Any info on CVE-2006-1721 ?

Biswatosh biswatosh2001 at yahoo.com
Wed Oct 4 04:07:18 EDT 2006


Thx Kai. Pls see my response inline.

--- Kai Blin <blin at gmx.net> wrote:

> On Wednesday 04 October 2006 08:13, Biswatosh wrote:
> 
> > 2)What if,
> >          (a) realm != NULL
> >      and (b) strcmp(realm,text->realm) != 0
> >      and (c) text->realm[0] == 0 ,  are all true?
> 
> This is a != 0, not a == 0. So we make sure that...

Yes, SASL code checks text->realm[0] != 0, correct, but
my question was what if text->realm[0] == 0, and
having realm != NULL and realm not same as text->realm?
Where is this being validated? Why are we not making
SETERROR(sparams->util,"realm changed: authentication aborted")
then? The realm has certainly changed, has it not,
even if text->realm is an empty string?

> (a) realm is not a NULL pointer,
> (b) realm is not identical to text->realm
> (c) text->realm is not an empty string
> 
> If all of those are true, SASL_BADAUTH is returned.
>
Yes, like I said above, what if (a),(b) are true but
(c) is false?


> > If a,b and c are true then it won't return SASL_BADAUTH
> > and won't set error to "realm changed: authentication aborted".
> 
> Well, if all those are true, it will set that error.
> strcmp returns 0 if two strings are identical.
> 
> > But then, has not the realm actually changed 
> > because of (b)? Should we not throw an error then?
> 
> Well, the code does.

How? Of course, the answer to my questions above
should perhaps answer this.

> 
> Kai
> 
> -- 
> Kai Blin, <blin At gmx Dot net>
> WorldForge developer    http://www.worldforge.org/
> Wine developer          http://wiki.winehq.org/KaiBlin/
> --
> Ninjas and Pirates agree: Cowboys suck!
> 

Thanks
Biswatosh
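
Added example, not part of the original message and not the Cyrus SASL source: the three-clause realm test as it is worded in this thread, evaluated over constructed inputs, including the case asked about above where (a) and (b) hold but (c) does not. The helper names `realm_check` and `realm_check_no_c` and the sample realms are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Values as in sasl.h, defined locally so this builds without libsasl2. */
#define SASL_OK        0
#define SASL_BADAUTH (-13)

/* Hypothetical helper: the realm test as worded in the thread.
 * realm  = realm in the client's response (may be NULL)
 * stored = text->realm, the realm held in the server context */
static int realm_check(const char *realm, const char *stored)
{
    if (realm != NULL &&                /* (a) */
        strcmp(realm, stored) != 0 &&   /* (b) */
        stored[0] != 0)                 /* (c) */
        return SASL_BADAUTH;  /* "realm changed: authentication aborted" */
    return SASL_OK;
}

/* Hypothetical variant without clause (c), shown only to make visible
 * which inputs that clause affects. */
static int realm_check_no_c(const char *realm, const char *stored)
{
    if (realm != NULL && strcmp(realm, stored) != 0)
        return SASL_BADAUTH;
    return SASL_OK;
}

int main(void)
{
    /* Constructed inputs: {client realm, text->realm} */
    const char *cases[][2] = {
        { NULL,            "example.org" },  /* (a) false */
        { "example.org",   "example.org" },  /* (b) false */
        { "other.example", "example.org" },  /* (a),(b),(c) all true */
        { "other.example", ""            },  /* (a),(b) true, (c) false */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = cases[i][0], *s = cases[i][1];
        printf("realm=%-15s text->realm=%-13s 3-clause=%3d  without (c)=%3d\n",
               r ? r : "(null)", *s ? s : "(empty)",
               realm_check(r, s), realm_check_no_c(r, s));
    }
    return 0;
}
```

Only the fourth row differs between the two functions: with an empty text->realm the three-clause test returns SASL_OK even though the strings do not match.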
