svn commit: r320905 - vendor-crypto/heimdal/dist/lib/krb5

[Xin LI]

Author: delphij
Date: Wed Jul 12 07:13:56 2017
New Revision: 320905
URL: https://svnweb.freebsd.org/changeset/base/320905

Log:
  Import upstream fix for CVE-2017-11103:
  
  	CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
  	In _krb5_extract_ticket() the KDC-REP service name must be obtained from
  	encrypted version stored in 'enc_part' instead of the unencrypted version
  	stored in 'ticket'.  Use of the unecrypted version provides an
  	opportunity for successful server impersonation and other attacks.
  
  	Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
  
  	Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
  
  Submitted by:	hrs
  Obtained from:	https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
  Security:	CVE-2017-11103
  Security:	FreeBSD-SA-17:05.heimdal

Modified:
  vendor-crypto/heimdal/dist/lib/krb5/ticket.c

Modified: vendor-crypto/heimdal/dist/lib/krb5/ticket.c
==============================================================================
--- vendor-crypto/heimdal/dist/lib/krb5/ticket.c	Wed Jul 12 07:00:56 2017	(r320904)
+++ vendor-crypto/heimdal/dist/lib/krb5/ticket.c	Wed Jul 12 07:13:56 2017	(r320905)
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){