The following are patches against 1.0.7-beta1 (roughly). The most critical ones are: appl/bsd/krshd.c lib/krb4/rd_req.c lib/krb5/krb/conv_princ.c The rest are not as important but you may wish to apply them anyway out of paranoia. To apply these, save this page to disk, cd to the top of your source tree and run patch, e.g. cd /usr/local/src/krb5-1.0.7-beta1/src patch -p0 < /tmp/krb4buf10x_patch.txt Index: appl/bsd/krshd.c =================================================================== RCS file: /cvs/krbdev/krb5/src/appl/bsd/krshd.c,v retrieving revision 5.66.2.6 diff -c -r5.66.2.6 krshd.c *** appl/bsd/krshd.c 1999/03/09 00:27:31 5.66.2.6 --- appl/bsd/krshd.c 2000/04/29 02:58:52 *************** *** 1469,1483 **** strcpy((char *) cmdbuf + offst, kprogdir); cp = copy + 3 + offst; if (auth_sys == KRB5_RECVAUTH_V4) { ! strcat(cmdbuf, "/v4rcp"); } else { ! strcat(cmdbuf, "/rcp"); } if (stat((char *)cmdbuf + offst, &s) >= 0) ! strcat(cmdbuf, cp); else ! strcpy(cmdbuf, copy); free(copy); } #endif --- 1469,1484 ---- strcpy((char *) cmdbuf + offst, kprogdir); cp = copy + 3 + offst; + cmdbuf[sizeof(cmdbuf) - 1] = '\0'; if (auth_sys == KRB5_RECVAUTH_V4) { ! strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf)); } else { ! strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf)); } if (stat((char *)cmdbuf + offst, &s) >= 0) ! strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf)); else ! strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf)); free(copy); } #endif Index: lib/krb4/kuserok.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb4/kuserok.c,v retrieving revision 1.3 diff -c -r1.3 kuserok.c *** lib/krb4/kuserok.c 1996/01/27 06:06:22 1.3 --- lib/krb4/kuserok.c 2000/04/29 02:59:02 *************** *** 115,122 **** if ((pwd = getpwnam(luser)) == NULL) { return(NOTOK); } ! (void) strcpy(pbuf, pwd->pw_dir); ! 
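Review bot: In the else branch the bound `sizeof(cmdbuf) - 1 - strlen(cmdbuf)` is the space left after the current contents, but this strncpy restarts at cmdbuf[0], so when `copy` is longer than that bound the copy stops short and, since strncpy does not terminate a truncated copy, the tail of the path just built stays in the buffer and becomes part of the string presumably executed later. The bound for a fresh copy is `strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1);`, which the terminator written at cmdbuf[sizeof(cmdbuf) - 1] above then covers. Separately, all four bounded calls here truncate silently and the shortened command is still used; refusing the request when the assembled path would not fit is the safer outcome for a server-side command buffer. The enclosing function starts and ends outside this hunk, and whether `copy` can exceed cmdbuf depends on code not shown.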
(void) strcat(pbuf, "/.klogin"); if (access(pbuf, F_OK)) { /* not accessible */ /* --- 115,125 ---- if ((pwd = getpwnam(luser)) == NULL) { return(NOTOK); } ! if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf)) ! return NOTOK; ! (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); ! pbuf[sizeof(pbuf) - 1] = '\0'; ! (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf)); if (access(pbuf, F_OK)) { /* not accessible */ /* Index: lib/krb4/rd_req.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb4/rd_req.c,v retrieving revision 1.4 diff -c -r1.4 rd_req.c *** lib/krb4/rd_req.c 1996/02/24 14:29:26 1.4 --- lib/krb4/rd_req.c 2000/04/29 02:59:02 *************** *** 155,160 **** --- 155,162 ---- Kerberos used to encrypt ticket */ int status; + tkt->mbz = req_id->mbz = 0; + if (authent->length <= 0) return(RD_AP_MODIFIED); *************** *** 190,197 **** mutual = 0; #endif /* lint */ s_kvno = *ptr++; /* get server key version */ ! (void) strcpy(realm,ptr); /* And the realm of the issuing KDC */ ! ptr += strlen(ptr) + 1; /* skip the realm "hint" */ /* * If "fn" is NULL, key info should already be set; don't --- 192,200 ---- mutual = 0; #endif /* lint */ s_kvno = *ptr++; /* get server key version */ ! (void) strncpy(realm,ptr,REALM_SZ); /* And the realm of the issuing KDC */ ! realm[REALM_SZ-1] = '\0'; ! ptr += strlen(realm) + 1; /* skip the realm "hint" */ /* * If "fn" is NULL, key info should already be set; don't *************** *** 277,289 **** #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED); ptr = (char *) req_id->dat; ! (void) strcpy(r_aname,ptr); /* Authentication name */ ptr += strlen(r_aname)+1; check_ptr(); ! (void) strcpy(r_inst,ptr); /* Authentication instance */ ptr += strlen(r_inst)+1; check_ptr(); ! 
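Review bot: The guard `strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf)` rejects one valid length: sizeof("/.klogin") already counts the NUL, so a home directory whose .klogin path exactly fills pbuf would fit, and `>` is the exact test. With the guard in place the strncpy/strncat bounds below it only duplicate the check, and the original strcpy/strcat would read more clearly under it. Returning NOTOK on an over-long path is the right outcome; the lib/krb5/os/kuserok.c hunk later in this patch truncates instead and would benefit from the same guard. The enclosing function starts and ends outside this hunk.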
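Review bot: After the forced terminator `realm[REALM_SZ-1] = '\0'`, the skip `ptr += strlen(realm) + 1` advances by at most REALM_SZ, so a realm field longer than REALM_SZ-1 bytes leaves ptr inside that field instead of past its NUL and every field parsed after it is misaligned; the original `strlen(ptr)` skipped the whole field. A field that does not fit is a malformed request and should be rejected rather than shortened: `if (strlen(ptr) >= REALM_SZ) return(RD_AP_MODIFIED);` before the copy, keeping `ptr += strlen(ptr) + 1`. That `strlen(ptr)` scan presumably stays inside the structure only because of the `tkt->mbz = req_id->mbz = 0` added in the 155 hunk — confirm that mbz sits directly after dat. The 277-289 hunk has the same pattern for r_aname, r_inst and r_realm, where silently shortening a name that is then used as the authenticated identity is the larger concern. The enclosing function starts and ends outside this hunk.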
(void) strcpy(r_realm,ptr); /* Authentication name */ ptr += strlen(r_realm)+1; check_ptr(); memcpy((char *)&ad->checksum, ptr, 4); /* Checksum */ --- 280,295 ---- #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED); ptr = (char *) req_id->dat; ! (void) strncpy(r_aname,ptr,ANAME_SZ); /* Authentication name */ ! r_aname[ANAME_SZ-1] = '\0'; ptr += strlen(r_aname)+1; check_ptr(); ! (void) strncpy(r_inst,ptr,INST_SZ); /* Authentication instance */ ! r_inst[INST_SZ-1] = '\0'; ptr += strlen(r_inst)+1; check_ptr(); ! (void) strncpy(r_realm,ptr,REALM_SZ); /* Authentication name */ ! r_realm[REALM_SZ-1] = '\0'; ptr += strlen(r_realm)+1; check_ptr(); memcpy((char *)&ad->checksum, ptr, 4); /* Checksum */ Index: lib/krb5/krb/conv_princ.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/conv_princ.c,v retrieving revision 1.19.8.1 diff -c -r1.19.8.1 conv_princ.c *** lib/krb5/krb/conv_princ.c 1999/02/07 00:52:01 1.19.8.1 --- lib/krb5/krb/conv_princ.c 2000/04/29 02:59:04 *************** *** 243,249 **** if (retval == 0 && full_name && full_name[0]) { instance = full_name[0]; } else { ! strcpy(buf, instance); retval = krb5_get_realm_domain(context, realm, &domain); if (retval) return retval; --- 243,250 ---- if (retval == 0 && full_name && full_name[0]) { instance = full_name[0]; } else { ! strncpy(buf, instance, sizeof(buf)); ! buf[sizeof(buf) - 1] = '\0'; retval = krb5_get_realm_domain(context, realm, &domain); if (retval) return retval; *************** *** 251,258 **** for (cp = domain; *cp; cp++) if (isupper(*cp)) *cp = tolower(*cp); ! strcat(buf, "."); ! strcat(buf, domain); krb5_xfree(domain); } instance = buf; --- 252,259 ---- for (cp = domain; *cp; cp++) if (isupper(*cp)) *cp = tolower(*cp); ! strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); ! 
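Review bot: `strncpy(buf, instance, sizeof(buf))` plus the forced terminator turns an instance that does not fit into a shorter host name, and the 251-258 hunk then appends `.` and the domain with whatever room is left, possibly none, so the principal built from buf can name a different host than the input rather than failing. Because the function already propagates krb5_error_code values, checking the total length and returning an error is the safer outcome: after domain is obtained, `if (strlen(instance) + 1 + strlen(domain) >= sizeof(buf)) { krb5_xfree(domain); return ERR_CODE_PLACEHOLDER; }` (placeholder: use the malformed-name code this module already uses), with the copy of instance moved after that check. The enclosing function starts and ends outside this hunk, and the declared size of buf is not visible here.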
strncat(buf, domain, sizeof(buf) - 1 - strlen(buf)); krb5_xfree(domain); } instance = buf; Index: lib/krb5/os/kuserok.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/kuserok.c,v retrieving revision 5.19 diff -c -r5.19 kuserok.c *** lib/krb5/os/kuserok.c 1996/06/12 05:15:02 5.19 --- lib/krb5/os/kuserok.c 2000/04/29 02:59:04 *************** *** 77,84 **** if ((pwd = getpwnam(luser)) == NULL) { return(FALSE); } ! (void) strcpy(pbuf, pwd->pw_dir); ! (void) strcat(pbuf, "/.k5login"); if (access(pbuf, F_OK)) { /* not accessible */ /* --- 77,85 ---- if ((pwd = getpwnam(luser)) == NULL) { return(FALSE); } ! (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); ! pbuf[sizeof(pbuf) - 1] = '\0'; ! (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf)); if (access(pbuf, F_OK)) { /* not accessible */ /* Index: lib/krb5/posix/syslog.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/posix/syslog.c,v retrieving revision 5.7 diff -c -r5.7 syslog.c *** lib/krb5/posix/syslog.c 1996/06/12 05:16:04 5.7 --- lib/krb5/posix/syslog.c 2000/04/29 02:59:04 *************** *** 115,121 **** (void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4); for (p = tbuf; *p; ++p); if (LogTag) { ! (void)strcpy(p, LogTag); for (; *p; ++p); } if (LogStat & LOG_PID) { --- 115,121 ---- (void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4); for (p = tbuf; *p; ++p); if (LogTag) { ! (void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf)); for (; *p; ++p); } if (LogStat & LOG_PID) { *************** *** 146,151 **** --- 146,156 ---- } (void)vsprintf(p, fmt_cpy, ap); + /* Bounds checking?? If a system doesn't have syslog, we + probably can't rely on it having vsnprintf either. Try not + to let a buffer overrun be exploited. 
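Review bot: Unlike the lib/krb4/kuserok.c hunk, this one has no length guard, so a home directory that does not fit is silently cut and `/.k5login` is appended to the truncated prefix, possibly cut itself; access() and whatever follows then operate on a path that is not the user's .k5login. A truncated path can name a different file, so the authorization decision should not proceed on it: `if (strlen(pwd->pw_dir) + sizeof("/.k5login") > sizeof(pbuf)) return(FALSE);` before the copy, mirroring the krb4 change. The enclosing function starts and ends outside this hunk, so what happens when access() fails is not visible here.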
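Review bot: `strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf))` leaves no terminator when LogTag fills the remaining space, and tbuf[sizeof(tbuf) - 1] is not set until the 169-175 hunk, so the following `for (; *p; ++p);` can scan past the end of tbuf. Add `tbuf[sizeof(tbuf) - 1] = '\0';` right after the strncpy (or before the sprintf at the top of the hunk) so the scan always stops inside the buffer. LogTag is presumably the ident passed to openlog rather than message data, but the scan must still be bounded. The enclosing function starts and ends outside this hunk.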
*/ + if (strlen (tbuf) >= sizeof (tbuf)) + abort (); /* output the message to the local logger */ if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 || *************** *** 169,175 **** if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0) return; (void)alarm((u_int)0); ! (void)strcat(tbuf, "\r"); p = strchr(tbuf, '>') + 1; (void)write(fd, p, cnt + 1 - (p - tbuf)); (void)close(fd); --- 174,181 ---- if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0) return; (void)alarm((u_int)0); ! tbuf[sizeof(tbuf) - 1] = '\0'; ! (void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf)); p = strchr(tbuf, '>') + 1; (void)write(fd, p, cnt + 1 - (p - tbuf)); (void)close(fd);
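Review bot: The `strlen (tbuf) >= sizeof (tbuf)` test runs after `vsprintf(p, fmt_cpy, ap)` has already written past tbuf, so it is a detector rather than a guard: by the time abort() is reached whatever sits beyond tbuf on the stack is already overwritten, and the strlen itself reads beyond the array. The added comment says as much; where vsnprintf exists on the build, the fallback should use it, `vsnprintf(p, sizeof(tbuf) - (p - tbuf), fmt_cpy, ap)`, treat a return value at or above that size as truncation, and keep the abort only for the path with no vsnprintf. The enclosing function starts and ends outside this hunk, so the surrounding #ifdef structure is not visible here.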
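Review bot: `cnt` was computed before the `\r` is appended, so when strncat has no room left (tbuf already full) the `write(fd, p, cnt + 1 - (p - tbuf))` sends the terminating NUL to the console in place of the carriage return. Recompute after the append — `cnt = strlen(tbuf);` then `(void)write(fd, p, cnt - (p - tbuf));` (or a separate local if cnt is used later) — so the length always matches what is in the buffer. The enclosing function starts and ends outside this hunk.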