Full Disclosure mailing list archives

Re: [SECURITY] [DSA 504-1] New heimdal packages fix potential buffer overflow


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 18 May 2004 09:01:07 -0400

"Lead to unexpected behavior?" That is definitely not the candor and
honesty the world expects from what may be the leading Linux
distribution, or any open source project. It reeks of proprietary
vendor risk whitewashing. Either you don't understand the problem
effectively, which is bad, or you are attempting to hide it, which is
also bad.

Dave Aitel
Immunity, Inc.

debian-security-announce () lists debian org wrote:

| --------------------------------------------------------------------------
| Debian Security Advisory DSA 504-1                     security () debian org
| http://www.debian.org/security/                             Martin Schulze
| May 18th, 2004                          http://www.debian.org/security/faq
| --------------------------------------------------------------------------
|
| Package        : heimdal
| Vulnerability  : missing input sanitising
| Problem-Type   : remote
| Debian-specific: no
| CVE ID         : CAN-2004-0472
|
| Evgeny Demidov discovered a potential buffer overflow in a Kerberos
| 4 component of heimdal, a free implementation of Kerberos 5.  The
| problem is present in kadmind, a server for administrative access
| to the Kerberos database.  This problem could perhaps be exploited
| to cause the daemon to read a negative amount of data which could
| lead to unexpected behaviour.
|
| For the stable distribution (woody) this problem has been fixed in
| version 0.4e-7.woody.9.
|
| For the unstable distribution (sid) this problem has been fixed in
| version 0.6.2-1.
|
| We recommend that you upgrade your heimdal and related packages.
|

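An added illustration of the pattern the advisory describes, not heimdal's code and not the kadmind code the DSA refers to: a constructed 4-byte length prefix decoded as a signed int, showing the size an unchecked path would hand to a read and the bounds check that rejects it. MAX_REQ, the packet layout and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a request whose body is prefixed by a 4-byte
 * big-endian length field. Hypothetical layout, not heimdal's format. */

#define MAX_REQ 4096   /* hypothetical upper bound for a request body */

/* Decode the length as a signed 32-bit int. This is how a "negative
 * amount of data" arises: any wire value >= 0x80000000 becomes negative. */
static int32_t read_len_signed(const unsigned char *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Size an unchecked path would pass to read()/memcpy(): the negative int
 * converts to size_t, so -1 becomes SIZE_MAX. Returned only, never used. */
size_t unchecked_request_size(const unsigned char *hdr) {
    int32_t len = read_len_signed(hdr);
    return (size_t)len;
}

/* Hardened: reject negative lengths, lengths over the cap, and lengths
 * exceeding the bytes actually received. Returns body length or -1. */
int checked_request_len(const unsigned char *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;                 /* no complete header */
    int32_t len = read_len_signed(pkt);
    if (len < 0 || len > MAX_REQ) return -1;    /* sign and cap check */
    if ((size_t)len > pkt_len - 4) return -1;   /* body must be present */
    return (int)len;
}

int main(void) {
    unsigned char bad[]  = {0xff, 0xff, 0xff, 0xff, 'x'};
    unsigned char good[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
    printf("unchecked size for 0xffffffff: %zu\n", unchecked_request_size(bad));
    printf("checked: bad=%d good=%d\n",
           checked_request_len(bad, sizeof bad),
           checked_request_len(good, sizeof good));
    return 0;
}
```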
