MITKRB5-SA-2003-001: Multiple vulnerabilities in old releases of MIT Kerberos

Matt Crawford crawdad at fnal.gov
Tue Feb 11 15:33:03 EST 2003


Item 2 may be just this:

diff -c -r1.1.1.5 -r1.1.1.6
*** kdc_util.c  29 Jan 2003 18:57:52 -0000      1.1.1.5
--- kdc_util.c  29 Jan 2003 20:11:09 -0000      1.1.1.6
***************
*** 806,812 ****
        goto fail;
      }
      strcat(trans, current);
!     new_trans->length = strlen(trans) + 1;
  
      strncpy(prev, exp, sizeof(prev) - 1);
      prev[sizeof(prev) - 1] = '\0';
--- 806,812 ----
        goto fail;
      }
      strcat(trans, current);
!     new_trans->length = strlen(trans);
  
      strncpy(prev, exp, sizeof(prev) - 1);
      prev[sizeof(prev) - 1] = '\0';
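Review bot: With `new_trans->length = strlen(trans);` the recorded length no longer counts the terminating NUL, yet `trans` is still built with `strcat` and so still carries one, and nothing in the hunk states that convention. I would add a comment above the assignment such as `/* length excludes the trailing NUL; the buffer itself stays NUL-terminated */` so that a later reader does not restore the `+ 1` or assume `length` bytes include a terminator. The same applies to the identical assignment in the hunk at line 834. The size check that guards the `strcat` ends in the `goto fail` shown as context but begins outside the hunk, so it should be confirmed that it still leaves room for the terminator.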
***************
*** 834,840 ****
        goto fail;
      }
      strcat(trans, realm);
!     new_trans->length = strlen(trans) + 1;
    }
  
    retval = 0;
--- 834,840 ----
        goto fail;
      }
      strcat(trans, realm);
!     new_trans->length = strlen(trans);
    }
  
    retval = 0;


Item 3
All throughout kdc/kerberos_v4.c, but maybe there were others I had
already fixed locally.

Item 4
src/lib/krb5/asn.1/asn1_get.c,v
retrieving revision 1.1.1.4
retrieving revision 1.1.1.5
diff -c -r1.1.1.4 -r1.1.1.5
*** asn1_get.c  12 Mar 2001 21:01:22 -0000      1.1.1.4
--- asn1_get.c  29 Jan 2003 19:12:45 -0000      1.1.1.5
***************
*** 57,63 ****
       asn1_tagnum *tagnum;
       int *retlen;
  {
-   asn1_error_code retval;
    int indef;
  
    return asn1_get_tag_indef(buf, class, construction, tagnum, retlen, &indef);
--- 57,62 ----
***************
*** 143,148 ****
--- 142,149 ----
        if(retval) return retval;
        len = (len<<8) + (int)o;
      }
+     if (len < 0)
+       return ASN1_OVERRUN;
      if (indef != NULL && !len)
        *indef = 1;
      if(retlen != NULL) *retlen = len;
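Review bot: The added `if (len < 0)` test runs only after the accumulation loop, so it depends on `len = (len<<8) + (int)o;` wrapping to a negative value; signed overflow is undefined behaviour, and with enough length octets the value could also wrap back to a non-negative number and pass the check. The bound is safer inside the loop before the shift, e.g. `if (len > (INT_MAX >> 8)) return ASN1_OVERRUN;` (this needs `<limits.h>`), with the post-loop check kept as a backstop. The loop header and any limit on the number of length octets lie outside the hunk, so the number of possible iterations should be confirmed there.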

