[16984] in Kerberos-V5-bugs
[krbdev.mit.edu #9150] [Comment] libdb2 does not adequately validate
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Nov 4 18:32:35 2024
From: "Greg Hudson via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To: <CAF0FeX1ALfMAosTLA8a-rDc9gijzQawAF5AaOMADcDWPE4D2WQ@mail.gmail.com>
Message-ID: <rt-4.4.3-2-2522926-1730763143-534.9150-8-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9150":;
Date: Mon, 04 Nov 2024 18:32:23 -0500
http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9150
This is a comment. It is not sent to the Requestor(s):

This came in as a series of apparent static analysis reports. A second report
noted a second tainting issue in the same function. Everything used in the
bpages calculation at line 169 comes from the database file without
validation, which means the memset() at line 174 could exceed the bounds of
hashp->mapp for a variety of reasons.

This isn't a security issue because KDB metadata is trusted input, and this
isn't likely to manifest as a bug because the hash database type isn't used by
default (btree is). But since this code appears very lax about validating
metadata loaded from the DB file, there could be similar issues in the btree
code or elsewhere in the hash code.
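An added example, not part of the original message and not the krb5 project's code: a C sketch of the kind of validation the comment says is missing, checking file-derived header fields before they size a memset() over hashp->mapp. The struct layout, the field names other than bpages and hashp->mapp, and the NCACHED and MAX_BSHIFT limits are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define NCACHED    32   /* assumed slot count of mapp[] and spares[] */
#define BYTE_SHIFT 3    /* log2(bits per byte) */
#define MAX_BSHIFT 16   /* assumed upper bound on log2(bucket size) */

struct hdr {                     /* simplified stand-in for on-disk metadata */
    int32_t bsize;               /* bucket size in bytes */
    int32_t bshift;              /* log2(bsize) */
    int32_t ovfl_point;          /* index into spares[] */
    int32_t spares[NCACHED];     /* overflow page counts */
};

struct htab {
    struct hdr hdr;
    uint32_t *mapp[NCACHED];     /* in-memory bitmap page pointers */
    int nmaps;
};

/* Returns 0 and clears the used slots of mapp[] when the header is sane;
 * returns -1 and leaves mapp[] untouched otherwise. */
int init_bitmaps_checked(struct htab *hashp)
{
    const struct hdr *h = &hashp->hdr;
    int64_t bits, bpages;

    /* bshift must be in range and agree with bsize. */
    if (h->bshift < 1 || h->bshift > MAX_BSHIFT ||
        h->bsize != (int32_t)1 << h->bshift)
        return -1;
    /* ovfl_point is checked first so the spares[] index is in bounds. */
    if (h->ovfl_point < 0 || h->ovfl_point >= NCACHED ||
        h->spares[h->ovfl_point] < 0)
        return -1;

    /* Round the spare count up to whole bitmap pages, in 64-bit math. */
    bits = (int64_t)h->bsize << BYTE_SHIFT;
    bpages = ((int64_t)h->spares[h->ovfl_point] + bits - 1) / bits;
    if (bpages > NCACHED)        /* would write past the end of mapp[] */
        return -1;

    hashp->nmaps = (int)bpages;
    memset(hashp->mapp, 0, (size_t)bpages * sizeof(hashp->mapp[0]));
    return 0;
}

int main(void)
{   /* constructed bad header: ovfl_point is outside spares[] */
    struct htab t = { .hdr = { .bsize = 4096, .bshift = 12, .ovfl_point = 40 } };
    return init_bitmaps_checked(&t) == -1 ? 0 : 1;
}
```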