MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog[CVE-2007-0957] - Kerberos

This is a discussion on MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog[CVE-2007-0957] - Kerberos ; Mike, What modifications did you make to your src/lib/kadm5/configure script? There is mention in the advisory about making changes to detect vsnprintf() but I am not exactly sure how to do that. I am not a developer but need to ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog[CVE-2007-0957]

  1. MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog[CVE-2007-0957]

    Mike,
    What modifications did you make to your src/lib/kadm5/configure script?
    There is mention in the advisory about making changes to detect
    vsnprintf() but I am not exactly sure how to do that. I am not a
    developer but need to patch our kerberos code for these 3 security issues.
    -Eddie B.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: MITKRB5-SA-2007-002: KDC,kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

    Specifically,

    ====================
    diff -Nur krb5-040307/lib/kadm5/configure krb5/lib/kadm5/configure
    --- krb5-040307/lib/kadm5/configure 2005-11-16 16:47:28.000000000 -0600
    +++ krb5/lib/kadm5/configure 2007-04-03 15:15:04.000000000 -0500
    @@ -5453,7 +5453,7 @@



    -for ac_func in openlog syslog closelog strftime vsprintf
    +for ac_func in openlog syslog closelog strftime vsprintf vsnprintf
    do
    as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
    echo "$as_me:$LINENO: checking for $ac_func" >&5
    =====================

    That's included in the patch I posted and results in -DHAVE_VSNPRINTF=1
    (at least for me it did).

    -Mike

    Edward Beuerlein wrote:
    > Mike,
    > What modifications did you make to your src/lib/kadm5/configure script?
    > There is mention in the advisory about making changes to detect
    > vsnprintf() but I am not exactly sure how to do that. I am not a
    > developer but need to patch our kerberos code for these 3 security issues.
    > -Eddie B.
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread