[krbdev.mit.edu #5853] apparent uninit length in ftpd.c:reply() [CVE-2007-5894]
Tom Yu via RT
rt-comment at krbdev.mit.edu
Wed Dec 12 13:40:00 EST 2007
This is one of the Venustech AD-LAB alleged vulnerabilities.
CVE-2007-5894
http://bugs.gentoo.org/show_bug.cgi?id=199205
This is not a vulnerability, and only a stylistic bug. The alleged
vulnerability consists of reading an uninitialized variable, "length",
in the reply() function in src/appl/gssftp/ftpd/ftpd.c.

    /* Other auth types go here ... */
    if (length >= sizeof(in) / 4 * 3) {
        syslog(LOG_ERR, "input to radix_encode too long");
        fputs(in, stdout);
    } else if ((kerror = radix_encode(out, in, &length, 0))) {
        syslog(LOG_ERR, "Couldn't encode reply (%s)",
               radix_error(kerror));
        fputs(in,stdout);

The "length" variable is only uninitialized if "auth_type" is neither
the "KERBEROS_V4" nor "GSSAPI"; this condition cannot occur in the
unmodified source code. While the remote user can set the string in
"auth_type", this may only occur by way of the auth_data() function,
which will only set "auth_type" if it exactly matches one of the
aforementioned two strings.
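
A simplified model of the control flow described in this message, as an added example that is not the krb5 source and not part of the original post. It shows why the exact-match gate keeps the uninitialized read unreachable, and how initializing "length" plus an explicit fallback branch removes the stylistic issue. The names set_auth_type(), protect() and reply_length() are hypothetical, and treating auth_type as NULL until a mechanism is accepted is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the server's auth_type; assumed NULL until set. */
static const char *auth_type = NULL;

/* Models the gate described above: only an exact match sets auth_type. */
int set_auth_type(const char *requested)
{
    if (strcmp(requested, "KERBEROS_V4") == 0) {
        auth_type = "KERBEROS_V4";
        return 1;
    }
    if (strcmp(requested, "GSSAPI") == 0) {
        auth_type = "GSSAPI";
        return 1;
    }
    return 0;                       /* rejected: auth_type is left unchanged */
}

/* Constructed placeholder for the per-mechanism message protection step. */
static size_t protect(const char *msg) { return strlen(msg); }

/* Returns the length to pass to the encoder, or -1 to send the text as is. */
long reply_length(const char *msg, size_t inbuf_size)
{
    size_t length = 0;              /* initialized, so no path reads garbage */

    if (auth_type == NULL)
        return -1;                  /* no mechanism negotiated */
    if (strcmp(auth_type, "KERBEROS_V4") == 0)
        length = protect(msg);
    else if (strcmp(auth_type, "GSSAPI") == 0)
        length = protect(msg);
    else
        return -1;                  /* unreachable via set_auth_type() */

    if (length >= inbuf_size / 4 * 3)
        return -1;                  /* "input to radix_encode too long" */
    return (long)length;
}

int main(void)
{
    /* An unknown mechanism is refused, so the reply stays unencoded. */
    return (set_auth_type("OTHER") == 0 && reply_length("230 ok", 1024) == -1) ? 0 : 1;
}
```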