hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-12-26 04:54:07 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

MFV r320905: Import upstream fix for CVE-2017-11103.

Browse Source 
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Submitted by:	hrs
Obtained from:	Heimdal
Security:	FreeBSD-SA-17:05.heimdal
Security:	CVE-2017-11103
This commit is contained in:
Xin LI 2017-07-12 07:19:06 +00:00
commit 49426905b3
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=320906
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/heimdal/lib/krb5/ticket.c
View File

@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */ /* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context, ret = _krb5_principalname2krb5_principal (context,
&tmp_principal, &tmp_principal,
rep->kdc_rep.ticket.sname, rep->enc_part.sname,
rep->kdc_rep.ticket.realm); rep->enc_part.srealm);
if (ret) if (ret)
goto out; goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){