From owner-svn-ports-all@freebsd.org Fri Jun 9 15:57:32 2017
Message-Id: <201706091557.v59FvUnK054219@repo.freebsd.org>
From: Mark Felder
Date: Fri, 9 Jun 2017 15:57:30 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r443016 - in head/security/heimdal: . files
X-SVN-Group: ports-head

Author: feld
Date: Fri Jun 9 15:57:30 2017
New Revision: 443016

URL: https://svnweb.freebsd.org/changeset/ports/443016

Log:
  security/heimdal: Backport security fix

  PR:		219657
  MFH:		2017Q2
  Security:	CVE-2017-6594

Added:
  head/security/heimdal/files/patch-CVE-2017-6594   (contents, props changed)
Modified:
  head/security/heimdal/Makefile

Modified: head/security/heimdal/Makefile ============================================================================== --- head/security/heimdal/Makefile Fri Jun 9 15:50:39 2017 (r443015) +++ head/security/heimdal/Makefile Fri Jun 9 15:57:30 2017 (r443016) @@ -3,7 +3,7 @@ PORTNAME= heimdal PORTVERSION= 7.1.0 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security ipv6 MASTER_SITES= http://www.h5l.org/dist/src/ \ http://ftp.pdc.kth.se/pub/heimdal/src/ \ Added: head/security/heimdal/files/patch-CVE-2017-6594 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/heimdal/files/patch-CVE-2017-6594 Fri Jun 9 15:57:30 2017 (r443016)
@@ -0,0 +1,168 @@ +diff -ru NEWS NEWS +--- NEWS 2016-11-29 01:35:27.000000000 +0000 ++++ NEWS 2017-06-03 15:23:36.264325000 +0000 +@@ -1,4 +1,18 @@ +-Release Notes - Heimdal - Version Heimdal 1.6 ++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port) ++ ++ Security ++ ++ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently ++ caused the previous hop realm to not be added to the transit path ++ of issued tickets. This may, in some cases, enable bypass of capath ++ policy in Heimdal versions 1.5 through 7.2. ++ ++ Note, this may break sites that rely on the bug. With the bug some ++ incomplete [capaths] worked, that should not have. These may now break ++ authentication in some cross-realm configurations. ++ (CVE-2017-6594) ++ ++Release Notes - Heimdal - Version Heimdal 7.1 + + Security + - ... +diff -ru kdc/krb5tgs.c kdc/krb5tgs.c +--- kdc/krb5tgs.c 2016-11-29 01:35:27.000000000 +0000 ++++ kdc/krb5tgs.c 2017-06-03 15:23:36.271738000 +0000 +@@ -655,8 +655,12 @@ + "Decoding transited encoding"); + return ret; + } ++ ++ /* ++ * If the realm of the presented tgt is neither the client nor the server ++ * realm, it is a transit realm and must be added to transited set. 
++ */ + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { +- /* not us, so add the previous realm to transited set */ + if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { + ret = ERANGE; + goto free_realms; +@@ -737,6 +741,7 @@ + const char *server_name, + hdb_entry_ex *client, + krb5_principal client_principal, ++ const char *tgt_realm, + hdb_entry_ex *krbtgt, + krb5_enctype krbtgt_etype, + krb5_principals spp, +@@ -798,7 +803,7 @@ + &tgt->transited, &et, + krb5_principal_get_realm(context, client_principal), + krb5_principal_get_realm(context, server->entry.principal), +- krb5_principal_get_realm(context, krbtgt->entry.principal)); ++ tgt_realm); + if(ret) + goto out; + +@@ -1519,6 +1524,8 @@ + krb5_keyblock sessionkey; + krb5_kvno kvno; + krb5_data rspac; ++ const char *tgt_realm = /* Realm of TGT issuer */ ++ krb5_principal_get_realm(context, krbtgt->entry.principal); + const char *our_realm = /* Realm of this KDC */ + krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1); + char **capath = NULL; +@@ -2324,6 +2331,7 @@ + spn, + client, + cp, ++ tgt_realm, + krbtgt_out, + tkey_sign->key.keytype, + spp, +diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in +--- tests/kdc/check-kdc.in 2016-12-14 18:01:18.000000000 +0000 ++++ tests/kdc/check-kdc.in 2017-06-03 15:23:36.276571000 +0000 +@@ -53,6 +53,7 @@ + R5=SOME-REALM5.FR + R6=SOME-REALM6.US + R7=SOME-REALM7.UK ++R8=SOME-REALM8.UK + + H1=H1.$R + H2=H2.$R +@@ -152,6 +153,12 @@ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ ++ ${R8} || exit 1 ++ ++${kadmin} \ ++ init \ ++ --realm-max-ticket-life=1day \ ++ --realm-max-renewable-life=1month \ + ${H1} || exit 1 + + ${kadmin} \ +@@ -191,6 +198,7 @@ + ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1 + ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1 + ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1 ++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1 + ${kadmin} add -p foo 
--use-defaults foo@${H1} || exit 1 + ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1 + ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1 +@@ -249,6 +257,9 @@ + ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1 + ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1 + ++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1 ++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1 ++ + ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1 + ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1 + +@@ -284,6 +295,7 @@ + ${kadmin5} check ${R5} || exit 1 + ${kadmin} check ${R6} || exit 1 + ${kadmin} check ${R7} || exit 1 ++${kadmin} check ${R8} || exit 1 + ${kadmin} check ${H1} || exit 1 + ${kadmin} check ${H2} || exit 1 + ${kadmin} check ${H3} || exit 1 +@@ -388,6 +400,8 @@ + ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; } + echo "Getting x-realm tickets with capaths for $R -> $R7" + ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } ++echo "Should not get x-realm tickets with capaths for $R -> $R8" ++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Testing capaths logic (reverse order)" +@@ -418,10 +432,13 @@ + + echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1" + ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; } ++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } + echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R" + ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; } ++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } + echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2" + ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval 
"${testfailed}"; } ++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Testing multi-hop [capaths] referral logic" +diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in +--- tests/kdc/krb5.conf.in 2016-11-29 01:35:28.000000000 +0000 ++++ tests/kdc/krb5.conf.in 2017-06-03 15:23:36.278848000 +0000 +@@ -40,6 +40,9 @@ + SOME-REALM7.UK = { + kdc = localhost:@port@ + } ++ SOME-REALM8.UK = { ++ kdc = localhost:@port@ ++ } + TEST-HTTP.H5L.SE = { + kdc = http/localhost:@port@ + } +@@ -147,6 +150,7 @@ + SOME-REALM6.US = SOME-REALM5.FR + SOME-REALM7.UK = SOME-REALM6.US + SOME-REALM7.UK = SOME-REALM5.FR ++ SOME-REALM8.UK = SOME-REALM6.US + } + H4.H2.TEST.H5L.SE = { + H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
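Review bot: the header the NEWS hunk (`@@ -1,4 +1,18 @@`) introduces, "Version Heimdal 7.1.0,2 (FreeBSD port)", does not match what the Makefile hunk ships: PORTREVISION goes from 2 to 3, so the package is 7.1.0_3, and no PORTEPOCH is visible in the changed lines, so the ",2" has no obvious source. Prefer a version-free label such as "(FreeBSD port patch for CVE-2017-6594)" so the entry does not go stale on the next revision bump. Two further points on the same hunk: it silently rewrites the upstream header "Version Heimdal 1.6" to "Version Heimdal 7.1", which is a correction unrelated to the CVE and worth a mention in the log; and since the entry itself warns that "this may break sites that rely on the bug" with incomplete [capaths], users upgrading the package will never read the patched NEWS file, so that warning belongs in the commit log or a ports UPDATING entry as well.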
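Review bot: the call-site change in `@@ -798,7 +803,7 @@` of kdc/krb5tgs.c is the actual fix, yet no comment in the C hunks says why the old argument was wrong, and the NEWS entry only attributes the regression to commit f469fc6. From the visible lines: the removed argument `krb5_principal_get_realm(context, krbtgt->entry.principal)` is evaluated inside tgs_make_reply, whose `krbtgt` parameter is bound to `krbtgt_out` at the call site shown in `@@ -2324,6 +2331,7 @@`, i.e. the outgoing cross-realm krbtgt rather than the TGT the client presented; the replacement `tgt_realm` is computed in the caller from its own `krbtgt` entry (`@@ -1519,6 +1524,8 @@`, annotated `/* Realm of TGT issuer */`). A one-line comment to that effect next to the new `const char *tgt_realm` parameter in the prototype hunk (`@@ -737,6 +741,7 @@`) would stop the next reader from having to reconstruct this.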
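Review bot: `tgt_realm` in `@@ -1519,6 +1524,8 @@` is a borrowed `const char *` into `krbtgt->entry.principal`, not a copy, and it is only consumed by the tgs_make_reply call roughly 800 lines later (`@@ -2324,6 +2331,7 @@`). The patch therefore relies on `krbtgt` staying allocated across everything in between; worth confirming that no path frees or replaces that entry before the call. The adjacent `our_realm` is obtained from the same principal in the same way, so the pattern is at least consistent with existing code.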
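Review bot: the negative check added in `@@ -388,6 +400,8 @@` of tests/kdc/check-kdc.in, `${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }`, passes whenever kgetcred fails for any reason, including an unreachable KDC, a broken R8 principal or a typo in the new setup lines, so it cannot tell "rejected by transit policy" from "test environment broken". Pair it with a match on the rejection the KDC writes to messages.log, the way the hierarchical-referral hunk later in the same file does with fgrep, so the test only passes when the path was refused for the expected reason.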
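Review bot: the three `fgrep ... messages.log` lines in `@@ -418,10 +432,13 @@` are right to use fixed-string matching, since the patterns contain `[`, `]` and `,` that a regex grep would interpret, but `fgrep` is deprecated in GNU grep in favour of `grep -F`; if this test script is expected to run on Linux hosts too, `grep -F` gives the same literal match without the deprecation warning. Also note the third pattern, `"cross-realm ${H3} -> ${H2}"`, has no `via [...]` part and so matches any line naming that realm pair; that is weaker than the other two checks and may be intentional (a direct hop), but a short comment saying so would help.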
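Review bot: the new `SOME-REALM8.UK = SOME-REALM6.US` line in `@@ -147,6 +150,7 @@` of tests/kdc/krb5.conf.in is deliberately incomplete compared with the two SOME-REALM7.UK entries just above it (via SOME-REALM6.US and via SOME-REALM5.FR); that missing hop is exactly what makes the "Should not get x-realm tickets with capaths for $R -> $R8" check meaningful. Add a comment in krb5.conf.in stating that the path is intentionally incomplete, otherwise a later cleanup that "completes" it by adding the SOME-REALM5.FR hop will make the negative check fail with no obvious reason.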