Bug#428732: [krbdev.mit.edu #5593] kadmin crashes during password changes
rra@debian.org via RT
rt-comment at krbdev.mit.edu
Mon Jul 9 15:10:55 EDT 2007
Andrew Reid <Andrew.Reid at nist.gov> writes:
> Will there be an "etch" security patch for this for amd64? The daemon
> runs as root, so there's a potential exploit opportunity, and even if
> there weren't, it's a possible DOS attack.

It's a DoS attack really more than an exploit (sign extension bugs on
internal calls that don't use user-supplied data, which I believe is a
correct characterization of this problem, are unlikely to be exploitable),
and I don't think the Debian security folks will consider it worth an
advisory. I will, however, check with the stable release managers about
uploading a fixed package for the next stable point release.

Ken, I assume from the previous bug discussion that this was already fixed
in 1.6? It looks like that file now includes k5-int.h and k5-int.h now
includes time.h.

--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>