Secure testing team - Sep 2007 - r6529 - data/CVE

Author: fw
Date: 2007-09-07 06:40:13 +0000 (Fri, 07 Sep 2007)
New Revision: 6529

Modified:
   data/CVE/list
Log:
CVE-2007-4743: krb5, librpcsecgss


Modified: data/CVE/list
==================================================================---
data/CVE/list	2007-09-07 05:52:01 UTC (rev 6528)
+++ data/CVE/list	2007-09-07 06:40:13 UTC (rev 6529)
@@ -1,3 +1,6 @@
+CVE-2007-4743 [Incorrect fix for CVE-2007-3999: buffer overflow in RPC library]
+	- krb5 <unfixed> (high)
+	- librpcsecgss <unfixed>
 CVE-2007-4731
 	RESERVED
 CVE-2007-4730

Hi,
* fw at alioth.debian.org <fw at alioth.debian.org> [2007-09-07
12:32]:
> Author: fw
> CVE-2007-4743: krb5, librpcsecgss
> Modified: data/CVE/list
> ==================================================================> ---
data/CVE/list	2007-09-07 05:52:01 UTC (rev 6528)
> +++ data/CVE/list	2007-09-07 06:40:13 UTC (rev 6529)
> @@ -1,3 +1,6 @@
> +CVE-2007-4743 [Incorrect fix for CVE-2007-3999: buffer overflow in RPC
library]
> +	- krb5 <unfixed> (high)
> +	- librpcsecgss <unfixed>
>  CVE-2007-4731
Is there any public information about why exactly this patch 
is wrong?
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20070907/ff01ae88/attachment.pgp

* Nico Golde:
>> +CVE-2007-4743 [Incorrect fix for CVE-2007-3999: buffer overflow in RPC
library]
>> +	- krb5 <unfixed> (high)
>> +	- librpcsecgss <unfixed>
>>  CVE-2007-4731
>
> Is there any public information about why exactly this patch 
> is wrong?
<http://article.gmane.org/gmane.comp.encryption.kerberos.announce/86>

I''ve also put it into the list file.