[3297] in Kerberos-V5-bugs


pending/1042: Re: Kerberos 5 ftp client Core Dump

daemon@ATHENA.MIT.EDU (Chris Gragsone)
Sun Jan 13 08:02:07 2002

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: gnats-admin@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, Chris Gragsone <maetrics@realwarp.net>
Message-Id: <3C414DB1.40005@realwarp.net>
Date: Sun, 13 Jan 2002 04:04:49 -0500
From: Chris Gragsone <maetrics@realwarp.net>
To: "Replugge [Rod]" <replugge@alcoholico.org>
Cc: bugtraq@securityfocus.com, krb5-bugs@mit.edu


>Number:         1042
>Category:       pending
>Synopsis:       Re: Kerberos 5 ftp client Core Dump
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Sun Jan 13 08:02:01 EST 2002
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
kerberos 5 gssft 1.2.2

the problem is that "~{" is globbed, then passed to strcmp without any 
checking.

once ~{ is ftpglob()'d it returns as a NULL, which when passed to strcmp 
causes a coredump

the following might be a decent patch.

on ftp.c:842
replace
     if (!globulize(&argv[2])) {
with
     if (!globulize(&argv[2]) || (argv[2] == NULL)) {

this will solve the current core dump.  The problem is that there may be 
other code which depends on a sanitized glob'd argument.  Which means 
glob.c needs a few sanitizing functions and error messages.




Replugge [Rod] wrote:

> A problem exists in the ftp client provided by Kerberos 5 1.2.2,
> kerberos 5 ftp client is provided by the rpm package
> krb5-workstation-1.2.2-12.
> 
> I tested this on Redhat 7.1 i386/alpha ...
> 
> # ftp localhost
> Connected to localhost.localdomain.
> 220 testbox.something.com FTP server (Version wu-2.6.1-16.7x.1) ready.
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (localhost:user1): anonymous
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get ~{
> remote: ~{
> Segmentation fault
> 
> 
> Strace:
> 
>  read(0, get ~{
> "get ~{\n", 1024)               = 7
> write(1, "remote: ~{\n", 11remote: ~{
> )            = 11
> rt_sigaction(SIGINT, {0x8053070, [INT], SA_RESTART|0x4000000},
> {0x80576b0, [INT], SA_RESTART|0x4000000}, 8) = 0
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++
> 
> 
> 
> --
> /* 
> Rodrigo Gutierrez <rodrigo@trustix.com>
> Trustix AS - http://www.trustix.com 
> */
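As an added illustration (not code from this report, nor from the Kerberos 5 ftp client or its glob.c), the following toy program models the failure mode described above and the `|| (argv[2] == NULL)` guard proposed for ftp.c. The names `toy_globulize`, `get_unchecked` and `get_checked` are hypothetical; `toy_globulize` only imitates the reported behaviour of globulize() (returning success while leaving the argument NULL for a pattern such as `~{`) and is not the real expansion code.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for globulize(): on success it replaces *argp with the
 * expanded name and returns 1.  As the report describes for "~{", a
 * pattern this expander cannot handle still returns 1 but leaves *argp
 * set to NULL.  Hypothetical model of the behaviour, not the real code. */
static int toy_globulize(char **argp)
{
    const char *pattern = *argp;
    if (strchr(pattern, '{') != NULL || strchr(pattern, '~') != NULL) {
        *argp = NULL;            /* "expansion" of ~{ comes back empty */
        return 1;
    }
    *argp = strdup(pattern);     /* a plain name expands to itself */
    return *argp != NULL;
}

/* Shape of the reported bug: the expanded argv[2] reaches strcmp() with
 * no NULL check.  Never called below; a NULL argv[2] crashes here.
 * Returns -1 on glob failure, 1 if remote and local names match, else 0. */
static int get_unchecked(char *argv[])
{
    if (!toy_globulize(&argv[2]))
        return -1;
    int same = strcmp(argv[1], argv[2]) == 0;   /* NULL dereference for ~{ */
    free(argv[2]);
    return same;
}

/* Same logic with the suggested guard: a NULL expansion is treated as a
 * failed glob, reported, and the command is abandoned before strcmp(). */
static int get_checked(char *argv[])
{
    if (!toy_globulize(&argv[2]) || argv[2] == NULL) {
        fprintf(stderr, "%s: glob expansion produced no name\n", argv[1]);
        return -1;
    }
    int same = strcmp(argv[1], argv[2]) == 0;
    free(argv[2]);
    return same;
}

int main(void)
{
    /* constructed argument vectors, as the ftp command parser would hand them over */
    char *bad[]  = { "get", "~{", "~{", NULL };
    char *good[] = { "get", "file.txt", "file.txt", NULL };
    printf("get ~{       -> %d (rejected, no crash)\n", get_checked(bad));
    printf("get file.txt -> %d (names compared normally)\n", get_checked(good));
    return 0;
}
```

The guard is deliberately placed on the same line as the existing globulize() test so that every caller of the expansion sees one combined success condition; as the message above notes, any other code path that consumes a glob'd argument needs the same treatment.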