
Re: note to CVE-2011-0285



On Fri, Apr 15, 2011 at 02:41:45PM -0400, Tom Yu wrote:
> [following up here because I'm not sure anyone saw my note in
> #debian-security]
> 
> In
> 
>     http://security-tracker.debian.org/tracker/CVE-2011-0285
> 
> there is a note saying that the vulnerable code appears to be in
> krb5-1.6 as well.  While the error case in the process_chpw_request()
> in kadmind in 1.6 can leave the data pointer uninitialized, the error
> path in its caller will not free() that pointer (the invalid pointer
> goes out of scope without being freed), unlike in krb5-1.7 and later.
> Those later releases add support for password changing over TCP, and
> the error path in the TCP handling code is what frees the
> uninitialized pointer.

Thanks, I've added that to the tracker.

Cheers,
        Moritz

