MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

Mike Dopheide dopheide at ncsa.uiuc.edu
Tue Apr 3 17:50:18 EDT 2007


Specifically,

====================
diff -Nur krb5-040307/lib/kadm5/configure krb5/lib/kadm5/configure
--- krb5-040307/lib/kadm5/configure     2005-11-16 16:47:28.000000000 -0600
+++ krb5/lib/kadm5/configure    2007-04-03 15:15:04.000000000 -0500
@@ -5453,7 +5453,7 @@



-for ac_func in openlog syslog closelog strftime vsprintf
+for ac_func in openlog syslog closelog strftime vsprintf vsnprintf
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5
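Review bot: the `vsnprintf` added to the `for ac_func in ...` list is an edit to the generated `lib/kadm5/configure` script itself, so it will be lost the next time that script is regenerated with autoconf. Make the same addition to the function-check list in the autoconf input that produces this script (the `AC_CHECK_FUNCS` call, assuming that is how this list is generated). After running configure, confirm that `HAVE_VSNPRINTF` is actually defined for the build, because this hunk only adds the probe and does not show the code that tests the macro.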
=====================

That's included in the patch I posted and results in -DHAVE_VSNPRINTF=1 
(at least for me it did).

-Mike

Edward Beuerlein wrote:
> Mike,
> What modifications did you make to your src/lib/kadm5/configure script?
>  There is mention in the advisory about making changes to detect
> vsnprintf() but I am not exactly sure how to do that.  I am not a
> developer but need to patch our kerberos code for these 3 security issues.
> -Eddie B.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 


