Date:      Wed, 12 Jul 2017 07:26:07 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r320907 - in stable: 10/crypto/heimdal/lib/krb5 11/crypto/heimdal/lib/krb5
Message-ID:  <201707120726.v6C7Q78c041105@repo.freebsd.org>

Author: delphij
Date: Wed Jul 12 07:26:07 2017
New Revision: 320907
URL: https://svnweb.freebsd.org/changeset/base/320907

Log:
  MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.
  
  In _krb5_extract_ticket() the KDC-REP service name must be obtained from
  encrypted version stored in 'enc_part' instead of the unencrypted version
  stored in 'ticket'.  Use of the unencrypted version provides an
  opportunity for successful server impersonation and other attacks.
  
  Submitted by:	hrs
  Obtained from:	Heimdal
  Security:	FreeBSD-SA-17:05.heimdal
  Security:	CVE-2017-11103

Modified:
  stable/11/crypto/heimdal/lib/krb5/ticket.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/10/crypto/heimdal/lib/krb5/ticket.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/11/crypto/heimdal/lib/krb5/ticket.c
==============================================================================
--- stable/11/crypto/heimdal/lib/krb5/ticket.c	Wed Jul 12 07:19:06 2017	(r320906)
+++ stable/11/crypto/heimdal/lib/krb5/ticket.c	Wed Jul 12 07:26:07 2017	(r320907)
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
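
Review bot: the comment above the changed call ("check server referral and save principal") still does not say why the name and realm must come from rep->enc_part, so a later cleanup could switch back to rep->kdc_rep.ticket.sname without noticing the security impact. Suggest extending that comment to state that the copy in kdc_rep.ticket is unencrypted and must not be trusted for this check, as the log message explains. The realm field also changes name from ticket.realm to enc_part.srealm, which is easy to miss on a re-merge from upstream. It is also worth confirming that nothing later in _krb5_extract_ticket(), including the block guarded by EXTRACT_TICKET_ALLOW_SERVER_MISMATCH that begins on the last context line, still reads the service name from kdc_rep.ticket, since the hunk does not show the rest of the function.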


