MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]
Tom Yu
tlyu at MIT.EDU
Tue Apr 3 16:18:24 EDT 2007
>>>>> "mikef" == Mike Friedman <mikef at ack.berkeley.edu> writes:
mikef> On Tue, 3 Apr 2007 at 14:10 (-0400), Tom Yu wrote:
>> AFFECTED SOFTWARE
>> =================
>>
>> * MIT krb5 releases through krb5-1.6
mikef> ...
>> The patch is available at
>>
>> http://web.mit.edu/kerberos/advisories/2007-002-patch.txt
mikef> Tom,
mikef> Is the above patch supposed to apply to 1.4.2? I find several large
mikef> discrepancies in the line numbers. For example, in
mikef> src/kadmin/server/misc.c, the 1.4.2 version has only 151 lines, yet the
mikef> patch refers to line 171. There are also significant differences in, for
mikef> example, src/kadmin/server/ovsec_kadmd.c. Plus minor line differences in
mikef> other modules for this patch.
mikef> Is there a different version of this patch for 1.4.2?
Your patching may be significantly simplified if you are certain that
vsnprintf() is present on your systems; in that case you may omit the
changes to files other than src/lib/kadm5/logger.c, at the expense of
sometimes losing some log data due to vsnprintf() performing
truncation. Also, it is probably wise to unconditionally call
vsnprintf() in logger.c (rather than under #ifdef HAVE_VSNPRINTF) in
that case.
krb5-1.5.x had significant changes in some of the affected kadmind and
KDC code; if there is sufficient interest, we may be able to produce
additional patches for earlier releases.
---Tom
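As an added example (not code from MIT krb5 or from the advisory patch) of the approach Tom describes: a syslog-style formatting routine that writes into a fixed stack buffer with vsnprintf() so the buffer cannot be overrun, and reports the truncation that the message says you trade for it. The buffer size, function names and sample messages are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed: the fixed-size stack buffer a klog-style logger formats
 * into. Real krb5 uses a larger buffer; 64 keeps the example short. */
#define KLOG_BUFSIZ 64

/* Format with vsnprintf() so that nothing is written past 'buf';
 * a return value >= sizeof buf means the message was cut short.
 * Copies the (possibly truncated) text into 'out' for inspection and
 * returns 1 if truncation happened, 0 if the message fit. */
static int klog_format(char *out, size_t outsz, const char *fmt, va_list ap)
{
    char buf[KLOG_BUFSIZ];
    int needed;

    needed = vsnprintf(buf, sizeof buf, fmt, ap);
    if (needed < 0) {
        buf[0] = '\0';          /* encoding error: log an empty line */
        needed = 0;
    }
    /* vsnprintf() always NUL-terminates within sizeof buf. */
    snprintf(out, outsz, "%s", buf);
    return (size_t)needed >= sizeof buf;
}

/* printf-style wrapper with the shape of a klog_syslog-like call. */
static int klog_message(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int truncated;

    va_start(ap, fmt);
    truncated = klog_format(out, outsz, fmt, ap);
    va_end(ap);
    return truncated;
}

/* Constructed oversized input: a 199-character principal name. With the
 * old unbounded formatting this would overrun the 64-byte stack buffer;
 * here it is truncated and the caller is told so. */
static int demo_long_principal(char *out, size_t outsz)
{
    char principal[200];

    memset(principal, 'A', sizeof principal - 1);
    principal[sizeof principal - 1] = '\0';
    return klog_message(out, outsz, "request for %s", principal);
}
```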