Bug in set/change password client library

Russ Allbery rra at stanford.edu
Thu May 5 12:45:19 EDT 2011

Greg Hudson <ghudson at MIT.EDU> writes:
> On Wed, 2011-05-04 at 23:08 -0400, Russ Allbery wrote:

>> There's a bug in the set/change password client library in at least
>> Kerberos 1.9 with the parsing of a reply from a server if the reply is
>> longer than 255 bytes.

> This bug isn't present on trunk, because r24899 consolidated the chpw
> and setpw reply parsing and used the (correct) chpw code as the basis.

> Does this bug occur in practice?  Is it worth making a fix for 1.9 or
> earlier?

I discovered it while trying to get the bottom of why we had to use a
workaround in WebAuth to treat all "message stream modified" errors as
password strength checking failures.  When using Heimdal kpasswdd with an
external strength checking program, the error message on failure is always
long enough to trigger this bug.  It's not a huge deal, since it's "just"
an error reporting bug, but a fix in a 1.9 point release seems like it
might be a good idea.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the krbdev mailing list