Home page logo

bugtraq logo Bugtraq mailing list archives

Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches
From: Dug Song <dugsong () MONKEY ORG>
Date: Tue, 30 Jan 2001 13:54:39 -0500

A remotely exploitable buffer overflow in the Kerberos ticket handling
code in the old SSH AFS / Kerberos v4 ssh-1.2.2x series of patches was
reported by Jouko Pynnonen <jouko () solutions fi> on December 10, 2000.

This was actually fixed during our initial audit and integration of
the AFS / Kerberos v4 support in OpenSSH back in September 1999:

1.5  (dugsong  29-Sep-99):    if (auth.length <  MAX_KTXT_LEN)
1.5  (dugsong  29-Sep-99):       memcpy(auth.dat, kdata, auth.length);

but the fixes were, to my discredit, never backported to the
deprecated ssh-1.2.2x series of patches, originally available from


Users on the ssh-afs () umich edu mailing list were notified of this
vulnerability on December 10, 2000, and Bjoern Groenvall released an
updated version of ossh (from which OpenSSH was originally derived)
on January 4, 2001.

Any AFS / Kerberos v4 sites still using the old ssh-1.2.2x patches
(there shouldn't be any left, hopefully) should upgrade to OpenSSH:




  By Date           By Thread  

Current thread:
  • Buffer overflow in old ssh-1.2.2x-afs-kerberosv4 patches Dug Song (Jan 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]