svn commit: r320907 - in stable: 10/crypto/heimdal/lib/krb5 11/crypto/heimdal/lib/krb5
Xin LI
delphij at FreeBSD.org
Wed Jul 12 07:26:09 UTC 2017
Author: delphij
Date: Wed Jul 12 07:26:07 2017
New Revision: 320907
URL: https://svnweb.freebsd.org/changeset/base/320907
Log:
MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Submitted by: hrs
Obtained from: Heimdal
Security: FreeBSD-SA-17:05.heimdal
Security: CVE-2017-11103
Modified:
stable/10/crypto/heimdal/lib/krb5/ticket.c
Directory Properties:
stable/10/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/11/crypto/heimdal/lib/krb5/ticket.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/10/crypto/heimdal/lib/krb5/ticket.c
==============================================================================
--- stable/10/crypto/heimdal/lib/krb5/ticket.c Wed Jul 12 07:19:06 2017 (r320906)
+++ stable/10/crypto/heimdal/lib/krb5/ticket.c Wed Jul 12 07:26:07 2017 (r320907)
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
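Review bot: the comment above the changed call, "check server referral and save principal", does not record why the name must come from rep->enc_part rather than rep->kdc_rep.ticket. The log message says the ticket copy is unencrypted and that using it allows server impersonation, so a short comment at the _krb5_principalname2krb5_principal() call stating that sname and srealm are taken from the encrypted part on purpose would keep a later cleanup from switching back to the ticket fields. The visible context also does not show whether anything else in _krb5_extract_ticket() still reads rep->kdc_rep.ticket.sname or rep->kdc_rep.ticket.realm for a trust decision, including the EXTRACT_TICKET_ALLOW_SERVER_MISMATCH branch that follows; that is worth confirming against the full file.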