git: aac9dda7f844 - releng/13.3 - Heimdal: Fix transit path validation CVE-2017-6594
Date: Wed, 21 Feb 2024 14:01:53 UTC
The branch releng/13.3 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=aac9dda7f8446c2c3badecb9fa3473ab008ee59b commit aac9dda7f8446c2c3badecb9fa3473ab008ee59b Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2024-02-14 19:56:18 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2024-02-21 14:01:48 +0000 Heimdal: Fix transit path validation CVE-2017-6594 Apply upstream b1e699103. This fixes a bug introduced by upstream f469fc6 which may in some cases enable bypass of capath policy. Upstream writes in their commit log: Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. Reported by: emaste Security: CVE-2017-6594 Obtained from: upstream b1e699103 MFS requested by: re (cperciva Approved by: re (cperciva) (cherry picked from commit f8041e3628bd70cf5562a9c13eb3d6af8463e720) (cherry picked from commit 9a7121454dc0f68af2687699d5feabf736692fa6)
---
 crypto/heimdal/kdc/krb5tgs.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/crypto/heimdal/kdc/krb5tgs.c b/crypto/heimdal/kdc/krb5tgs.c
index 19d669798830..cde869522e23 100644
--- a/crypto/heimdal/kdc/krb5tgs.c
+++ b/crypto/heimdal/kdc/krb5tgs.c
@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
 "Decoding transited encoding");
 return ret;
 }
+
+ /*
+ * If the realm of the presented tgt is neither the client nor the server
+ * realm, it is a transit realm and must be added to transited set.
+ */
 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
- /* not us, so add the previous realm to transited set */
 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
 ret = ERANGE;
 goto free_realms;
@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context, const char *server_name, hdb_entry_ex *client, krb5_principal client_principal, + const char *tgt_realm, hdb_entry_ex *krbtgt, krb5_enctype krbtgt_etype, krb5_principals spp, @@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context, &tgt->transited, &et, krb5_principal_get_realm(context, client_principal), krb5_principal_get_realm(context, server->entry.principal), - krb5_principal_get_realm(context, krbtgt->entry.principal)); + tgt_realm); if(ret) goto out; @@ -1494,6 +1499,8 @@ tgs_build_reply(krb5_context context, krb5_keyblock sessionkey; krb5_kvno kvno; krb5_data rspac; + const char *tgt_realm = /* Realm of TGT issuer */ + krb5_principal_get_realm(context, krbtgt->entry.principal); hdb_entry_ex *krbtgt_out = NULL; @@ -2240,6 +2247,7 @@ server_lookup: spn, client, cp, + tgt_realm, krbtgt_out, krbtgt_etype, spp,
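Review bot: The new `tgt_realm` parameter of tgs_make_reply (hunk at -737) sits directly before `krbtgt`, and nothing tells a caller that the two may name different realms. The removed line in the -798 hunk derived the realm from that `krbtgt` argument, and the call site in the last hunk passes `krbtgt_out` there, so the distinction appears to be the whole point of the fix. A comment above the function would pin the contract, for example `/* tgt_realm: realm of the krbtgt that issued the presented TGT; must be non-NULL and must not be derived from the krbtgt argument */`. The value reaches `strcmp()` in fix_transited_encoding unchecked, so the non-NULL requirement is worth stating. The signature and body of tgs_make_reply start and end outside the hunk.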
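Review bot: In the -1494 hunk the initializer of `tgt_realm` dereferences `krbtgt->entry.principal` in the declaration block of tgs_build_reply, so it relies on `krbtgt` being valid on entry; the hunk does not show that, as the function starts and ends outside it. The inline comment `/* Realm of TGT issuer */` also does not say why the realm is captured here rather than taken from `krbtgt_out` at the call site. I would expand it to `/* Realm of the krbtgt that issued the presented TGT; do not use krbtgt_out here (CVE-2017-6594) */`. Since the commit message warns that incomplete [capaths] configurations may stop working, a regression test for a cross-realm request that must now be rejected would keep the stricter check from being loosened again.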