krb5.conf ' # ' in realms section can cause ssh to segv
Troy Benjegerdes
hozer at hozed.org
Wed Jul 13 18:27:12 EDT 2005
On Wed, Jul 13, 2005 at 09:43:41PM +0100, Simon Wilkinson wrote:
> Troy Benjegerdes wrote:
> >
> > Is this a potential security issue? Granted, if you can edit krb5.conf,
> > you can do a lot of other stuff.. but a segv is pretty bad behavior.
>
> You've not really provided enough information to track this down. The
> stack trace doesn't have any symbols, and you haven't even said which
> version of krb5 or ssh you're running. You've also not provided any
> debugging dumps from the ssh client which would help show where the
> error is occurring.
>
> If you could let me know those things, I can probably trace this a bit
> better. My rough guess is that the client's first call into init_context
> is failing, due to the bad configuration. It's then trying to release a
> buffer that hasn't been allocated, and so is seg faulting.
>
> I don't think this is a security issue - it's client side, rather than
> server side, the error isn't as a result of bad incoming data, and ssh
> doesn't run with elevated privilege.
>
> If you can provide more information though, and you're running OpenSSH
> with my patches, or code derived from them, it would be good to fix this.
Debian-powerpc, running sarge:
ii libkrb53 1.3.6-3 MIT Kerberos runtime libraries
ii ssh-krb5 3.8.1p1-8 Secure rlogin/rsh/rcp replacement
I also know the segv occurred immediately after opening /etc/krb5.conf,
but the strace log is gone from my scrollback.
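The failure mode Simon guesses at above (init_context failing on the bad config, then the client releasing a buffer that was never allocated) and the defensive pattern that avoids it, as an added C example. This is not MIT krb5 or OpenSSH code: ctx_t, init_context, free_context and client_run are hypothetical stand-ins, and the two krb5.conf fragments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a Kerberos context handle (not MIT krb5's). */
typedef struct { char default_realm[64]; } ctx_t;

/* Constructed krb5.conf fragments; the second has a stray " # " in [realms]. */
static const char GOOD_CONF[] =
    "[libdefaults]\n default_realm = EXAMPLE.COM\n"
    "[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n";
static const char BAD_CONF[] =
    "[libdefaults]\n default_realm = EXAMPLE.COM\n"
    "[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com # primary\n }\n";

/* Toy init_context: scans the config line by line and fails (leaving *out
 * NULL) when " # " appears inside the [realms] section. Returns 0 on success. */
int init_context(ctx_t **out, const char *conf) {
    *out = NULL;                 /* the caller's handle is defined even on failure */
    int in_realms = 0;
    const char *line = conf;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *hit = strstr(line, " # ");
        if (line[0] == '[')
            in_realms = (strncmp(line, "[realms]", 8) == 0);
        else if (in_realms && hit && (!nl || hit < nl))
            return 1;            /* parse error in the realms section */
        line = nl ? nl + 1 : line + strlen(line);
    }
    ctx_t *c = calloc(1, sizeof *c);
    if (!c) return 2;
    snprintf(c->default_realm, sizeof c->default_realm, "EXAMPLE.COM");
    *out = c;
    return 0;
}

/* Release tolerates NULL (free(NULL) is a no-op), so a failed init followed
 * by cleanup cannot touch an unallocated buffer. */
void free_context(ctx_t *c) { free(c); }

/* Client flow with the fix: the handle starts NULL, init's return code is
 * checked, and the context is released only if init succeeded. */
int client_run(const char *conf) {
    ctx_t *ctx = NULL;           /* suspected bug: an uninitialized handle here */
    int ret = init_context(&ctx, conf);
    if (ret != 0) {
        fprintf(stderr, "init_context failed (%d); nothing to release\n", ret);
        return ret;
    }
    printf("default realm: %s\n", ctx->default_realm);
    free_context(ctx);
    return 0;
}
```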