svn commit: r443017 - in branches/2017Q2/security/heimdal: . files

Mark Felder feld at FreeBSD.org
Fri Jun 9 15:58:14 UTC 2017


Author: feld
Date: Fri Jun  9 15:58:13 2017
New Revision: 443017
URL: https://svnweb.freebsd.org/changeset/ports/443017

Log:
  MFH: r443016
  
  security/heimdal: Backport security fix
  
  PR:		219657
  Security:	CVE-2017-6594
  
  Approved by:	ports-secteam (with hat)

Added:
  branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594
     - copied unchanged from r443016, head/security/heimdal/files/patch-CVE-2017-6594
Modified:
  branches/2017Q2/security/heimdal/Makefile
Directory Properties:
  branches/2017Q2/   (props changed)

Modified: branches/2017Q2/security/heimdal/Makefile
==============================================================================
--- branches/2017Q2/security/heimdal/Makefile	Fri Jun  9 15:57:30 2017	(r443016)
+++ branches/2017Q2/security/heimdal/Makefile	Fri Jun  9 15:58:13 2017	(r443017)
@@ -3,7 +3,7 @@
 
 PORTNAME=	heimdal
 PORTVERSION=	7.1.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security ipv6
 MASTER_SITES=	http://www.h5l.org/dist/src/ \
 		http://ftp.pdc.kth.se/pub/heimdal/src/ \

Copied: branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594 (from r443016, head/security/heimdal/files/patch-CVE-2017-6594)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594	Fri Jun  9 15:58:13 2017	(r443017, copy of r443016, head/security/heimdal/files/patch-CVE-2017-6594)
@@ -0,0 +1,168 @@
+diff -ru NEWS NEWS
+--- NEWS	2016-11-29 01:35:27.000000000 +0000
++++ NEWS	2017-06-03 15:23:36.264325000 +0000
+@@ -1,4 +1,18 @@
+-Release Notes - Heimdal - Version Heimdal 1.6
++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
++
++ Security
++
++ - Fix transit path validation.  Commit f469fc6 (2010-10-02) inadvertently
++   caused the previous hop realm to not be added to the transit path
++   of issued tickets.  This may, in some cases, enable bypass of capath
++   policy in Heimdal versions 1.5 through 7.2.
++
++   Note, this may break sites that rely on the bug.  With the bug some
++   incomplete [capaths] worked, that should not have.  These may now break
++   authentication in some cross-realm configurations.
++   (CVE-2017-6594)
++
++Release Notes - Heimdal - Version Heimdal 7.1
+ 
+  Security
+  - ...
+diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
+--- kdc/krb5tgs.c	2016-11-29 01:35:27.000000000 +0000
++++ kdc/krb5tgs.c	2017-06-03 15:23:36.271738000 +0000
+@@ -655,8 +655,12 @@
+ 		  "Decoding transited encoding");
+ 	return ret;
+     }
++
++    /*
++     * If the realm of the presented tgt is neither the client nor the server
++     * realm, it is a transit realm and must be added to transited set.
++     */
+     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+-	/* not us, so add the previous realm to transited set */
+ 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ 	    ret = ERANGE;
+ 	    goto free_realms;
+@@ -737,6 +741,7 @@
+ 	       const char *server_name,
+ 	       hdb_entry_ex *client,
+ 	       krb5_principal client_principal,
++               const char *tgt_realm,
+ 	       hdb_entry_ex *krbtgt,
+ 	       krb5_enctype krbtgt_etype,
+ 	       krb5_principals spp,
+@@ -798,7 +803,7 @@
+ 				 &tgt->transited, &et,
+ 				 krb5_principal_get_realm(context, client_principal),
+ 				 krb5_principal_get_realm(context, server->entry.principal),
+-				 krb5_principal_get_realm(context, krbtgt->entry.principal));
++				 tgt_realm);
+     if(ret)
+ 	goto out;
+ 
+@@ -1519,6 +1524,8 @@
+     krb5_keyblock sessionkey;
+     krb5_kvno kvno;
+     krb5_data rspac;
++    const char *tgt_realm = /* Realm of TGT issuer */
++        krb5_principal_get_realm(context, krbtgt->entry.principal);
+     const char *our_realm = /* Realm of this KDC */
+         krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
+     char **capath = NULL;
+@@ -2324,6 +2331,7 @@
+ 			 spn,
+ 			 client,
+ 			 cp,
++                         tgt_realm,
+ 			 krbtgt_out,
+ 			 tkey_sign->key.keytype,
+ 			 spp,
+diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
+--- tests/kdc/check-kdc.in	2016-12-14 18:01:18.000000000 +0000
++++ tests/kdc/check-kdc.in	2017-06-03 15:23:36.276571000 +0000
+@@ -53,6 +53,7 @@
+ R5=SOME-REALM5.FR
+ R6=SOME-REALM6.US
+ R7=SOME-REALM7.UK
++R8=SOME-REALM8.UK
+ 
+ H1=H1.$R
+ H2=H2.$R
+@@ -152,6 +153,12 @@
+     init \
+     --realm-max-ticket-life=1day \
+     --realm-max-renewable-life=1month \
++    ${R8} || exit 1
++
++${kadmin} \
++    init \
++    --realm-max-ticket-life=1day \
++    --realm-max-renewable-life=1month \
+     ${H1} || exit 1
+ 
+ ${kadmin} \
+@@ -191,6 +198,7 @@
+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+@@ -249,6 +257,9 @@
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+ 
++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
++
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+ 
+@@ -284,6 +295,7 @@
+ ${kadmin5} check ${R5} || exit 1
+ ${kadmin} check ${R6} || exit 1
+ ${kadmin} check ${R7} || exit 1
++${kadmin} check ${R8} || exit 1
+ ${kadmin} check ${H1} || exit 1
+ ${kadmin} check ${H2} || exit 1
+ ${kadmin} check ${H3} || exit 1
+@@ -388,6 +400,8 @@
+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with capaths for $R -> $R7"
+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
++echo "Should not get x-realm tickets with capaths for $R -> $R8"
++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ 
+ echo "Testing capaths logic (reverse order)"
+@@ -418,10 +432,13 @@
+ 
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ 
+ echo "Testing multi-hop [capaths] referral logic"
+diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
+--- tests/kdc/krb5.conf.in	2016-11-29 01:35:28.000000000 +0000
++++ tests/kdc/krb5.conf.in	2017-06-03 15:23:36.278848000 +0000
+@@ -40,6 +40,9 @@
+ 	SOME-REALM7.UK = {
+ 		kdc = localhost:@port@
+ 	}
++	SOME-REALM8.UK = {
++		kdc = localhost:@port@
++	}
+ 	TEST-HTTP.H5L.SE = {
+ 		kdc = http/localhost:@port@
+ 	}
+@@ -147,6 +150,7 @@
+ 		SOME-REALM6.US = SOME-REALM5.FR
+ 		SOME-REALM7.UK = SOME-REALM6.US
+ 		SOME-REALM7.UK = SOME-REALM5.FR
++		SOME-REALM8.UK = SOME-REALM6.US
+ 	}
+         H4.H2.TEST.H5L.SE = {
+                 H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
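Review bot: The NEWS entry this patch adds labels the backport `Version Heimdal 7.1.0,2 (FreeBSD port)`, which does not agree with the Makefile hunk in the same commit that sets PORTREVISION=3; in FreeBSD's version form that package is `7.1.0_3`, so the line should read `Release Notes - Heimdal - Version Heimdal 7.1.0_3 (FreeBSD port)` or omit the revision. The two added parameter lines `const char *tgt_realm,` in the kdc/krb5tgs.c hunks are indented with spaces while the neighbouring parameter lines use tabs, so re-indenting them with a tab keeps future rediffs of this vendored patch clean. The new `fgrep "cross-realm ... via [...]" messages.log` checks in check-kdc.in depend on a KDC log line whose format is not touched by this patch and is presumably emitted by existing 7.1.0 code — worth confirming locally so the backported test does not fail on a format mismatch. The enclosing functions of the krb5tgs.c hunks begin and end outside the visible hunks.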

