Author: delphij
Date: Wed Jul 12 07:19:06 2017
New Revision: 320906
URL: https://svnweb.freebsd.org/changeset/base/320906

Log:
  MFV r320905: Import upstream fix for CVE-2017-11103.
  
  In _krb5_extract_ticket() the KDC-REP service name must be obtained from
  encrypted version stored in 'enc_part' instead of the unencrypted version
  stored in 'ticket'.  Use of the unencrypted version provides an
  opportunity for successful server impersonation and other attacks.
  
  Submitted by:	hrs
  Obtained from:	Heimdal
  Security:	FreeBSD-SA-17:05.heimdal
  Security:	CVE-2017-11103

Modified:
  head/crypto/heimdal/lib/krb5/ticket.c
Directory Properties:
  head/crypto/heimdal/   (props changed)

Modified: head/crypto/heimdal/lib/krb5/ticket.c
==============================================================================
--- head/crypto/heimdal/lib/krb5/ticket.c       Wed Jul 12 07:13:56 2017        
(r320905)
+++ head/crypto/heimdal/lib/krb5/ticket.c       Wed Jul 12 07:19:06 2017        
(r320906)
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
                                              &tmp_principal,
-                                             rep->kdc_rep.ticket.sname,
-                                             rep->kdc_rep.ticket.realm);
+                                             rep->enc_part.sname,
+                                             rep->enc_part.srealm);
     if (ret)
        goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
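Review bot: The substitution of rep->enc_part.sname / rep->enc_part.srealm for rep->kdc_rep.ticket.sname / rep->kdc_rep.ticket.realm is the right source for the server principal, because enc_part is the portion of the KDC-REP decrypted under the client's key, whereas the ticket's outer sname/realm travel in the clear and can be rewritten by anyone on the path; the server-mismatch check under EXTRACT_TICKET_ALLOW_SERVER_MISMATCH that follows is only meaningful when it compares against the encrypted copy. Two things worth tightening in the same hunk: the field naming differs between the two structures (ticket.realm versus enc_part.srealm), so a short comment such as "/* sname/srealm MUST come from the encrypted part, never from the cleartext ticket */" above the call would stop a later refactor from quietly reverting to the cleartext fields; and since this path now depends on the enc_part being fully decoded before it is read, it would be good to confirm that every caller of _krb5_extract_ticket() reaches line 713 only after enc_part has been decrypted and decoded, and that no other comparison in this function still reads rep->kdc_rep.ticket.sname.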
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all