From owner-svn-src-vendor@freebsd.org Wed Jul 12 07:13:58 2017 Return-Path: Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 46F7BDB4A12; Wed, 12 Jul 2017 07:13:58 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 154F47C578; Wed, 12 Jul 2017 07:13:58 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v6C7DvW1037047; Wed, 12 Jul 2017 07:13:57 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v6C7Dvgm037046; Wed, 12 Jul 2017 07:13:57 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201707120713.v6C7Dvgm037046@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Wed, 12 Jul 2017 07:13:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r320905 - vendor-crypto/heimdal/dist/lib/krb5 X-SVN-Group: vendor-crypto X-SVN-Commit-Author: delphij X-SVN-Commit-Paths: vendor-crypto/heimdal/dist/lib/krb5 X-SVN-Commit-Revision: 320905 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Jul 2017 07:13:58 -0000 Author: delphij Date: Wed Jul 12 07:13:56 2017 New Revision: 320905 URL: https://svnweb.freebsd.org/changeset/base/320905 Log: Import upstream fix for CVE-2017-11103: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c Submitted by: hrs Obtained from: https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Security: CVE-2017-11103 Security: FreeBSD-SA-17:05.heimdal Modified: vendor-crypto/heimdal/dist/lib/krb5/ticket.c Modified: vendor-crypto/heimdal/dist/lib/krb5/ticket.c ============================================================================== --- vendor-crypto/heimdal/dist/lib/krb5/ticket.c Wed Jul 12 07:00:56 2017 (r320904) +++ vendor-crypto/heimdal/dist/lib/krb5/ticket.c Wed Jul 12 07:13:56 2017 (r320905) @@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){