Bug 436345

Summary: Buffer overflow when SELinux enabled.
Product: Fedora
Reporter: Pawel Salek <pawsa>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 8
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-03-23 07:52:48 EDT
Bug Blocks: 442314
Attachments: One-line patch (flags: none)

Description Pawel Salek 2008-03-06 12:24:14 EST
Description of problem:
selinux-label patch adds code that does not compute buffer size correctly (a
typical off-by-one error).  This will at best corrupt heap whenever the code is
executed.

Version-Release number of selected component (if applicable):
krb5-workstation-1.6.2-11.fc8
krb5-1.6.1-17.el5 is affected as well.

How reproducible:
100%

Steps to Reproduce:
1. have selinux enabled.
2. try transferring a file from a local directory so that the path does not start
with /.
3. watch the heap being corrupted (MALLOC_CHECK_=2 helps to see it already the
first time).

Additional info:
Patch will be attached.
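The report describes the bug class but not the code itself, so the following is an added illustration and not the krb5 selinux-label patch or the attached fix. It assumes a helper that turns a user-supplied ftp file name into an absolute path by prepending "/" when the name is relative, and shows the typical sizing mistake (counting the added "/" but forgetting the NUL terminator, so only relative names overflow) next to a corrected builder that sizes the buffer properly and checks snprintf's return value. All function names and sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the bug class, not krb5's own code. Each helper takes
 * a file name as typed by the ftp user and decides how large a buffer must be
 * to hold it as an absolute path: a name that already starts with '/' is
 * copied as is, otherwise a leading '/' is prepended. */

/* Correct sizing: strlen(path) bytes, plus one for the NUL terminator, plus
 * one more for the '/' when it has to be prepended. */
size_t abs_path_size_correct(const char *path)
{
    size_t n = strlen(path);
    return (path[0] == '/') ? n + 1 : n + 2;
}

/* The off-by-one: the extra '/' is accounted for but the NUL is not, so the
 * relative-path branch comes up one byte short. This is why the report says
 * the corruption appears when the path does not start with '/'. */
size_t abs_path_size_buggy(const char *path)
{
    size_t n = strlen(path);
    return n + 1;
}

/* Hardened builder: allocate the correct size and let snprintf's return value
 * confirm nothing was truncated. Returns NULL on failure; the caller frees. */
char *build_abs_path(const char *path)
{
    size_t need = abs_path_size_correct(path);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    int written = (path[0] == '/') ? snprintf(buf, need, "%s", path)
                                   : snprintf(buf, need, "/%s", path);
    if (written < 0 || (size_t)written >= need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Number of bytes the buggy sizing would write past its allocation for this
 * input; 0 means the bug does not trigger. */
size_t overflow_bytes(const char *path)
{
    size_t correct = abs_path_size_correct(path);
    size_t buggy = abs_path_size_buggy(path);
    return correct > buggy ? correct - buggy : 0;
}

/* Convenience check: does build_abs_path(path) produce expected? */
int abs_path_equals(const char *path, const char *expected)
{
    char *p = build_abs_path(path);
    int ok = (p != NULL) && strcmp(p, expected) == 0;
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs: two relative names and one absolute one. */
    const char *inputs[] = { "notes.txt", "dir/notes.txt", "/etc/krb5.conf" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *p = build_abs_path(inputs[i]);
        printf("%-16s -> %-18s buggy sizing overflows by %zu byte(s)\n",
               inputs[i], p ? p : "(error)", overflow_bytes(inputs[i]));
        free(p);
    }
    return 0;
}
```

The one-byte shortfall is exactly the kind of heap corruption glibc's MALLOC_CHECK_=2 (mentioned in the report) aborts on: the NUL written by the copy lands in the allocator's bookkeeping just past the undersized block, which is why the bug shows on the first transfer of a relative path and never on an absolute one.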
Comment 1 Pawel Salek 2008-03-06 12:25:51 EST
Created attachment 297075 [details]
One-line patch

Trivial fix.
Comment 2 Pawel Salek 2008-03-07 06:58:42 EST
Bug is also present in the ftp program as distributed with krb5-1.6.2-13.fc8.
Comment 3 Nalin Dahyabhai 2008-03-18 12:12:37 EDT
Going to include the fix in 1.6.2-14, leaving open until it's pushed as an update.
Comment 4 Fedora Update System 2008-03-18 14:50:45 EDT
krb5-1.6.2-14.fc8 has been submitted as an update for Fedora 8
Comment 5 Fedora Update System 2008-03-21 18:20:16 EDT
krb5-1.6.2-14.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Pawel Salek 2008-03-23 07:52:48 EDT
The bug appears to be gone in krb5-1.6.2-14.fc8.