
(-)NEWS (-1 / +15 lines)
Lines 1-4 Link Here
1
Release Notes - Heimdal - Version Heimdal 1.6
1
Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
2
3
 Security
4
5
 - Fix transit path validation.  Commit f469fc6 (2010-10-02) inadvertently
6
   caused the previous hop realm to not be added to the transit path
7
   of issued tickets.  This may, in some cases, enable bypass of capath
8
   policy in Heimdal versions 1.5 through 7.2.
9
10
   Note, this may break sites that rely on the bug.  With the bug some
11
   incomplete [capaths] worked, that should not have.  These may now break
12
   authentication in some cross-realm configurations.
13
   (CVE-2017-6594)
14
15
Release Notes - Heimdal - Version Heimdal 7.1
2
16
3
 Security
17
 Security
4
 - ...
18
 - ...
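--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -655,8 +655,12 @@
 		  "Decoding transited encoding");
 	return ret;
     }
+
+    /*
+     * If the realm of the presented tgt is neither the client nor the server
+     * realm, it is a transit realm and must be added to transited set.
+     */
     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
-	/* not us, so add the previous realm to transited set */
 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
 	    ret = ERANGE;
 	    goto free_realms;
@@ -737,6 +741,7 @@
 	       const char *server_name,
 	       hdb_entry_ex *client,
 	       krb5_principal client_principal,
+               const char *tgt_realm,
 	       hdb_entry_ex *krbtgt,
 	       krb5_enctype krbtgt_etype,
 	       krb5_principals spp,
@@ -798,7 +803,7 @@
 				 &tgt->transited, &et,
 				 krb5_principal_get_realm(context, client_principal),
 				 krb5_principal_get_realm(context, server->entry.principal),
-				 krb5_principal_get_realm(context, krbtgt->entry.principal));
+				 tgt_realm);
     if(ret)
 	goto out;
 
@@ -1519,6 +1524,8 @@
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
+    const char *tgt_realm = /* Realm of TGT issuer */
+        krb5_principal_get_realm(context, krbtgt->entry.principal);
     const char *our_realm = /* Realm of this KDC */
         krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
     char **capath = NULL;
@@ -2324,6 +2331,7 @@
 			 spn,
 			 client,
 			 cp,
+                         tgt_realm,
 			 krbtgt_out,
 			 tkey_sign->key.keytype,
 			 spp,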
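Review bot: `tgs_make_reply` now takes `tgt_realm` (new line 744), but nothing at the signature says how it differs from the realm of the `krbtgt` argument, which is the distinction this fix rests on. The call site in the last hunk passes `krbtgt_out` for that argument, so a later cleanup that recomputes the realm from `krbtgt` would silently drop the previous hop from the transited set again. I would add a comment above the parameter such as `/* realm of the issuer of the presented TGT; must not be derived from krbtgt, which callers pass as krbtgt_out */`. The two added argument lines (new lines 744 and 2334) are also indented with spaces where the neighbouring lines use tabs. Both functions begin and end outside the hunks shown.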
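--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -53,6 +53,7 @@
 R5=SOME-REALM5.FR
 R6=SOME-REALM6.US
 R7=SOME-REALM7.UK
+R8=SOME-REALM8.UK
 
 H1=H1.$R
 H2=H2.$R
@@ -152,6 +153,12 @@
     init \
     --realm-max-ticket-life=1day \
     --realm-max-renewable-life=1month \
+    ${R8} || exit 1
+
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
     ${H1} || exit 1
 
 ${kadmin} \
@@ -191,6 +198,7 @@
 ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
 ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
 ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
 ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
 ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
 ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
@@ -249,6 +257,9 @@
 ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
 ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
 
+${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
+
 ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
 
@@ -284,6 +295,7 @@
 ${kadmin5} check ${R5} || exit 1
 ${kadmin} check ${R6} || exit 1
 ${kadmin} check ${R7} || exit 1
+${kadmin} check ${R8} || exit 1
 ${kadmin} check ${H1} || exit 1
 ${kadmin} check ${H2} || exit 1
 ${kadmin} check ${H3} || exit 1
@@ -388,6 +400,8 @@
 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
 echo "Getting x-realm tickets with capaths for $R -> $R7"
 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
+echo "Should not get x-realm tickets with capaths for $R -> $R8"
+${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
 echo "Testing capaths logic (reverse order)"
@@ -418,10 +432,13 @@
 
 echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
 ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
+fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
 echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
 ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
+fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
 echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
 ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
+fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
 echo "Testing multi-hop [capaths] referral logic"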
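Review bot: The negative check added at new line 404, `${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }`, passes on any kgetcred failure, so it would still pass if the request failed for a reason unrelated to the capath policy, such as a missing principal or key. The three positive checks in the last hunk already confirm the transit path through `messages.log`, and the R8 case should be pinned the same way, e.g. by following it with `fgrep "<KDC transit-policy rejection text>" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }`, where the placeholder stands for the message the KDC actually logs. If `messages.log` is not truncated between cases, the added `fgrep` checks could also be satisfied by an entry from an earlier request; that depends on setup outside these hunks and is worth confirming.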
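--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -40,6 +40,9 @@
 	SOME-REALM7.UK = {
 		kdc = localhost:@port@
 	}
+	SOME-REALM8.UK = {
+		kdc = localhost:@port@
+	}
 	TEST-HTTP.H5L.SE = {
 		kdc = http/localhost:@port@
 	}
@@ -147,6 +150,7 @@
 		SOME-REALM6.US = SOME-REALM5.FR
 		SOME-REALM7.UK = SOME-REALM6.US
 		SOME-REALM7.UK = SOME-REALM5.FR
+		SOME-REALM8.UK = SOME-REALM6.US
 	}
         H4.H2.TEST.H5L.SE = {
                 H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE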
