Any info on CVE-2006-1721 ?

Kai Blin blin at gmx.net
Wed Oct 4 05:47:04 EDT 2006


On Wednesday 04 October 2006 10:07, Biswatosh wrote:

> > > 2)What if,
> > >          (a) realm != NULL
> > >      and (b) strcmp(realm,text->realm) != 0
> > >      and (c) text->realm[0] == 0 ,  are all true?
> >
> > This is a != 0, not a == 0. So we make sure that...
>
> Yes, SASL code checks text->realm[0] != 0, correct, but
> my question was what if text->realm[0] == 0, and
> having realm != NULL and realm not the same as text->realm

Oh, I thought you had misread the patch. Sorry then.

> Where is this being validated? Why are we not making
> SETERROR(sparams->util,"realm changed: authentication
> aborted") then? The realm has certainly changed, hasn't
> it, even if text->realm is an empty string?

To be honest, I am no expert on this code, I've only looked into the ntlm 
plugin a little, but from a quick look at the source code, I would say this:

text is a context_t struct used for the authentication. The sanity check you 
were asking about is from digestmd5_server_mech_step2(). The context is 
initialized in digestmd5_server_mech_new(), where it is memset to 0 (line 
1002). Unless it's set by some helper function I missed while reading 
digestmd5_server_mech_step1(), it's not initialized on a new context when the 
sanity check happens in digestmd5_server_mech_step2(). So on the first run on 
a new context, text->realm[0] is always == 0.

Thus it would not make sense to fail on that. This only makes sure that a 
context is not reused on a different realm.

Cheers,
Kai

-- 
Kai Blin, <blin At gmx Dot net>
WorldForge developer    http://www.worldforge.org/
Wine developer          http://wiki.winehq.org/KaiBlin/
--
Ninjas and Pirates agree: Cowboys suck!
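To make the reasoning in the reply concrete, here is a small added C model of the realm sanity check (not the Cyrus SASL source; the context_t layout, REALM_MAX, check_realm and scenario are assumptions chosen for illustration). It shows why a freshly zeroed context passes the check and only a context reused with a different realm is rejected.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not the real Cyrus SASL struct): the
 * per-authentication context with a fixed-size realm buffer. */
#define REALM_MAX 64
typedef struct {
    char realm[REALM_MAX];
} context_t;

enum { REALM_OK = 0, REALM_CHANGED = -1 };

/* New context: memset to 0, so realm[0] == 0 before the first step. */
static void context_new(context_t *text)
{
    memset(text, 0, sizeof *text);
}

/* The check discussed above: fail only when the context already carries a
 * non-empty realm that differs from the one supplied; on a fresh context
 * (realm[0] == 0) the supplied realm is recorded instead. */
static int check_realm(context_t *text, const char *realm)
{
    if (realm == NULL)
        return REALM_OK;            /* the check applies only when a realm was given */

    if (text->realm[0] != 0 && strcmp(realm, text->realm) != 0)
        return REALM_CHANGED;       /* context reused on a different realm */

    strncpy(text->realm, realm, REALM_MAX - 1);
    text->realm[REALM_MAX - 1] = 0;
    return REALM_OK;
}

/* Two consecutive steps on one fresh context; returns the second result. */
static int scenario(const char *first, const char *second)
{
    context_t text;
    context_new(&text);
    (void)check_realm(&text, first);
    return check_realm(&text, second);
}

int main(void)
{
    printf("same realm twice:   %d\n", scenario("example.com", "example.com"));
    printf("realm changed:      %d\n", scenario("example.com", "other.example"));
    printf("no realm, then one: %d\n", scenario(NULL, "example.com"));
    return 0;
}
```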