Re: krb5.conf ' # ' in realms section can cause ssh to segv
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Wed Jul 13 16:44:28 2005
Message-ID: <42D57CFD.1090101@sxw.org.uk>
Date: Wed, 13 Jul 2005 21:43:41 +0100
From: Simon Wilkinson <simon@sxw.org.uk>
MIME-Version: 1.0
To: Troy Benjegerdes <hozer@hozed.org>
In-Reply-To: <20050713195610.GJ16924@kalmia.hozed.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Troy Benjegerdes wrote:
>
> Is this a potential security issue? Granted, if you can edit krb5.conf,
> you can do a lot of other stuff.. but a segv is pretty bad behavior.
You've not really provided enough information to track this down. The
stack trace doesn't have any symbols, and you haven't even said which
version of krb5 or ssh you're running. You've also not provided any
debugging dumps from the ssh client which would help show where the
error is occurring.
If you could let me know those things, I can probably trace this a bit
better. My rough guess is that the client's first call into init_context
is failing, due to the bad configuration. It's then trying to release a
buffer that hasn't been allocated, and so is seg faulting.
I don't think this is a security issue - it's client side, rather than
server side, the error isn't as a result of bad incoming data, and ssh
doesn't run with elevated privilege.
If you can provide more information though, and you're running OpenSSH
with my patches, or code derived from them, it would be good to fix this.
Cheers,
Simon.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos