me
/
guix
Archived
1
0
Fork 0
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues/pull-requests.
guix/gnu/packages/patches/heimdal-CVE-2017-11103.patch

46 lines
1.6 KiB
Diff

Fix CVE-2017-11103:
https://orpheus-lyre.info/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
https://security-tracker.debian.org/tracker/CVE-2017-11103
Patch lifted from upstream source repository:
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Wed, 12 Apr 2017 15:40:42 -0400
Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
---
lib/krb5/ticket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
index d95d96d1b..b8d81c6ad 100644
--- a/lib/krb5/ticket.c
+++ b/lib/krb5/ticket.c
@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
--
2.13.3