[16086] in Kerberos-V5-bugs
[krbdev.mit.edu #8717] racecondition in posix platformAccess code
daemon@ATHENA.MIT.EDU (Dhiraj Mishra via RT)
Thu Jul 26 12:50:19 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Dhiraj Mishra via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8717@krbdev.mit.edu>
Message-ID: <rt-8717-48725.5.02393248033748@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8717'":;
Date: Thu, 26 Jul 2018 12:50:12 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Dear Team,
File: localauth_k5login.c#L110
I believe this indicates a security flaw, If an attacker can change
anything along the path between the call access() and the files actually
used, attacker may exploit the race condition or a time-of-check,
time-of-use race condition, request team to please have a look and
validate.
Thank you
--
Regards
*Dhiraj Mishra.*GPG ID : 51720F56 | Finger Print : 1F6A FC7B 05AA CF29
8C1C ED65 3233 4D18 5172 0F56
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs