Ticket History #5853: apparent uninit length in ftpd.c:reply() [CVE-2007-5894]

This is one of the Venustech AD-LAB alleged vulnerabilities.

CVE-2007-5894
http://bugs.gentoo.org/show_bug.cgi?id=199205

This is not a vulnerability, and only a stylistic bug. The alleged
vulnerability consists of reading an uninitialized variable, "length",
in the reply() function in src/appl/gssftp/ftpd/ftpd.c.

1878 /* Other auth types go here ... */
1879 if (length >= sizeof(in) / 4 * 3) {
1880 syslog(LOG_ERR, "input to radix_encode too long");
1881 fputs(in, stdout);
1882 } else if ((kerror = radix_encode(out, in, &length, 0))) {
1883 syslog(LOG_ERR, "Couldn't encode reply (%s)",
1884 radix_error(kerror));
1885 fputs(in,stdout);

The "length" variable is only uninitialized if "auth_type" is neither
the "KERBEROS_V4" nor "GSSAPI"; this condition cannot occur in the
unmodified source code. While the remote user can set the string in
"auth_type", this may only occur by way of the auth_data() function,
which will only set "auth_type" if it exactly matches one of the
aforementioned two strings.

pull up r20182 from trunk

r20182@cathode-dark-space: tlyu | 2007-12-14 00:14:11 -0500
ticket: 5853
target_version: 1.6.4
tags: pullup

fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()



Commit By: tlyu



Revision: 20183
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/appl/gssftp/ftpd/ftpd.c