[16777] in Kerberos-V5-bugs
[krbdev.mit.edu #9022] Potential integer overflows
daemon@ATHENA.MIT.EDU (Kihong Heo via RT)
Mon Aug 2 23:07:47 2021
From: "Kihong Heo via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To: <8F1D64AB-AB14-4290-95DD-0D108D796AC2@gmail.com>
Message-ID: <rt-4.4.3-2-3053137-1627960056-1122.9022-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9022":;
Date: Mon, 02 Aug 2021 23:07:37 -0400
MIME-Version: 1.0
Reply-To: rt-comment@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krb5-bugs-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Mon Aug 02 23:07:36 2021: Request 9022 was acted upon.
Transaction: Ticket created by kihong.heo@gmail.com
Queue: krb5
Subject: Potential integer overflows
Owner: Nobody
Requestors: kihong.heo@gmail.com
Status: new
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9022 >
Dear Kerberos developers,
It seems that there exist several potential integer overflows that can lead to buffer overflows. Please find the following description:
In the latest version of Kerberos (1.19.2),
1. src/kadmin/dbutil/dump.c:660: fscanf reads arbitrarily large integers into u1, u2, …
2. src/kadmin/dbutil/dump.c:671: Call to malloc with the large integer plus one can return a non-null yet invalid address according to the standard.
3. src/kadmin/dbutil/dump.c:685: Call to calloc with the large integer can cause a memory allocation with an overflowed integer
Best,
Kihong
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
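The three findings above share one pattern: a count is read from a text record with no upper bound, then used in size arithmetic that can wrap before it reaches malloc or calloc. The C below is an added illustration of that pattern and of the check a reviewer would want; it is constructed for this page, not code from krb5's dump.c, and the field strings, the MAX_COUNT cap and the uint32_t element type are assumptions.

```c
/* Added example, not krb5 code: an unbounded count from a text field
 * versus a parser that validates the count before any size is derived. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a count in this record format (not a krb5 value). */
#define MAX_COUNT 65536u

/* Vulnerable pattern: "%u" accepts any value up to UINT_MAX, and the
 * n + 1 passed to malloc (or calloc) is computed in wrapping arithmetic.
 * For n == UINT_MAX the result is 0: malloc(0) may return a non-NULL
 * pointer that cannot hold the n items the caller then tries to write. */
int unsafe_count_plus_one(const char *field, unsigned int *count_plus_one)
{
    unsigned int n;
    if (sscanf(field, "%u", &n) != 1)
        return -1;
    *count_plus_one = n + 1;    /* wraps to 0 when n == UINT_MAX */
    return 0;
}

/* Hardened pattern: parse with strtoul, reject signs, trailing junk and
 * out-of-range input, cap the count, and check each size computation.
 * On success *count_plus_one is safe for malloc(*count_plus_one) and
 * *elem_bytes is safe for calloc-style allocation of uint32_t elements. */
int safe_count_sizes(const char *field, size_t *count_plus_one, size_t *elem_bytes)
{
    const char *p = field;
    char *end;
    unsigned long v;

    while (isspace((unsigned char)*p))
        p++;
    if (*p == '-' || *p == '+')
        return -1;                      /* strtoul would silently accept "-1" as ULONG_MAX */

    errno = 0;
    v = strtoul(p, &end, 10);
    if (end == p || *end != '\0' || errno == ERANGE)
        return -1;                      /* empty, trailing characters, or out of range */
    if (v > MAX_COUNT)
        return -1;                      /* larger than the format can legitimately need */

    /* Belt and braces: with the cap above these cannot trigger, but they
     * keep the arithmetic safe if the cap is ever raised or removed. */
    if (v > SIZE_MAX - 1)
        return -1;
    if (v > SIZE_MAX / sizeof(uint32_t))
        return -1;

    *count_plus_one = (size_t)v + 1;
    *elem_bytes = (size_t)v * sizeof(uint32_t);
    return 0;
}

int main(void)
{
    /* Constructed input: the largest value "%u" will store. */
    char field[32];
    unsigned int wrapped;
    size_t n1, bytes;

    snprintf(field, sizeof field, "%u", UINT_MAX);
    if (unsafe_count_plus_one(field, &wrapped) == 0)
        printf("unsafe: n+1 for %s wraps to %u\n", field, wrapped);
    if (safe_count_sizes(field, &n1, &bytes) != 0)
        printf("safe: %s rejected before any allocation\n", field);
    if (safe_count_sizes("5", &n1, &bytes) == 0)
        printf("safe: count 5 -> malloc(%zu), %zu bytes of elements\n", n1, bytes);
    return 0;
}
```

The cap is what makes the check meaningful in practice: a count far beyond what a dump record could contain is rejected as malformed input rather than allowed to reach the allocator, and the SIZE_MAX checks only guard the arithmetic if someone later loosens that cap.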