86 lines
2.9 KiB
Diff
86 lines
2.9 KiB
Diff
|
Fix CVE-2017-6594:
|
||
|
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
|
||
|
https://security-tracker.debian.org/tracker/CVE-2017-6594
|
||
|
|
||
|
Patch lifted from upstream source repository:
|
||
|
|
||
|
https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
|
||
|
|
||
|
To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
|
||
|
files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
|
||
|
|
||
|
From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
|
||
|
From: Viktor Dukhovni <viktor@twosigma.com>
|
||
|
Date: Wed, 10 Aug 2016 23:31:14 +0000
|
||
|
Subject: [PATCH] Fix transit path validation CVE-2017-6594
|
||
|
|
||
|
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
|
||
|
to not be added to the transit path of issued tickets. This may, in
|
||
|
some cases, enable bypass of capath policy in Heimdal versions 1.5
|
||
|
through 7.2.
|
||
|
|
||
|
Note, this may break sites that rely on the bug. With the bug some
|
||
|
incomplete [capaths] worked, that should not have. These may now break
|
||
|
authentication in some cross-realm configurations.
|
||
|
---
|
||
|
NEWS | 14 ++++++++++++++
|
||
|
kdc/krb5tgs.c | 12 ++++++++++--
|
||
|
tests/kdc/check-kdc.in | 17 +++++++++++++++++
|
||
|
tests/kdc/krb5.conf.in | 4 ++++
|
||
|
4 files changed, 45 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
|
||
|
index 6048b9c55..98503812f 100644
|
||
|
--- a/kdc/krb5tgs.c
|
||
|
+++ b/kdc/krb5tgs.c
|
||
|
@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
|
||
|
"Decoding transited encoding");
|
||
|
return ret;
|
||
|
}
|
||
|
+
|
||
|
+ /*
|
||
|
+ * If the realm of the presented tgt is neither the client nor the server
|
||
|
+ * realm, it is a transit realm and must be added to transited set.
|
||
|
+ */
|
||
|
if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
|
||
|
- /* not us, so add the previous realm to transited set */
|
||
|
if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
|
||
|
ret = ERANGE;
|
||
|
goto free_realms;
|
||
|
@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
|
||
|
const char *server_name,
|
||
|
hdb_entry_ex *client,
|
||
|
krb5_principal client_principal,
|
||
|
+ const char *tgt_realm,
|
||
|
hdb_entry_ex *krbtgt,
|
||
|
krb5_enctype krbtgt_etype,
|
||
|
krb5_principals spp,
|
||
|
@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
|
||
|
&tgt->transited, &et,
|
||
|
krb5_principal_get_realm(context, client_principal),
|
||
|
krb5_principal_get_realm(context, server->entry.principal),
|
||
|
- krb5_principal_get_realm(context, krbtgt->entry.principal));
|
||
|
+ tgt_realm);
|
||
|
if(ret)
|
||
|
goto out;
|
||
|
|
||
|
@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
|
||
|
krb5_keyblock sessionkey;
|
||
|
krb5_kvno kvno;
|
||
|
krb5_data rspac;
|
||
|
+ const char *tgt_realm = /* Realm of TGT issuer */
|
||
|
+ krb5_principal_get_realm(context, krbtgt->entry.principal);
|
||
|
|
||
|
@@ -2324,6 +2331,7 @@ server_lookup:
|
||
|
spn,
|
||
|
client,
|
||
|
cp,
|
||
|
+ tgt_realm,
|
||
|
krbtgt_out,
|
||
|
tkey_sign->key.keytype,
|
||
|
spp,
|
||
|
--
|
||
|
2.13.3
|
||
|
|