svn commit: r320910 - releng/11.1/crypto/heimdal/lib/krb5
Xin LI
delphij at FreeBSD.org
Wed Jul 12 08:07:17 UTC 2017
Author: delphij
Date: Wed Jul 12 08:07:16 2017
New Revision: 320910
URL: https://svnweb.freebsd.org/changeset/base/320910
Log:
MFS r320907: MFC r320906: MFV r320905: Import upstream fix for
CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained
from encrypted version stored in 'enc_part' instead of the unencrypted
version stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Submitted by: hrs
Obtained from: Heimdal
Security: FreeBSD-SA-17:05.heimdal
Security: CVE-2017-11103
Approved by: re (kib)
Modified:
releng/11.1/crypto/heimdal/lib/krb5/ticket.c
Directory Properties:
releng/11.1/ (props changed)
Modified: releng/11.1/crypto/heimdal/lib/krb5/ticket.c
==============================================================================
--- releng/11.1/crypto/heimdal/lib/krb5/ticket.c Wed Jul 12 07:31:28 2017 (r320909)
+++ releng/11.1/crypto/heimdal/lib/krb5/ticket.c Wed Jul 12 08:07:16 2017 (r320910)
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
More information about the svn-src-releng
mailing list