Any info on CVE-2006-1721 ?
Kai Blin
blin at gmx.net
Thu Oct 5 06:40:31 EDT 2006
On Wednesday 04 October 2006 14:42, Biswatosh wrote:
> That was a nice explanation Kai. But I still need to
> be 100% clear on this fix.
Then I guess you need one of the developers to answer you on that one. :)
> My question is, what was the attack and how was it
> averted by doing this?
> **********************************************
> - if (strcmp(realm, text->realm) != 0) {
> + if (((realm != NULL) && (strcmp(realm,
> text->realm) != 0)) &&
> + (text->realm[0] != 0)) {
> SETERROR(sparams->utils,....
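Review bot: with this condition a NULL `realm` makes the whole `&&` chain false, so the SETERROR branch is skipped and a missing realm is silently accepted instead of rejected; if the goal is only to keep the NULL out of strcmp(), an explicit `realm == NULL` error (or a comment stating that a missing realm is deliberately treated as a match) would make the intent clear. Also, `text->realm[0] != 0` is evaluated last, so strcmp() still runs on every call before the empty-realm case is considered; testing `text->realm[0]` first would short-circuit earlier and avoids the comparison on a fresh context.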
> ***********************************************
> All I know is from
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
> How a "text->realm != 0" and a "realm != NULL", could
> avert that attack?
The old check causes a segfault if realm was a null pointer on the strcmp()
check. This was fixed with the realm != NULL check. I figure the
text->realm[0] != 0 check was just added to avoid a wrong return value on the
first use of a context. That's a speculation on my part, though.
Cheers,
Kai
--
Kai Blin, <blin At gmx Dot net>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Ninjas and Pirates agree: Cowboys suck!
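To make the behaviour of the quoted condition concrete, here is an added example (not Cyrus SASL code) that writes the pre-fix and post-fix checks side by side against a stand-in context struct and reports whether the "realm mismatch" error would be raised; the struct name, the helper names and the sample realm values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the per-connection context the quoted check reads from
 * (hypothetical; the real struct lives in the Cyrus SASL DIGEST-MD5 plugin). */
struct text_ctx {
    const char *realm;   /* assumed "" on a freshly created context */
};

/* Pre-fix condition: strcmp() dereferences `realm` unconditionally, so a
 * NULL realm crashes here. Returns 1 when the error branch would be taken.
 * Only safe to call with a non-NULL realm. */
static int realm_mismatch_old(const char *realm, const struct text_ctx *text)
{
    return strcmp(realm, text->realm) != 0;
}

/* Post-fix condition, in the same short-circuit order as the diff: a NULL
 * realm makes the chain false (no error, strcmp() never sees the NULL), and
 * an empty text->realm also suppresses the error. */
static int realm_mismatch_new(const char *realm, const struct text_ctx *text)
{
    return ((realm != NULL) && (strcmp(realm, text->realm) != 0))
           && (text->realm[0] != 0);
}

int main(void)
{
    struct text_ctx fresh = { "" };             /* constructed: new context */
    struct text_ctx bound = { "example.org" };  /* constructed: negotiated realm */

    printf("old, mismatch:      %d\n", realm_mismatch_old("other.org", &bound));
    printf("new, NULL realm:    %d\n", realm_mismatch_new(NULL, &bound));
    printf("new, fresh context: %d\n", realm_mismatch_new("other.org", &fresh));
    printf("new, mismatch:      %d\n", realm_mismatch_new("other.org", &bound));
    printf("new, match:         %d\n", realm_mismatch_new("example.org", &bound));
    return 0;
}
```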