Related Vulnerabilities: CVE-2020-10595  

A heap-based one-byte out-of-bounds write has been found in pam-krb5 before 4.9. During prompting initiated by the Kerberos library, an attacker who enters a response exactly as long as the length of the buffer provided by the underlying Kerberos library will cause pam-krb5 to write a single nul byte past the end of that buffer. The effect of this buffer overflow will depend on the buffer allocation strategy of the underlying Kerberos library, but could result in heap corruption or a single-byte overwrite of another stack variable, with unknown consequences. Conceivably, remote code execution could be possible, although difficult to achieve. Under normal usage of this PAM module, it never does prompting initiated by the Kerberos library, and thus most configurations will not be readily vulnerable to this bug. Kerberos-library-initiated prompting generally only happens with the no_prompt PAM configuration option, PKINIT, or other non-password preauth mechanisms.
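As an added illustration written for this advisory (not pam-krb5's own source), the copy pattern the description refers to, using a constructed krb5-style reply buffer of `length` bytes: the unsafe length check admits a response of exactly `length` bytes and places its terminating nul one byte past the end, while the hardened check reserves that byte. A ninth canary byte placed behind the buffer makes the overwrite observable without undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the reply buffer the Kerberos library hands to a
 * PAM prompter callback: `length` bytes at `data`.  Illustrative code for
 * this advisory, not pam-krb5's own source. */
struct reply_buf {
    char *data;
    size_t length;
};

/* Vulnerable pattern: only responses longer than the buffer are rejected, so
 * a response of exactly `length` bytes is accepted and its terminating nul
 * is written to data[length], one byte past the end. */
int copy_reply_unsafe(struct reply_buf *r, const char *resp) {
    size_t len = strlen(resp);
    if (len > r->length)
        return -1;
    memcpy(r->data, resp, len);
    r->data[len] = '\0';            /* out of bounds when len == r->length */
    return 0;
}

/* Hardened pattern: reserve one byte for the terminator, so the longest
 * accepted response is length - 1 bytes. */
int copy_reply_safe(struct reply_buf *r, const char *resp) {
    size_t len = strlen(resp);
    if (r->length == 0 || len >= r->length)
        return -1;
    memcpy(r->data, resp, len);
    r->data[len] = '\0';
    return 0;
}

/* Copy `resp` into an 8-byte reply buffer backed by a 9-byte array whose
 * last byte is a canary.  Returns 1 if the canary is intact, 0 if the copy
 * overwrote it, -1 if the copy was rejected. */
int canary_intact_after_copy(int hardened, const char *resp) {
    char backing[9];
    memset(backing, 'C', sizeof backing);      /* backing[8] is the canary */
    struct reply_buf r = { backing, 8 };
    int rc = hardened ? copy_reply_safe(&r, resp) : copy_reply_unsafe(&r, resp);
    if (rc != 0)
        return -1;
    return backing[8] == 'C';
}
```

An 8-byte response into an 8-byte buffer clobbers the canary under the unsafe check and is rejected under the hardened one; a 7-byte response is accepted by both and leaves the canary intact.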

Severity: Medium

Remote: Yes

Type: Arbitrary code execution

AVG-1119: pam-krb5 4.8-1 (affected), severity Medium, status Vulnerable

https://mailman.mit.edu/pipermail/kerberos/2020-March/022444.html
https://www.openwall.com/lists/oss-security/2020/03/31/1