MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow

Mike Friedman mikef at ack.berkeley.edu
Tue Jun 26 17:28:29 EDT 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 26 Jun 2007 at 14:01 (-0400), Tom Yu wrote:

> This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite. The 
> krb5-1.6.1 and krb5-1.5.3 releases already contains the prerequisite 
> patch.

Tom,

When 2007-02 came out, there wasn't a version of the patch for 1.4.2, 
which I was, and am, running.  When I asked about this at the time, I was 
told the following:

    Your patching may be significantly simplified if you are certain that
    vsnprintf() is present on your systems; in that case you may omit the
    changes to files other than src/lib/kadm5/logger.c, at the expense of
    sometimes losing some log data due to vsnprintf() performing
    truncation.  Also, it is probably wise to unconditionally call
    vsnprintf() in logger.c (rather than under #ifdef HAVE_VSNPRINTF) in
    that case.

My system does support vsnprintf(), so, I followed the above advice. 
Now, I'm faced with having to install 2007-05, which has the full 2007-02 
patch as pre-requisite.

Any suggestions as to the easiest way to proceed?  I'd like at present to 
avoid significant testing of a new release if it's likely to have some 
incompatibilities.  I'm not sure what the issues are between 1.5.3 and 
1.6.1 in this regard.

If I had a version of 2007-05 that fit 1.4.2 with only the 'logger.c' 
portion of 2007-02 applied, that would, I suppose, be the best I could 
expect.  What are the chances of that?

Anyway, I seem to be in a bind.  Is there a way I can get 2007-05 on 
without too much effort at this point?

Thanks.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at ack.Berkeley.EDU               2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://socrates.berkeley.edu/~mikef  http://ist.berkeley.edu
_________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBRoGFAK0bf1iNr4mCEQIzaACcDQjx3SuNUhIr4EUU+kJ55U6AJdEAnicY
i7hzccZaRmlCpbH3YGHfsTq0
=LiR0
-----END PGP SIGNATURE-----

More information about the Kerberos mailing list