Skip Menu |
 

From: raeburn@mit.edu
Subject: SVN Commit

Jeff Altman reported this, based on a crash seen in KfW in the wild.

The krb5_data handle used to describe the message field returned by the KDC is
not null-terminated, but we use a "%s" format to incorporate it into an error
message string. In the right circumstances, garbage bytes can be pulled into
the string, or a memory fault may result.

However, as this is in the error-reporting part of the client-side code for
fetching new credentials, it's a relatively minor DoS attack only, not a
serious security exposure. Should be fixed in the next releases, though.

Commit By: raeburn



Revision: 20304
Changed Files:
U trunk/src/lib/krb5/krb/gc_via_tkt.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r20304 from trunk

r20304@cathode-dark-space: raeburn | 2008-04-18 15:31:47 -0400
ticket: new
subject: fix possible buffer overrun in handling generic-error return
target_version: 1.6.5
tags: pullup

Jeff Altman reported this, based on a crash seen in KfW in the wild.

The krb5_data handle used to describe the message field returned by the KDC is
not null-terminated, but we use a "%s" format to incorporate it into an error
message string. In the right circumstances, garbage bytes can be pulled into
the string, or a memory fault may result.

However, as this is in the error-reporting part of the client-side code for
fetching new credentials, it's a relatively minor DoS attack only, not a
serious security exposure. Should be fixed in the next releases, though.



Commit By: tlyu



Revision: 20521
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/krb/gc_via_tkt.c