Date: Wed, 12 Jul 2017 08:07:16 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r320910 - releng/11.1/crypto/heimdal/lib/krb5 Message-ID: <201707120807.v6C87GIi057560@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Jul 12 08:07:16 2017 New Revision: 320910 URL: https://svnweb.freebsd.org/changeset/base/320910 Log: MFS r320907: MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103. In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103 Approved by: re (kib) Modified: releng/11.1/crypto/heimdal/lib/krb5/ticket.c Directory Properties: releng/11.1/ (props changed) Modified: releng/11.1/crypto/heimdal/lib/krb5/ticket.c ============================================================================== --- releng/11.1/crypto/heimdal/lib/krb5/ticket.c Wed Jul 12 07:31:28 2017 (r320909) +++ releng/11.1/crypto/heimdal/lib/krb5/ticket.c Wed Jul 12 08:07:16 2017 (r320910) @@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201707120807.v6C87GIi057560>