MFV r320905: Import upstream fix for CVE-2017-11103.

In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103
2017-07-12 07:19:06 +00:00 · 2017-07-12 07:19:06 +00:00 · 49426905b3
commit 49426905b3
parent a8d7b9d3bb f52d4664e3
1 changed files with 2 additions and 2 deletions
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
    /* check server referral and save principal */
    ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
    if (ret)
 	goto out;
    if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){