GNU SASL 2.2.4 closes a heap-disclosure flaw (CWE-908, CVSS 6.5 as claimed) in _gsasl_ntlm_client_step: the code allocated a fixed 1,076-byte structure with malloc rather than calloc, then accepted short Type-2 challenges from the server, leaving roughly 1,060 uninitialized bytes that get echoed back in the client response. Versions 2.2.3 and earlier linked against libntlm are affected. Should NTLM still be reachable in new deployments at all?
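As an added illustration (not GNU SASL's or libntlm's code), here is the allocation pattern described above beside its hardened form: the structure size comes from the post, while the minimum Type-2 length and the context layout are assumptions of this example.

```c
/* Illustrative only: a fixed-size client context filled from a server-supplied
 * Type-2 challenge. The layout and the minimum length are assumptions of this
 * example, not taken from GNU SASL or libntlm. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CTX_LEN 1076       /* structure size reported for the affected code */
#define MIN_CHALLENGE 32   /* assumed minimum for a complete Type-2 message */

/* Vulnerable pattern: malloc leaves every byte past the copied challenge
 * uninitialized, and a short challenge is accepted, so the tail of the
 * structure still holds whatever the heap held before. If the caller then
 * serializes all CTX_LEN bytes into the Type-3 response, that tail leaks. */
unsigned char *build_ctx_vulnerable(const unsigned char *chal, size_t len) {
    unsigned char *ctx = malloc(CTX_LEN);
    if (!ctx) return NULL;
    memcpy(ctx, chal, len < CTX_LEN ? len : CTX_LEN);
    return ctx;
}

/* Hardened pattern: reject truncated or oversized challenges up front and
 * zero the whole structure so no allocation residue can reach the wire. */
unsigned char *build_ctx_fixed(const unsigned char *chal, size_t len) {
    if (len < MIN_CHALLENGE || len > CTX_LEN) return NULL;
    unsigned char *ctx = calloc(1, CTX_LEN);
    if (!ctx) return NULL;
    memcpy(ctx, chal, len);
    return ctx;
}

/* Count non-zero bytes past the copied challenge: a cheap check a test suite
 * can run to detect this class of disclosure. Always 0 on the fixed path. */
size_t stale_tail_bytes(const unsigned char *ctx, size_t len) {
    size_t n = 0;
    for (size_t i = len; i < CTX_LEN; i++)
        if (ctx[i] != 0) n++;
    return n;
}

int main(void) {
    unsigned char chal[16] = {0};          /* constructed, deliberately short */
    unsigned char *v = build_ctx_vulnerable(chal, sizeof chal);
    unsigned char *f = build_ctx_fixed(chal, sizeof chal);
    printf("vulnerable: %zu possibly stale bytes; fixed: %s\n",
           v ? stale_tail_bytes(v, sizeof chal) : 0, f ? "accepted" : "rejected");
    free(v);
    free(f);
    return 0;
}
```

The stale-byte count on the vulnerable path depends on what the allocator hands back, so it may read 0 on a fresh heap; the point is that the fixed path makes it 0 by construction.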
#security #NTLM