aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2017-07-12 07:26:07 +0000
committerXin LI <delphij@FreeBSD.org>2017-07-12 07:26:07 +0000
commitf18a38a40cf916f865e8af160591efb366cc9252 (patch)
treec8fd2567e8069ede79cad81eb125e7b5a1490ccd /crypto
parent5d22b53c6a3f5489268dbd8b72639de4b87c1944 (diff)
downloadsrc-f18a38a40cf916f865e8af160591efb366cc9252.tar.gz
src-f18a38a40cf916f865e8af160591efb366cc9252.zip
MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103
Notes
Notes: svn path=/stable/11/; revision=320907
Diffstat (limited to 'crypto')
-rw-r--r--crypto/heimdal/lib/krb5/ticket.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 4845a93d9446..5b6eabe2b0e0 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){