MITKRB5-SA-2003-001: Multiple vulnerabilities in old releases of MIT Kerberos

Dick Joltes djoltes at
Tue Feb 11 12:12:59 EST 2003

By any chance does someone have code diffs for items 2 through 4
available?  I could really use this information, as simply folding
the latest release into our DCE simply isn't an option.


Dick Joltes
Staff Software Engineer, IBM DCE L3 Maintenance
djoltes at or djoltes at


At 03:58 PM 03-02-03 -0600, Bill Dodd wrote:

>Does anyone remember these 4 problems and their fixes well enough to
>summarize where and/or what the fixes are? We have our Kerberos product
>merged up to the 1.2.5 code, so I'm not worried about that. But I'm
>trying to help one of our DCE folks figure out what areas of code to
>look at to see if any of these fixes apply to the KDC code in the DCE
>Problem 1: KDC null pointer dereferences
>     I don't recall where the fixes were for this.
>Problem 2: realm transit checks
>     I DO know where these fixes are.
>Problem 3: format strings
>     I vaguely remember this. Seems like there were some klog() or
>     krb5_klog_syslog() calls that printed a principal string directly
>     without using a "%s" format string. But poking around in some
>     older trees I was unable to find the offending calls. Anyone
>     remember more specifically where these calls were or which release
>     they were fixed in?
>Problem 4: bounds checking on data sizes
>     I recall a fix to asn1_get_length(). Were there others?


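As an added illustration of the bounds checking Problem 4 refers to (a fix in asn1_get_length()), the following DER length decoder was written for this thread and is not code from the MIT tree; the function and error names (der_get_length, ASN1_OVERRUN, ASN1_BAD_LENGTH) are this example's own, and it does not reproduce the specific MIT change. It shows the two checks such a decoder needs: the length bytes themselves must be inside the buffer, and the length they announce must fit in what remains.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for this example's decoder (not krb5 identifiers). */
enum { ASN1_OK = 0, ASN1_OVERRUN = 1, ASN1_BAD_LENGTH = 2 };

/*
 * Decode a DER length field at buf[0] with `avail` bytes remaining.
 *   short form: 0x00..0x7f           -> that value is the length
 *   long form:  0x80|n, n in 1..4    -> n big-endian length bytes follow
 * On success *len is the content length and *hdr the size of the length
 * field; on error nothing is consumed and a non-zero code is returned.
 */
int der_get_length(const uint8_t *buf, size_t avail, size_t *len, size_t *hdr)
{
    if (avail < 1)
        return ASN1_OVERRUN;                 /* not even the first byte */
    uint8_t first = buf[0];
    if (first < 0x80) {                      /* short form */
        *len = first;
        *hdr = 1;
    } else {
        size_t n = first & 0x7f;
        if (n == 0 || n > 4)
            return ASN1_BAD_LENGTH;          /* indefinite form or absurd width */
        if (avail < 1 + n)
            return ASN1_OVERRUN;             /* length bytes run past the buffer */
        if (buf[1] == 0 || (n == 1 && buf[1] < 0x80))
            return ASN1_BAD_LENGTH;          /* DER requires minimal encoding */
        size_t v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];       /* n <= 4, so v fits in 32 bits */
        *len = v;
        *hdr = 1 + n;
    }
    /* The announced content must lie entirely within the bytes we hold. */
    if (*len > avail - *hdr)
        return ASN1_OVERRUN;
    return ASN1_OK;
}

int main(void)
{
    /* Constructed input: header says 256 bytes follow, but none do. */
    static const uint8_t truncated[] = { 0x82, 0x01, 0x00 };
    size_t len = 0, hdr = 0;
    int rc = der_get_length(truncated, sizeof truncated, &len, &hdr);
    printf("rc=%d (1 = overrun rejected)\n", rc);
    return rc == ASN1_OVERRUN ? 0 : 1;
}
```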