reassign 512410 libkrb5-3
# double-free triggered in externally-accessible services is always
# potentially a security issue
severity 512410 serious
tags 512410 security
found 512410 libkrb5-3/1.10.1+dfsg-1
thanks

"Livingston, John A" <john.a.livings...@boeing.com> writes:
> On Jun 6, 2012, at 5:40 PM, Russ Allbery wrote:

>> Aha! Do you have the keytab PAM option set either in the PAM
>> configuration or in krb5.conf?

> I don't believe we do, unless it's getting called subtly from something
> else. Below is our regular krb5.conf in case it's helpful. Our PAM setup
> uses the standard Debian pam-auth-update lines for use with Kerberos,
> plenty of invocations of "pam_krb5.so minimum_uid=1000", but no use of
> the keytab option. Our host entries live in the default
> /etc/krb5.keytab, I don't think we've had a reason to use keytab.

Indeed, you don't. I am therefore confused as to how you're encountering
this, since pam-krb5 only calls krb5_verify_init_creds in one place, and
in that one place the server argument is NULL unless the keytab PAM
option or krb5.conf configuration option is defined.

But, nonetheless, that seems to be the issue. Maybe something internal to
the Kerberos library is calling krb5_verify_init_creds with a non-NULL
principal? But if so, I'm not seeing it anywhere in the source.

In any event, I'll reassign this to libkrb5-3, which needs a patch before
the wheezy release. (Upstream already fixed this in the development
sources.)

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>