
note to CVE-2011-0285



[following up here because I'm not sure anyone saw my note in
#debian-security]

In

    http://security-tracker.debian.org/tracker/CVE-2011-0285

there is a note saying that the vulnerable code appears to be in
krb5-1.6 as well.  While the error case in the process_chpw_request()
in kadmind in 1.6 can leave the data pointer uninitialized, the error
path in its caller will not free() that pointer (the invalid pointer
goes out of scope without being freed), unlike in krb5-1.7 and later.
Those later releases add support for password changing over TCP, and
the error path in the TCP handling code is what frees the
uninitialized pointer.
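A constructed C model of the bug class described above, added here as an illustration; it is not krb5's code, and the function names `process_chpw_request_model` and `handle_request_model` are hypothetical. It shows an out-parameter that is only assigned on the success path, and a caller that frees it on every exit; initialising the pointer to NULL before the call is what keeps the error-path free() from acting on an indeterminate value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not krb5 code): the out-parameter *data is assigned
 * only on success. On a malformed request the function returns -1 without
 * touching *data, which is the behaviour the mail attributes to 1.6. */
static int process_chpw_request_model(const char *req, char **data, size_t *len)
{
    if (req == NULL || strncmp(req, "CHPW:", 5) != 0)
        return -1;                 /* error path: *data is left as-is */
    size_t n = strlen(req + 5);
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -1;                 /* another early exit that skips *data */
    memcpy(buf, req + 5, n + 1);
    *data = buf;
    *len = n;
    return 0;
}

/* Model of a caller that owns the buffer and frees it on every exit,
 * like the TCP handling path described for 1.7 and later. With
 * "char *data;" (no initialiser) the free() below would operate on an
 * indeterminate pointer on the error path. Returns the payload length
 * on success, -1 on error. */
int handle_request_model(const char *req)
{
    char *data = NULL;             /* the fix: never leave it indeterminate */
    size_t len = 0;
    int rc = process_chpw_request_model(req, &data, &len);
    if (rc != 0) {
        free(data);                /* free(NULL) is a no-op, so this is safe */
        return -1;
    }
    /* ... reply with data/len would go here ... */
    free(data);
    return (int)len;
}

int main(void)
{
    printf("good request -> %d\n", handle_request_model("CHPW:secret"));
    printf("bad request  -> %d\n", handle_request_model("bogus"));
    return 0;
}
```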
