature is at:
>> I find that the PGP signature doesn't verify.  Is anyone else having
>> this problem?
> Just downloaded both with wget and the signature checks out OK for me.

Hmm.  I just installed wget and then downloaded the 1.3.4 version of the
patch (which I've decided to use instead of 1.2.7).  The signature still
doesn't verify!  In fact, the file I downloaded with wget is identical to
the one I downloaded using 'lynx -source'.

I have no trouble verifying the asn1 (MITKRB5-SA-2004-003) patch with PGP.
Why can't I get -002 to verify?

Any other ideas?  I'm doing this on Solaris 8, using PGP 6.5.8.



Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley

More information about the Kerberos mailing list