46 lines
1.6 KiB
Diff
Fix CVE-2017-11103:

https://orpheus-lyre.info/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
https://security-tracker.debian.org/tracker/CVE-2017-11103

Patch lifted from upstream source repository:

https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea

From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Wed, 12 Apr 2017 15:40:42 -0400
Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
---
lib/krb5/ticket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
index d95d96d1b..b8d81c6ad 100644
--- a/lib/krb5/ticket.c
+++ b/lib/krb5/ticket.c
@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
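Review bot: the comment above the changed call, `/* check server referral and save principal */`, should be extended to state that the name is deliberately taken from `rep->enc_part.sname` / `rep->enc_part.srealm` and why: the cleartext `rep->kdc_rep.ticket.sname` / `.realm` fields sit in the part of the KDC-REP the client cannot authenticate, whereas `enc_part` is protected by the key the client shares with the KDC, so the comparison guarded by `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` is only meaningful against the encrypted copy. Without that comment a later cleanup could "simplify" the call back to the ticket fields and silently reintroduce the issue. The diffstat shows only `lib/krb5/ticket.c` touched; a regression test that feeds `_krb5_extract_ticket()` a KDC-REP whose cleartext ticket sname differs from the enc_part sname, and asserts that extraction fails when `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` is clear, would pin the fixed behaviour down.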
--
2.13.3