d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import upstream fix for CVE-2017-11103:

Browse Source 
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
	In _krb5_extract_ticket() the KDC-REP service name must be obtained from
	encrypted version stored in 'enc_part' instead of the unencrypted version
	stored in 'ticket'.  Use of the unecrypted version provides an
	opportunity for successful server impersonation and other attacks.

	Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

	Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c

Submitted by:	hrs
Obtained from:	6dd3eb836b
Security:	CVE-2017-11103
Security:	FreeBSD-SA-17:05.heimdal
This commit is contained in:
Xin LI 2017-07-12 07:13:56 +00:00
parent feec362185
commit f52d4664e3
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/krb5/ticket.c
View File

@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
rep->enc_part.sname,
rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){