A remotely exploitable buffer overflow in the Kerberos ticket handling
code in the old SSH AFS / Kerberos v4 ssh-1.2.2x series of patches was
reported by Jouko Pynnonen <[EMAIL PROTECTED]> on December 10, 2000.

This was actually fixed during our initial audit and integration of
the AFS / Kerberos v4 support in OpenSSH back in September 1999:

1.5  (dugsong  29-Sep-99):    if (auth.length <  MAX_KTXT_LEN)
1.5  (dugsong  29-Sep-99):       memcpy(auth.dat, kdata, auth.length);

but the fixes were, to my discredit, never backported to the
deprecated ssh-1.2.2x series of patches, originally available from

        http://www.monkey.org/~dugsong/ssh-afs/
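
As an added example (not code from this post, nor from OpenSSH, ossh or
the ssh-afs patches), the following C routine models the Kerberos v4
KTEXT structure and applies the same length check as the 1999 fix before
the memcpy(), together with a check that the claimed ticket length does
not exceed the bytes actually received. MAX_KTXT_LEN and the length/dat
layout follow the Kerberos v4 krb.h definitions; the function names, the
4-byte big-endian length framing and the sample inputs are this
example's own assumptions.

```c
/* Added example, not from the original post or from OpenSSH / ossh.
 * Models the Kerberos v4 KTEXT structure (length + fixed data buffer, as
 * in krb.h) and shows the bounds check that the old ssh-1.2.2x patches
 * lacked: a ticket length taken from the network must be checked against
 * the fixed-size destination before memcpy(). The wire framing below
 * (4-byte big-endian length, then the ticket bytes) is assumed for the
 * example and is not the SSH1 Kerberos v4 message layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KTXT_LEN 1250            /* as in Kerberos v4 krb.h */

typedef struct ktext_st {
    int length;                      /* bytes used in dat[] */
    unsigned char dat[MAX_KTXT_LEN]; /* fixed-size ticket storage */
} KTEXT_ST, *KTEXT;

/* Read a 32-bit big-endian length from a wire buffer. */
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse a length-prefixed ticket from wire[0..wire_len) into auth.
 * Returns 0 on success, -1 if the claimed length fits neither the
 * remaining wire data (read side) nor the KTEXT buffer (write side).
 * The write-side test mirrors the strict "< MAX_KTXT_LEN" of the fix. */
int ticket_from_wire(KTEXT auth, const unsigned char *wire, size_t wire_len) {
    if (wire_len < 4)
        return -1;                   /* no length field present */
    uint32_t claimed = get_u32(wire);
    if (claimed > wire_len - 4)
        return -1;                   /* would read past the input */
    if (claimed >= MAX_KTXT_LEN)
        return -1;                   /* would write past dat[] */
    auth->length = (int)claimed;
    memcpy(auth->dat, wire + 4, claimed);
    return 0;
}

/* Build a constructed message that claims `claimed` ticket bytes but
 * carries `payload_len` bytes, and run it through ticket_from_wire().
 * Returns that call's result (-2 if the scenario exceeds scratch space). */
int check_scenario(uint32_t claimed, size_t payload_len) {
    static unsigned char wire[4 + 2048];
    KTEXT_ST auth;
    if (payload_len > 2048)
        return -2;
    wire[0] = (unsigned char)(claimed >> 24);
    wire[1] = (unsigned char)(claimed >> 16);
    wire[2] = (unsigned char)(claimed >> 8);
    wire[3] = (unsigned char)(claimed);
    memset(wire + 4, 0xAB, payload_len);      /* constructed ticket bytes */
    memset(&auth, 0, sizeof auth);
    return ticket_from_wire(&auth, wire, 4 + payload_len);
}

int main(void) {
    printf("16-byte ticket:            %d\n", check_scenario(16, 16));
    printf("claims 4000, carries 16:   %d\n", check_scenario(4000, 16));
    printf("1300-byte ticket:          %d\n", check_scenario(1300, 1300));
    printf("1249-byte ticket:          %d\n", check_scenario(1249, 1249));
    return 0;
}
```

The two checks are deliberately separate: the second one is the fix
quoted above, and the first one is what keeps a claimed length from
turning into an over-read of the receive buffer even when the
destination is large enough.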

Users on the [EMAIL PROTECTED] mailing list were notified of this
vulnerability on December 10, 2000, and Bjoern Groenvall released an
updated version of ossh (from which OpenSSH was originally derived)
on January 4, 2001.

Any AFS / Kerberos v4 sites still using the old ssh-1.2.2x patches
(there shouldn't be any left, hopefully) should upgrade to OpenSSH:

        http://www.openssh.com/

-d.

---
http://www.monkey.org/~dugsong/