Re: note to CVE-2011-0285
On Fri, Apr 15, 2011 at 02:41:45PM -0400, Tom Yu wrote:
> [following up here because I'm not sure anyone saw my note in
> #debian-security]
>
> In
>
> http://security-tracker.debian.org/tracker/CVE-2011-0285
>
> there is a note saying that the vulnerable code appears to be in
> krb5-1.6 as well. While the error case in the process_chpw_request()
> in kadmind in 1.6 can leave the data pointer uninitialized, the error
> path in its caller will not free() that pointer (the invalid pointer
> goes out of scope without being freed), unlike in krb5-1.7 and later.
> Those later releases add support for password changing over TCP, and
> the error path in the TCP handling code is what frees the
> uninitialized pointer.
Thanks, I've added that to the tracker.
Cheers,
Moritz
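The shape of the defect the note describes, as an added illustration rather than MIT krb5 code: a constructed model in which the request handler leaves its output pointer untouched on an early error return, and a caller modelled on the TCP path frees that pointer on every exit (function names are placeholders, and the fixed variant shows the callee-side remedy of clearing the outputs first).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern discussed in the thread; this is not
 * MIT krb5 code. chpw_request_*() stands in for process_chpw_request()
 * and tcp_handle() for the TCP caller that frees on its error path. */

/* Unfixed shape: on the early error return *data is never written. */
int chpw_request_unfixed(const char *req, char **data, size_t *len)
{
    if (req == NULL || req[0] == '\0')
        return -1;                  /* *data left uninitialized */
    *len = strlen(req);
    *data = malloc(*len + 1);
    if (*data == NULL)
        return -1;
    memcpy(*data, req, *len + 1);
    return 0;
}

/* Fixed shape: outputs are cleared before any error return, so a
 * caller's free(*data) on the error path is a harmless free(NULL). */
int chpw_request_fixed(const char *req, char **data, size_t *len)
{
    *data = NULL;
    *len = 0;
    if (req == NULL || req[0] == '\0')
        return -1;
    *len = strlen(req);
    *data = malloc(*len + 1);
    if (*data == NULL)
        return -1;
    memcpy(*data, req, *len + 1);
    return 0;
}

/* Caller modelled on the TCP path: it frees the reply buffer on every
 * exit, including the error path. Combined with chpw_request_unfixed()
 * and a bad request this is free() of an uninitialized pointer (undefined
 * behaviour), so that combination is never exercised here. Initializing
 * data to NULL in the caller would be the equivalent caller-side fix. */
int tcp_handle(const char *req, int (*process)(const char *, char **, size_t *))
{
    char *data;                     /* deliberately not initialized */
    size_t len;
    int ret = process(req, &data, &len);
    free(data);                     /* safe only if data is NULL or valid */
    return ret;
}
```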