aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2017-07-12 08:07:16 +0000
committerXin LI <delphij@FreeBSD.org>2017-07-12 08:07:16 +0000
commitf29656e2ea6679cee2ce2178cc37b117c48d0a6a (patch)
treea03630872a4be9e342e738c46567a8e6d0fe4aae
parent2014d3d2489c5f7acaf4910265a0f342eebba4ab (diff)
downloadsrc-f29656e2ea6679cee2ce2178cc37b117c48d0a6a.tar.gz
src-f29656e2ea6679cee2ce2178cc37b117c48d0a6a.zip
MFS r320907: MFC r320906: MFV r320905: Import upstream fix for
CVE-2017-11103. In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103 Approved by: re (kib)
Notes
Notes: svn path=/releng/11.1/; revision=320910
-rw-r--r--crypto/heimdal/lib/krb5/ticket.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 4845a93d9446..5b6eabe2b0e0 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){