mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-25 03:54:17 +01:00
MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103
This commit is contained in:
commit
49426905b3
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=320906
@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
|
||||
/* check server referral and save principal */
|
||||
ret = _krb5_principalname2krb5_principal (context,
|
||||
&tmp_principal,
|
||||
rep->kdc_rep.ticket.sname,
|
||||
rep->kdc_rep.ticket.realm);
|
||||
rep->enc_part.sname,
|
||||
rep->enc_part.srealm);
|
||||
if (ret)
|
||||
goto out;
|
||||
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
|
||||
|
Loading…
Reference in New Issue
Block a user