From maetrics@realwarp.net Sun Jan 13 08:01:49 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id IAA15319
for <bugs@RT-11.mit.edu>; Sun, 13 Jan 2002 08:01:49 -0500 (EST)
Received: from nsa.realwarp.net (dsl092-217-228.nyc1.dsl.speakeasy.net [66.92.217.228])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with SMTP id IAA27252
for <krb5-bugs@mit.edu>; Sun, 13 Jan 2002 08:01:48 -0500 (EST)
Received: (qmail 6566 invoked from network); 12 Jan 2002 21:53:04 -0000
Received: from dsl092-217-225.nyc1.dsl.speakeasy.net (HELO realwarp.net) (66.92.217.225)
by 10.0.0.5 with SMTP; 12 Jan 2002 21:53:04 -0000
Message-Id: <3C414DB1.40005@realwarp.net>
Date: Sun, 13 Jan 2002 04:04:49 -0500
From: Chris Gragsone <maetrics@realwarp.net>
To: "Replugge [Rod]" <replugge@alcoholico.org>
Cc: bugtraq@securityfocus.com, krb5-bugs@mit.edu
Subject: Re: Kerberos 5 ftp client Core Dump
References: <1010739498.19750.1286.camel@puma.trustix.com>

>Number: 1042
>Category: krb5-clients
>Synopsis: Re: Kerberos 5 ftp client Core Dump
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Jan 13 08:02:01 EST 2002
>Last-Modified: Thu Apr 4 16:43:30 EST 2002
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: hartmans
Responsible-Changed-When: Thu Apr 4 16:43:26 2002
Responsible-Changed-Why:

>Unformatted:
kerberos 5 gssft 1.2.2

the problem is that "~{" is globbed, then passed to strcmp without any
checking.

once ~{ is ftpglob()'d it returns as a NULL, which when passed to strcmp
causes a coredump

the following might be a decent patch.

on ftp.c:842
replace
if (!globulize(&argv[2])) {
with
if (!globulize(&argv[2]) || (argv[2] == NULL)) {

this will solve the current core dump. The problem is that there may be
other code which depends on a sanitized glob'd argument, which means
glob.c needs a few sanitizing functions and error messages.
Replugge [Rod] wrote:

> A problem exists in the ftp client provided by Kerberos 5 1.2.2,
> kerberos 5 ftp client is provided by the rpm package
> krb5-workstation-1.2.2-12.
>
> I tested this on Redhat 7.1 i386/alpha ...
>
> # ftp localhost
> Connected to localhost.localdomain.
> 220 testbox.something.com FTP server (Version wu-2.6.1-16.7x.1) ready.
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (localhost:user1): anonymous
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get ~{
> remote: ~{
> Segmentation fault
>
>
> Strace:
>
> read(0, get ~{
> "get ~{\n", 1024) = 7
> write(1, "remote: ~{\n", 11remote: ~{
> ) = 11
> rt_sigaction(SIGINT, {0x8053070, [INT], SA_RESTART|0x4000000},
> {0x80576b0, [INT], SA_RESTART|0x4000000}, 8) = 0
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++
>
>
>
> --
> /*
> Rodrigo Gutierrez <rodrigo@trustix.com>
> Trustix AS - http://www.trustix.com
> */
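As an added example (not the krb5 ftp code, nor either poster's), the following C models the failure the report describes and the proposed fix: a stand-in for globulize() that reports success while leaving the argument NULL when "~{" expands to nothing, the original guard `if (!globulize(&argv[2]))` that lets that NULL reach strcmp(), and the guard with the suggested `|| (argv[2] == NULL)` check. The glob stand-in's behaviour and the remote/local name comparison are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ftpglob(): returns a NULL-terminated list of expansions.
 * Constructed behaviour for this example: "~{" expands to nothing (an
 * empty list), as the report describes; any other pattern is returned
 * unchanged as its own single match. */
static char **model_ftpglob(char *pattern)
{
	char **list = calloc(2, sizeof *list);	/* [0]=match, [1]=terminator */
	if (list == NULL)
		return NULL;
	if (strcmp(pattern, "~{") != 0)
		list[0] = pattern;
	return list;
}

/* Stand-in for globulize(): reports success (1) whenever no glob *error*
 * occurred, even if the expansion is empty, so *cpp can come back NULL. */
static int model_globulize(char **cpp)
{
	char **globbed = model_ftpglob(*cpp);
	if (globbed == NULL)
		return 0;		/* only an allocation failure counts as an error */
	*cpp = globbed[0];		/* NULL for an empty expansion */
	free(globbed);
	return 1;
}

/* The original guard, "if (!globulize(&argv[2]))".  Returns 1 when it
 * would let a NULL argv[2] through to strcmp(), i.e. the crash case. */
int original_guard_passes_null(const char *local_pattern)
{
	char *arg = (char *)local_pattern;
	return model_globulize(&arg) && arg == NULL;
}

/* The guard with the proposed fix, followed by the comparison that used
 * to crash.  Returns 0 if the argument is rejected, 1 if the transfer can
 * proceed, 2 if it can proceed and local and remote names are identical. */
int get_with_fixed_guard(const char *remote, const char *local_pattern)
{
	char *arg = (char *)local_pattern;
	if (!model_globulize(&arg) || arg == NULL) {
		fprintf(stderr, "%s: no match\n", local_pattern);
		return 0;
	}
	return strcmp(remote, arg) == 0 ? 2 : 1;	/* arg is non-NULL here */
}
```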