Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches


Date: Tue, 30 Jan 2001 13:54:39 -0500
From: Dug Song <dugsong@MONKEY.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches

A remotely exploitable buffer overflow in the Kerberos ticket handling
code in the old SSH AFS / Kerberos v4 ssh-1.2.2x series of patches was
reported by Jouko Pynnonen <jouko@solutions.fi> on December 10, 2000.

This was actually fixed during our initial audit and integration of
the AFS / Kerberos v4 support in OpenSSH back in September 1999:

1.5  (dugsong  29-Sep-99):    if (auth.length <  MAX_KTXT_LEN)
1.5  (dugsong  29-Sep-99):       memcpy(auth.dat, kdata, auth.length);

but the fixes were, to my discredit, never backported to the
deprecated ssh-1.2.2x series of patches, originally available from

	http://www.monkey.org/~dugsong/ssh-afs/

Users on the ssh-afs@umich.edu mailing list were notified of this
vulnerability on December 10, 2000, and Bjoern Groenvall released an
updated version of ossh (from which OpenSSH was originally derived)
on January 4, 2001.

Any AFS / Kerberos v4 sites still using the old ssh-1.2.2x patches
(there shouldn't be any left, hopefully) should upgrade to OpenSSH:

	http://www.openssh.com/

-d.

---
http://www.monkey.org/~dugsong/
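
The length check quoted in the message above, shown in context as an added example; this is not code from OpenSSH, ossh or the original post. It goes one step beyond the message by also checking the claimed length against the bytes actually received. Assumptions: the names `ticket_parse`, `try_ticket` and `struct ktext` are hypothetical, the ticket arrives as a 4-byte big-endian length followed by data, and `MAX_KTXT_LEN` is 1250.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_KTXT_LEN 1250   /* assumption: the Kerberos v4 krb.h value */

struct ktext {              /* hypothetical stand-in for the ticket buffer */
    size_t length;
    unsigned char dat[MAX_KTXT_LEN];
};

/* Parse one length-prefixed ticket from an untrusted packet.
 * Returns 0 on success, -1 if the packet is rejected. */
int ticket_parse(struct ktext *auth, const unsigned char *pkt, size_t pktlen)
{
    uint32_t klen;

    auth->length = 0;
    if (pktlen < 4)
        return -1;                  /* no room for the length field */
    klen = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
           ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    if (klen > pktlen - 4)
        return -1;                  /* claims more bytes than were received */
    if (klen >= MAX_KTXT_LEN)
        return -1;                  /* same bound as the fix: must fit dat[] */
    memcpy(auth->dat, pkt + 4, klen);
    auth->length = klen;
    return 0;
}

/* Constructed input: a packet that claims `claimed` bytes but carries `sent`. */
int try_ticket(uint32_t claimed, size_t sent)
{
    static unsigned char pkt[4 + 2 * MAX_KTXT_LEN];
    struct ktext auth;

    if (sent > sizeof(pkt) - 4)
        return -2;                  /* test harness limit, not a parse result */
    pkt[0] = (unsigned char)(claimed >> 24);
    pkt[1] = (unsigned char)(claimed >> 16);
    pkt[2] = (unsigned char)(claimed >> 8);
    pkt[3] = (unsigned char)claimed;
    memset(pkt + 4, 'A', sent);
    return ticket_parse(&auth, pkt, 4 + sent);
}

int main(void)
{
    /* Exit status 0: a well-formed ticket is accepted, an oversized one refused. */
    return !(try_ticket(100, 100) == 0 && try_ticket(2000, 2000) == -1);
}
```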
