Subject: prompter users should zero out reply data before freeing it
I've been looking at the code that calls krb5_prompter_posix() and I've
noticed that the reply data (which may contain a password) is not being
zeroed out before being freed. When I look at similar code in the
Solaris libpam I notice that the reply data is being zeroed prior to
free. This seems to be a better practice security-wise.
I suggest looking at every place a prompter is called and memset() the
reply data with 0 prior to its being freed.
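An added example (not code from this ticket or from krb5) of the zero-then-free pattern proposed above. It uses a stand-in struct assumed to mirror the data/length shape of krb5_data, a constructed secret in place of a terminal read, and a volatile-pointer scrub, because a plain memset() immediately before free() can be dropped by the optimizer as a dead store.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data (assumption: same data/length shape); length here is
 * the allocated size so the whole buffer gets scrubbed. */
typedef struct { unsigned int length; char *data; } reply_data;

/* memset() right before free() is a dead store the optimizer may drop;
 * writing through a volatile pointer keeps the zeroing in place. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Allocate a reply buffer and copy a constructed secret into it, standing in
 * for the terminal read a prompter does; returns bytes copied or -1. */
int reply_fill(reply_data *r, unsigned int size, const char *secret)
{
    size_t n = strlen(secret);
    r->length = 0;
    r->data = (n + 1 <= size) ? calloc(size, 1) : NULL;
    if (r->data == NULL)
        return -1;
    r->length = size;
    memcpy(r->data, secret, n + 1);
    return (int)n;
}

/* Scrub the reply in place; returns the number of non-zero bytes erased
 * (so a second call returns 0), or -1 if there is no buffer. */
int reply_scrub(reply_data *r)
{
    int dirty = 0;
    if (r->data == NULL)
        return -1;
    for (unsigned int i = 0; i < r->length; i++)
        dirty += (r->data[i] != 0);
    secure_zero(r->data, r->length);
    return dirty;
}

/* The pattern the report asks for: zero the reply, then free it. */
void reply_free(reply_data *r)
{
    reply_scrub(r);
    free(r->data);
    r->data = NULL;
    r->length = 0;
}
```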