From mikef@ack.Berkeley.EDU Wed Feb 23 17:17:55 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA25113
for <bugs@RT-11.MIT.EDU>; Wed, 23 Feb 2000 17:17:51 -0500 (EST)
Received: from ack.Berkeley.EDU by MIT.EDU with SMTP
id AA18734; Wed, 23 Feb 00 17:19:05 EST
Received: (from mikef@localhost)
by ack.Berkeley.EDU (8.9.3+Sun/8.9.3) id OAA14891
for krb5-bugs@mit.edu; Wed, 23 Feb 2000 14:17:42 -0800 (PST)
Message-Id: <200002232217.OAA14891@ack.Berkeley.EDU>
Date: Wed, 23 Feb 2000 14:17:42 -0800 (PST)
From: Mike Friedman <mikef@ack.Berkeley.EDU>
Reply-To: mikef@ack.Berkeley.EDU
To: krb5-bugs@MIT.EDU
Subject: Bug in V1.1.1

>Number: 827
>Category: krb5-kdc
>Synopsis: Printing bug in kdc/kerberos_v4.c
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Feb 23 17:18:00 EST 2000
>Last-Modified: Fri Sep 28 21:58:43 EDT 2001
>Originator: Mike Friedman
>Organization:
University of California at Berkeley
>Release: krb5-1.1.1
>Environment:
System: SunOS ks2.Berkeley.EDU 5.7 Generic_106541-08 sun4m sparc SUNW,SPARCstation-5
Architecture: sun4

>Description:
KDC can be made to crash by supplying a principal in a V4 request that
contains multiple occurrences of the string "%s". KDC logging of V4
requests uses printf (or equivalent) without a format string.
>How-To-Repeat:
Issue a V4 kinit for a principal containing the string "%s%s%s%s%s%s".
>Fix:
*** kerberos_v4.c.orig Fri Dec 17 12:46:05 1999
--- kerberos_v4.c Wed Feb 23 13:39:47 2000
***************
*** 293,299 ****
case L_APPL_REQ:
strcpy(log_text, "PROCESS_V4:");
vsprintf(log_text+strlen(log_text), format, pvar);
! krb5_klog_syslog(logpri, log_text);
/* ignore the other types... */
}
va_end(pvar);
--- 294,300 ----
case L_APPL_REQ:
strcpy(log_text, "PROCESS_V4:");
vsprintf(log_text+strlen(log_text), format, pvar);
! krb5_klog_syslog(logpri, "%s", log_text);
/* ignore the other types... */
}
va_end(pvar);
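Review bot: the hunk closes the format-string hole but leaves `vsprintf(log_text+strlen(log_text), format, pvar);` writing an unbounded, request-controlled amount into `log_text`, so an over-long principal name can still overrun the buffer; replace it with `vsnprintf(log_text + strlen(log_text), sizeof(log_text) - strlen(log_text), format, pvar);` (assuming `log_text` is a fixed-size array, as the `strcpy` of the prefix suggests) so the message is truncated instead of overflowing. The change to `krb5_klog_syslog(logpri, "%s", log_text);` is the right shape: the assembled text is now an argument, never a format.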


----------------------------------------------------------------------------
Mike Friedman mikef@ack.Berkeley.EDU
Communication & Network Services +1-510-642-1410
University of California at Berkeley http://ack.Berkeley.EDU/~mikef
----------------------------------------------------------------------------
>Audit-Trail:

From: Ken Raeburn <raeburn@MIT.EDU>
To: mikef@ack.Berkeley.EDU
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/827: Bug in V1.1.1
Date: 24 Feb 2000 17:45:16 -0500

Thanks for the report.

There's still a buffer-overrun issue in that code, unfortunately, but
that doesn't look as serious at first glance...

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Fri Sep 28 21:58:35 2001
State-Changed-Why:

fixed a while ago
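Added example (my code, not the KDC's and not the reporter's patch) showing the logging path with both corrections this record discusses: the message is passed under a fixed "%s" as in the patch, and the unbounded vsprintf is replaced by a bounded vsnprintf, which is the residual overrun the follow-up reply points at. The names klog_sink, log_v4_request and demo_overlong, the 128-byte log_text, and the sample principals are assumptions made for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Capture buffer standing in for syslog output (constructed for the demo). */
static char last_log[256];
/* Stand-in for a printf-style logger such as krb5_klog_syslog(): the second
 * argument is interpreted as a format, which is exactly why the message
 * itself must never be passed in that position. */
static void klog_sink(int pri, const char *fmt, ...)
{
    va_list ap;
    (void)pri;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Hardened logging path (hypothetical rewrite, not the KDC's code):
 * 1. the caller's format and arguments are expanded with vsnprintf into a
 *    bounded buffer, so an over-long principal is truncated, not overrun;
 * 2. the finished text is handed to the sink as an argument under a fixed
 *    "%s" format, so any "%s" inside the principal is logged literally.
 * Returns 1 if the message was truncated to fit, 0 otherwise. */
int log_v4_request(int pri, const char *format, ...)
{
    char log_text[128];
    size_t used;
    int n;
    va_list pvar;

    strcpy(log_text, "PROCESS_V4:");
    used = strlen(log_text);
    va_start(pvar, format);
    n = vsnprintf(log_text + used, sizeof log_text - used, format, pvar);
    va_end(pvar);
    klog_sink(pri, "%s", log_text);
    return n < 0 || (size_t)n >= sizeof log_text - used;
}

const char *last_logged(void) { return last_log; }

/* Constructed case: a 200-character principal, far longer than log_text. */
int demo_overlong(void)
{
    char name[201];
    memset(name, 'a', 200);
    name[200] = '\0';
    return log_v4_request(3, "principal %s", name);
}
```

With the reporter's "%s%s%s%s%s%s" principal the sink receives the literal text, and the over-long case returns the truncation flag instead of writing past log_text.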

>Unformatted: