Any info on CVE-2006-1721 ?

Kai Blin blin at gmx.net
Thu Oct 5 06:40:31 EDT 2006


On Wednesday 04 October 2006 14:42, Biswatosh wrote:
> That was a nice explanation Kai. But I still need to
> be 100% clear on this fix.

Then I guess you need one of the developers to answer you on that one. :)

> My question is, what was the attack and how was it
> averted by doing this?
> **********************************************
> -    if (strcmp(realm, text->realm) != 0) {
> +    if (((realm != NULL) && (strcmp(realm,
> text->realm) != 0)) &&
> +	(text->realm[0] != 0)) {
>  	SETERROR(sparams->utils,....
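Review bot: the rewritten condition makes a NULL `realm` bypass the mismatch error entirely (the whole `&&` chain evaluates false), so a missing realm is now accepted where the old code would have compared it; if that is the intended behaviour it should be stated in a comment, otherwise a NULL `realm` should still reach `SETERROR`. Note also that `text->realm` is dereferenced by both `strcmp(realm, text->realm)` and `text->realm[0]` with no NULL check of its own, and the `text->realm[0] != 0` test runs after the strcmp rather than before it; ordering the guards as `if (text->realm[0] != 0 && realm != NULL && strcmp(realm, text->realm) != 0)` would make the "no stored realm yet" case explicit without changing the result.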
> ***********************************************
> All I know is from
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
> How a "text->realm != 0" and a "realm != NULL", could
> avert that attack?

The old check causes a segfault if realm was a null pointer on the strcmp() 
check. This was fixed with the realm != NULL check.  I figure the 
text->realm[0] != 0 check was just added to avoid a wrong return value on the 
first use of a context. That's a speculation on my part, though.

Cheers,
Kai

-- 
Kai Blin, <blin At gmx Dot net>
WorldForge developer    http://www.worldforge.org/
Wine developer          http://wiki.winehq.org/KaiBlin/
--
Ninjas and Pirates agree: Cowboys suck!