Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5894 to the following vulnerability:

The reply function in ftpd.c in the gssftp ftpd in MIT Kerberos 5 (krb5) does not initialize the length variable when auth_type has a certain value, which has unknown impact and remote authenticated attack vectors. NOTE: the original disclosure misidentifies the conditions under which the uninitialized variable is used.

References:
http://bugs.gentoo.org/show_bug.cgi?id=199205
http://marc.info/?l=full-disclosure&m=119743235325151&w=2

MIT say:

CVE-2007-5894
http://bugs.gentoo.org/show_bug.cgi?id=199205

This is not a vulnerability, and only a stylistic bug. The alleged vulnerability consists of reading an uninitialized variable, "length", in the reply() function in src/appl/gssftp/ftpd/ftpd.c.

        /* Other auth types go here ... */
        if (length >= sizeof(in) / 4 * 3) {
            syslog(LOG_ERR, "input to radix_encode too long");
            fputs(in, stdout);
        } else if ((kerror = radix_encode(out, in, &length, 0))) {
            syslog(LOG_ERR, "Couldn't encode reply (%s)",
                   radix_error(kerror));
            fputs(in,stdout);

The "length" variable is only uninitialized if "auth_type" is neither the "KERBEROS_V4" nor "GSSAPI"; this condition cannot occur in the unmodified source code. While the remote user can set the string in "auth_type", this may only occur by way of the auth_data() function, which will only set "auth_type" if it exactly matches one of the aforementioned two strings.
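
The invariant described in the statement above, and a defensive shape for the length check that does not depend on it, as an added example (not code from krb5 or from this report). It is a simplified model: set_auth_type, reply_length and in_cap are hypothetical names, and strlen stands in for the length the real mechanism would produce.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT the krb5 source. auth_type, length and the two
 * mechanism names come from the page; all other names are hypothetical. */
static const char *auth_type = NULL;

/* The invariant MIT describes: auth_type changes only on an exact match. */
static int set_auth_type(const char *requested)
{
    static const char *const allowed[] = { "KERBEROS_V4", "GSSAPI" };
    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++) {
        if (strcmp(requested, allowed[i]) == 0) {
            auth_type = allowed[i];
            return 0;
        }
    }
    return -1;                        /* auth_type left unchanged */
}

/* length is defined on every path and an unexpected auth_type fails
 * closed before the size check. Returns 0 and sets *out_len, or -1. */
static int reply_length(const char *in, size_t in_cap, size_t *out_len)
{
    size_t length = 0;                /* initialized at declaration */

    if (auth_type == NULL)
        return -1;                    /* no mechanism negotiated */
    if (strcmp(auth_type, "KERBEROS_V4") == 0 ||
        strcmp(auth_type, "GSSAPI") == 0)
        length = strlen(in);          /* stand-in for the mechanism's output length */
    else
        return -1;                    /* the "other auth types" case */

    if (length >= in_cap / 4 * 3)     /* same bound as the quoted excerpt */
        return -1;
    *out_len = length;
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("bogus mechanism accepted: %s\n", set_auth_type("BOGUS") == 0 ? "yes" : "no");
    if (set_auth_type("GSSAPI") == 0 && reply_length("hi", 64, &n) == 0)
        printf("GSSAPI reply length: %zu\n", n);
    return 0;
}
```

With the explicit reject branch, a later change that lets another value into auth_type produces an error return rather than a read of an indeterminate length.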