Bugtraq mailing list archives

Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches


From: Dug Song <dugsong () MONKEY ORG>
Date: Tue, 30 Jan 2001 13:54:39 -0500

A remotely exploitable buffer overflow in the Kerberos ticket handling
code in the old SSH AFS / Kerberos v4 ssh-1.2.2x series of patches was
reported by Jouko Pynnonen <jouko () solutions fi> on December 10, 2000.

This was actually fixed during our initial audit and integration of
the AFS / Kerberos v4 support in OpenSSH back in September 1999:

1.5  (dugsong  29-Sep-99):    if (auth.length <  MAX_KTXT_LEN)
1.5  (dugsong  29-Sep-99):       memcpy(auth.dat, kdata, auth.length);

but the fixes were, to my discredit, never backported to the
deprecated ssh-1.2.2x series of patches, originally available from

        http://www.monkey.org/~dugsong/ssh-afs/

Users on the ssh-afs () umich edu mailing list were notified of this
vulnerability on December 10, 2000, and Bjoern Groenvall released an
updated version of ossh (from which OpenSSH was originally derived)
on January 4, 2001.

Any AFS / Kerberos v4 sites still using the old ssh-1.2.2x patches
(there shouldn't be any left, hopefully) should upgrade to OpenSSH:

        http://www.openssh.com/

-d.

---
http://www.monkey.org/~dugsong/
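The fix quoted in the post is a length check guarding a memcpy into a fixed-size Kerberos v4 ticket buffer. The following is an added example (not code from the post, from the ssh-afs patches, or from OpenSSH) showing that pattern in isolation: a ticket is copied into a KTEXT-style struct only when its length is strictly below the buffer size, and a length-prefixed field from a constructed packet is parsed into it. The value of MAX_KTXT_LEN, the struct layout, the function names (ticket_copy, ticket_from_packet, build_packet, run_demo), the 4-byte big-endian length prefix and the sample packets are all assumptions made for the example.

```c
/* Added example: bounds-checked copy of an untrusted ticket into a fixed
 * buffer, mirroring the shape of the fix quoted in the advisory. Not taken
 * from the advisory, ssh-afs or OpenSSH; all names and values are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumption: the Kerberos v4 ticket buffer size (krb.h uses 1250). */
#define MAX_KTXT_LEN 1250

/* Assumed struct shaped like Kerberos v4's KTEXT_ST: fixed buffer + length.
 * The length is unsigned on purpose: a negative signed int compared with '<'
 * would pass the check and then be turned into a huge size_t by memcpy. */
struct ktext {
    size_t length;
    unsigned char dat[MAX_KTXT_LEN];
};

/* Copy an untrusted ticket into auth->dat only if it fits.
 * Same predicate as the quoted fix: length strictly less than the buffer.
 * Returns 0 on success, -1 if the ticket is rejected. */
int ticket_copy(struct ktext *auth, const unsigned char *kdata, size_t len)
{
    if (len >= MAX_KTXT_LEN)
        return -1;
    memcpy(auth->dat, kdata, len);
    auth->length = len;
    return 0;
}

/* Parse one assumed SSH1-style string field (4-byte big-endian length, then
 * that many bytes) from a packet buffer and hand it to ticket_copy().
 * Returns 0 on success, -1 if the packet is truncated or the declared length
 * exceeds the bytes actually present, -2 if the ticket is oversized. */
int ticket_from_packet(struct ktext *auth, const unsigned char *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    uint32_t declared = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                        ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    /* A lying length prefix must never make us read past the packet. */
    if (declared > pktlen - 4)
        return -1;
    if (ticket_copy(auth, pkt + 4, declared) != 0)
        return -2;
    return 0;
}

/* Build a constructed packet: length prefix followed by 'len' filler bytes.
 * Returns the packet size, or 0 if it would not fit in 'out'. */
size_t build_packet(unsigned char *out, size_t outcap, uint32_t len, unsigned char fill)
{
    if (outcap < 4 + (size_t)len)
        return 0;
    out[0] = (unsigned char)(len >> 24);
    out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);
    out[3] = (unsigned char)len;
    memset(out + 4, fill, len);
    return 4 + (size_t)len;
}

/* Run three constructed scenarios; returns how many behaved as expected (3). */
int run_demo(void)
{
    static unsigned char pkt[4 + 2048];
    struct ktext auth;
    int ok = 0;
    size_t n;

    /* A small ticket is accepted. */
    n = build_packet(pkt, sizeof pkt, 64, 0x41);
    ok += (ticket_from_packet(&auth, pkt, n) == 0 && auth.length == 64);

    /* A ticket larger than the buffer is rejected before any copy. */
    n = build_packet(pkt, sizeof pkt, 2000, 0x41);
    ok += (ticket_from_packet(&auth, pkt, n) == -2);

    /* A length prefix larger than the packet itself is rejected. */
    pkt[0] = 0xff; pkt[1] = 0xff; pkt[2] = 0xff; pkt[3] = 0xff;
    ok += (ticket_from_packet(&auth, pkt, 8) == -1);

    return ok;
}

int main(void)
{
    printf("scenarios behaving as expected: %d of 3\n", run_demo()); /* prints 3 */
    return 0;
}
```

Two details worth noting when writing this kind of check: the comparison has to be against the destination buffer's size, not the sender's declared length, and the length type should be unsigned so that a negative value cannot satisfy a signed comparison and then be widened for memcpy.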
