From 81c35029d4ee4fa7cd517998844229a514b35531 Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Thu, 20 Jul 2017 15:30:12 -0400 Subject: gnu: heimdal: Fix CVE-2017-{6594,11103}. * gnu/packages/patches/heimdal-CVE-2017-6594.patch, gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/kerberos.scm (heimdal)[source]: Use them. --- gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++ gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 +++++++++++++++++++++++ 2 files changed, 130 insertions(+) create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch create mode 100644 gnu/packages/patches/heimdal-CVE-2017-6594.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch new file mode 100644 index 0000000000..d76f0df369 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-11103: + +https://orpheus-lyre.info/ +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 +https://security-tracker.debian.org/tracker/CVE-2017-11103 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea + +From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001 +From: Jeffrey Altman +Date: Wed, 12 Apr 2017 15:40:42 -0400 +Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + +In _krb5_extract_ticket() the KDC-REP service name must be obtained from +encrypted version stored in 'enc_part' instead of the unencrypted version +stored in 'ticket'. Use of the unecrypted version provides an +opportunity for successful server impersonation and other attacks. + +Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. + +Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c +--- + lib/krb5/ticket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c +index d95d96d1b..b8d81c6ad 100644 +--- a/lib/krb5/ticket.c ++++ b/lib/krb5/ticket.c +@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ +-- +2.13.3 + diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch new file mode 100644 index 0000000000..714af60304 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch @@ -0,0 +1,85 @@ +Fix CVE-2017-6594: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594 +https://security-tracker.debian.org/tracker/CVE-2017-6594 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 + +To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and +files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified. + +From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Wed, 10 Aug 2016 23:31:14 +0000 +Subject: [PATCH] Fix transit path validation CVE-2017-6594 + +Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm +to not be added to the transit path of issued tickets. This may, in +some cases, enable bypass of capath policy in Heimdal versions 1.5 +through 7.2. + +Note, this may break sites that rely on the bug. With the bug some +incomplete [capaths] worked, that should not have. These may now break +authentication in some cross-realm configurations. +--- + NEWS | 14 ++++++++++++++ + kdc/krb5tgs.c | 12 ++++++++++-- + tests/kdc/check-kdc.in | 17 +++++++++++++++++ + tests/kdc/krb5.conf.in | 4 ++++ + 4 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c +index 6048b9c55..98503812f 100644 +--- a/kdc/krb5tgs.c ++++ b/kdc/krb5tgs.c +@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context, + "Decoding transited encoding"); + return ret; + } ++ ++ /* ++ * If the realm of the presented tgt is neither the client nor the server ++ * realm, it is a transit realm and must be added to transited set. ++ */ + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { +- /* not us, so add the previous realm to transited set */ + if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { + ret = ERANGE; + goto free_realms; +@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context, + const char *server_name, + hdb_entry_ex *client, + krb5_principal client_principal, ++ const char *tgt_realm, + hdb_entry_ex *krbtgt, + krb5_enctype krbtgt_etype, + krb5_principals spp, +@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context, + &tgt->transited, &et, + krb5_principal_get_realm(context, client_principal), + krb5_principal_get_realm(context, server->entry.principal), +- krb5_principal_get_realm(context, krbtgt->entry.principal)); ++ tgt_realm); + if(ret) + goto out; + +@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context, + krb5_keyblock sessionkey; + krb5_kvno kvno; + krb5_data rspac; ++ const char *tgt_realm = /* Realm of TGT issuer */ ++ krb5_principal_get_realm(context, krbtgt->entry.principal); + +@@ -2324,6 +2331,7 @@ server_lookup: + spn, + client, + cp, ++ tgt_realm, + krbtgt_out, + tkey_sign->key.keytype, + spp, +-- +2.13.3 + -- cgit 1.4.1