Date:      Fri, 9 Jun 2017 15:57:30 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r443016 - in head/security/heimdal: . files
Message-ID:  <201706091557.v59FvUnK054219@repo.freebsd.org>

Author: feld
Date: Fri Jun  9 15:57:30 2017
New Revision: 443016
URL: https://svnweb.freebsd.org/changeset/ports/443016

Log:
  security/heimdal: Backport security fix
  
  PR:		219657
  MFH:		2017Q2
  Security:	CVE-2017-6594

Added:
  head/security/heimdal/files/patch-CVE-2017-6594   (contents, props changed)
Modified:
  head/security/heimdal/Makefile

Modified: head/security/heimdal/Makefile
==============================================================================
--- head/security/heimdal/Makefile	Fri Jun  9 15:50:39 2017	(r443015)
+++ head/security/heimdal/Makefile	Fri Jun  9 15:57:30 2017	(r443016)
@@ -3,7 +3,7 @@
 
 PORTNAME=	heimdal
 PORTVERSION=	7.1.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security ipv6
 MASTER_SITES=	http://www.h5l.org/dist/src/ \
 		http://ftp.pdc.kth.se/pub/heimdal/src/ \

Added: head/security/heimdal/files/patch-CVE-2017-6594
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/heimdal/files/patch-CVE-2017-6594	Fri Jun  9 15:57:30 2017	(r443016)
@@ -0,0 +1,168 @@
+diff -ru NEWS NEWS
+--- NEWS	2016-11-29 01:35:27.000000000 +0000
++++ NEWS	2017-06-03 15:23:36.264325000 +0000
+@@ -1,4 +1,18 @@
+-Release Notes - Heimdal - Version Heimdal 1.6
++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
++
++ Security
++
++ - Fix transit path validation.  Commit f469fc6 (2010-10-02) inadvertently
++   caused the previous hop realm to not be added to the transit path
++   of issued tickets.  This may, in some cases, enable bypass of capath
++   policy in Heimdal versions 1.5 through 7.2.
++
++   Note, this may break sites that rely on the bug.  With the bug some
++   incomplete [capaths] worked, that should not have.  These may now break
++   authentication in some cross-realm configurations.
++   (CVE-2017-6594)
++
++Release Notes - Heimdal - Version Heimdal 7.1
+ 
+  Security
+  - ...
+diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
+--- kdc/krb5tgs.c	2016-11-29 01:35:27.000000000 +0000
++++ kdc/krb5tgs.c	2017-06-03 15:23:36.271738000 +0000
+@@ -655,8 +655,12 @@
+ 		  "Decoding transited encoding");
+ 	return ret;
+     }
++
++    /*
++     * If the realm of the presented tgt is neither the client nor the server
++     * realm, it is a transit realm and must be added to transited set.
++     */
+     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+-	/* not us, so add the previous realm to transited set */
+ 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ 	    ret = ERANGE;
+ 	    goto free_realms;
+@@ -737,6 +741,7 @@
+ 	       const char *server_name,
+ 	       hdb_entry_ex *client,
+ 	       krb5_principal client_principal,
++               const char *tgt_realm,
+ 	       hdb_entry_ex *krbtgt,
+ 	       krb5_enctype krbtgt_etype,
+ 	       krb5_principals spp,
+@@ -798,7 +803,7 @@
+ 				 &tgt->transited, &et,
+ 				 krb5_principal_get_realm(context, client_principal),
+ 				 krb5_principal_get_realm(context, server->entry.principal),
+-				 krb5_principal_get_realm(context, krbtgt->entry.principal));
++				 tgt_realm);
+     if(ret)
+ 	goto out;
+ 
+@@ -1519,6 +1524,8 @@
+     krb5_keyblock sessionkey;
+     krb5_kvno kvno;
+     krb5_data rspac;
++    const char *tgt_realm = /* Realm of TGT issuer */
++        krb5_principal_get_realm(context, krbtgt->entry.principal);
+     const char *our_realm = /* Realm of this KDC */
+         krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
+     char **capath = NULL;
+@@ -2324,6 +2331,7 @@
+ 			 spn,
+ 			 client,
+ 			 cp,
++                         tgt_realm,
+ 			 krbtgt_out,
+ 			 tkey_sign->key.keytype,
+ 			 spp,
+diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
+--- tests/kdc/check-kdc.in	2016-12-14 18:01:18.000000000 +0000
++++ tests/kdc/check-kdc.in	2017-06-03 15:23:36.276571000 +0000
+@@ -53,6 +53,7 @@
+ R5=SOME-REALM5.FR
+ R6=SOME-REALM6.US
+ R7=SOME-REALM7.UK
++R8=SOME-REALM8.UK
+ 
+ H1=H1.$R
+ H2=H2.$R
+@@ -152,6 +153,12 @@
+     init \
+     --realm-max-ticket-life=1day \
+     --realm-max-renewable-life=1month \
++    ${R8} || exit 1
++
++${kadmin} \
++    init \
++    --realm-max-ticket-life=1day \
++    --realm-max-renewable-life=1month \
+     ${H1} || exit 1
+ 
+ ${kadmin} \
+@@ -191,6 +198,7 @@
+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+@@ -249,6 +257,9 @@
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+ 
++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
++
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+ 
+@@ -284,6 +295,7 @@
+ ${kadmin5} check ${R5} || exit 1
+ ${kadmin} check ${R6} || exit 1
+ ${kadmin} check ${R7} || exit 1
++${kadmin} check ${R8} || exit 1
+ ${kadmin} check ${H1} || exit 1
+ ${kadmin} check ${H2} || exit 1
+ ${kadmin} check ${H3} || exit 1
+@@ -388,6 +400,8 @@
+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with capaths for $R -> $R7"
+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
++echo "Should not get x-realm tickets with capaths for $R -> $R8"
++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ 
+ echo "Testing capaths logic (reverse order)"
+@@ -418,10 +432,13 @@
+ 
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ 
+ echo "Testing multi-hop [capaths] referral logic"
+diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
+--- tests/kdc/krb5.conf.in	2016-11-29 01:35:28.000000000 +0000
++++ tests/kdc/krb5.conf.in	2017-06-03 15:23:36.278848000 +0000
+@@ -40,6 +40,9 @@
+ 	SOME-REALM7.UK = {
+ 		kdc = localhost:@port@
+ 	}
++	SOME-REALM8.UK = {
++		kdc = localhost:@port@
++	}
+ 	TEST-HTTP.H5L.SE = {
+ 		kdc = http/localhost:@port@
+ 	}
+@@ -147,6 +150,7 @@
+ 		SOME-REALM6.US = SOME-REALM5.FR
+ 		SOME-REALM7.UK = SOME-REALM6.US
+ 		SOME-REALM7.UK = SOME-REALM5.FR
++		SOME-REALM8.UK = SOME-REALM6.US
+ 	}
+         H4.H2.TEST.H5L.SE = {
+                 H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
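Review bot: In tgs_build_reply the new `tgt_realm` parameter takes the place of the value the old code derived from `krbtgt->entry.principal`, and the call site in the `tkey_sign` hunk binds that `krbtgt` parameter to `krbtgt_out`, so nothing in the signature records that `tgt_realm` must describe the issuer of the presented TGT rather than the outgoing krbtgt; a comment on the added parameter, `const char *tgt_realm, /* realm that issued the presented TGT; NOT krbtgt_out's realm */`, would keep a later refactor from reintroducing the transit-path omission. The two added lines `const char *tgt_realm,` and `tgt_realm,` are indented with spaces while every neighbouring line uses tabs. The NEWS heading `Version Heimdal 7.1.0,2 (FreeBSD port)` does not agree with the Makefile's bump to PORTREVISION 3 (which yields 7.1.0_3), so either the port-local version label should be dropped or aligned with the revision. The added `fgrep "cross-realm ${H3} -> ${H1} via [...]" messages.log` checks presume the 7.1.0 KDC already emits that log line, which this patch does not add, so it is worth confirming on the backport target before relying on them. The enclosing functions in kdc/krb5tgs.c start and end outside the hunks.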


