Gentoo's Bugzilla – Attachment 475900 Details for
Bug 621394
<app-crypt/heimdal-7.4.0: bypass of capath policy
[patch]
heimdal-7.1.0-CVE-2017-6594.patch
heimdal-7.1.0-CVE-2017-6594.patch (text/plain), 5.96 KB, created by
Andrey Ovcharov
on 2017-06-10 13:44:10 UTC
Description:
heimdal-7.1.0-CVE-2017-6594.patch
Creator:
Andrey Ovcharov
Created:
2017-06-10 13:44:10 UTC
Size:
5.96 KB
>diff -ru NEWS NEWS
>--- NEWS 2016-11-29 01:35:27.000000000 +0000
>+++ NEWS 2017-06-03 15:23:36.264325000 +0000
>@@ -1,4 +1,18 @@
>-Release Notes - Heimdal - Version Heimdal 1.6
>+Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
>+
>+ Security
>+
>+ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
>+ caused the previous hop realm to not be added to the transit path
>+ of issued tickets. This may, in some cases, enable bypass of capath
>+ policy in Heimdal versions 1.5 through 7.2.
>+
>+ Note, this may break sites that rely on the bug. With the bug some
>+ incomplete [capaths] worked, that should not have. These may now break
>+ authentication in some cross-realm configurations.
>+ (CVE-2017-6594)
>+
>+Release Notes - Heimdal - Version Heimdal 7.1
> 
> Security
> - ...
>diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
>--- kdc/krb5tgs.c 2016-11-29 01:35:27.000000000 +0000
>+++ kdc/krb5tgs.c 2017-06-03 15:23:36.271738000 +0000
>@@ -655,8 +655,12 @@
> "Decoding transited encoding");
> return ret;
> }
>+
>+ /*
>+ * If the realm of the presented tgt is neither the client nor the server
>+ * realm, it is a transit realm and must be added to transited set.
>+ */
> if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
>- /* not us, so add the previous realm to transited set */
> if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
> ret = ERANGE;
> goto free_realms;
>@@ -737,6 +741,7 @@
> const char *server_name,
> hdb_entry_ex *client,
> krb5_principal client_principal,
>+ const char *tgt_realm,
> hdb_entry_ex *krbtgt,
> krb5_enctype krbtgt_etype,
> krb5_principals spp,
>@@ -798,7 +803,7 @@
> &tgt->transited, &et,
> krb5_principal_get_realm(context, client_principal),
> krb5_principal_get_realm(context, server->entry.principal),
>- krb5_principal_get_realm(context, krbtgt->entry.principal));
>+ tgt_realm);
> if(ret)
> goto out;
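Review bot: The new `tgt_realm` parameter in the @@ -737 hunk sits directly before `krbtgt` with nothing saying that the two may name different realms, which is the distinction this fix depends on. The call site in the @@ -2324 hunk passes `krbtgt_out` as the entry, while `tgt_realm` is taken from `krbtgt` in the @@ -1519 hunk, so a later cleanup that re-derives the realm from the entry inside this function would silently restore the old behaviour. I would document the parameter where it is declared, e.g. `const char *tgt_realm, /* realm that issued the presented TGT; not derived from krbtgt */`. The signature starts and ends outside the hunk, so the function name and its remaining parameters are not visible here.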
> 
>@@ -1519,6 +1524,8 @@
> krb5_keyblock sessionkey;
> krb5_kvno kvno;
> krb5_data rspac;
>+ const char *tgt_realm = /* Realm of TGT issuer */
>+ krb5_principal_get_realm(context, krbtgt->entry.principal);
> const char *our_realm = /* Realm of this KDC */
> krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
> char **capath = NULL;
>@@ -2324,6 +2331,7 @@
> spn,
> client,
> cp,
>+ tgt_realm,
> krbtgt_out,
> tkey_sign->key.keytype,
> spp,
>diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
>--- tests/kdc/check-kdc.in 2016-12-14 18:01:18.000000000 +0000
>+++ tests/kdc/check-kdc.in 2017-06-03 15:23:36.276571000 +0000
>@@ -53,6 +53,7 @@
> R5=SOME-REALM5.FR
> R6=SOME-REALM6.US
> R7=SOME-REALM7.UK
>+R8=SOME-REALM8.UK
> 
> H1=H1.$R
> H2=H2.$R
>@@ -152,6 +153,12 @@
> init \
> --realm-max-ticket-life=1day \
> --realm-max-renewable-life=1month \
>+ ${R8} || exit 1
>+
>+${kadmin} \
>+ init \
>+ --realm-max-ticket-life=1day \
>+ --realm-max-renewable-life=1month \
> ${H1} || exit 1
> 
> ${kadmin} \
>@@ -191,6 +198,7 @@
> ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
> ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
> ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
>+${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
> ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
> ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
> ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
>@@ -249,6 +257,9 @@
> ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
> ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
> 
>+${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
>+${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
>+
> ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
> ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
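Review bot: `tgt_realm` in the @@ -1519 hunk is initialised at declaration from `krbtgt->entry.principal` and, going by the hunk line numbers, is first consumed roughly 800 lines later at the call in the @@ -2324 hunk. It appears to be a borrowed pointer into the principal rather than a copy, so it stays valid only while `krbtgt` is neither released nor replaced in between; the same holds for `our_realm` just below it. The existing trailing comment could carry that, e.g. `/* Realm of TGT issuer; borrowed from krbtgt, valid while krbtgt is held */`. The enclosing function begins and ends outside both hunks, so whether any path releases `krbtgt` early cannot be checked from here.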
> 
>@@ -284,6 +295,7 @@
> ${kadmin5} check ${R5} || exit 1
> ${kadmin} check ${R6} || exit 1
> ${kadmin} check ${R7} || exit 1
>+${kadmin} check ${R8} || exit 1
> ${kadmin} check ${H1} || exit 1
> ${kadmin} check ${H2} || exit 1
> ${kadmin} check ${H3} || exit 1
>@@ -388,6 +400,8 @@
> ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
> echo "Getting x-realm tickets with capaths for $R -> $R7"
> ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
>+echo "Should not get x-realm tickets with capaths for $R -> $R8"
>+${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
> ${kdestroy}
> 
> echo "Testing capaths logic (reverse order)"
>@@ -418,10 +432,13 @@
> 
> echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
> ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
>+fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
> echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
> ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
>+fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
> echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
> ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
>+fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
> ${kdestroy}
> 
> echo "Testing multi-hop [capaths] referral logic"
>diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
>--- tests/kdc/krb5.conf.in 2016-11-29 01:35:28.000000000 +0000
>+++ tests/kdc/krb5.conf.in 2017-06-03 15:23:36.278848000 +0000
>@@ -40,6 +40,9 @@
> SOME-REALM7.UK = {
> kdc = localhost:@port@
> }
>+ SOME-REALM8.UK = {
>+ kdc = localhost:@port@
>+ }
> TEST-HTTP.H5L.SE = {
> kdc = http/localhost:@port@
> }
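Review bot: The negative check `${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }` in the @@ -388 hunk passes on any kgetcred failure, not only on a transit-policy rejection. A missing principal, an unreachable KDC or a mistake in the R8 realm setup would make it pass while the capath check this patch restores goes unexercised. I would pair it with an assertion on the KDC log, in the way the @@ -418 hunk uses `fgrep ... messages.log`, matching the rejection line the KDC writes for this case (that message text is not visible on this page, so it would need to be taken from the KDC source).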
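Review bot: The three `fgrep ... messages.log` assertions in the @@ -418 hunk search the whole log, so a matching line written by an earlier step would satisfy them even if the current request took a different path; whether the log is truncated between steps is not visible here. The third pattern, `"cross-realm ${H3} -> ${H2}"`, has no `via` part and would also match a line that does list transit realms, so it does not pin the direct case. Counting matches before and after each `kgetcred`, or matching up to the end of the logged line where the format allows it, would make these checks specific to the request just made. `fgrep` is also obsolescent in current grep releases; `grep -F` is the portable spelling.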
>@@ -147,6 +150,7 @@
> SOME-REALM6.US = SOME-REALM5.FR
> SOME-REALM7.UK = SOME-REALM6.US
> SOME-REALM7.UK = SOME-REALM5.FR
>+ SOME-REALM8.UK = SOME-REALM6.US
> }
> H4.H2.TEST.H5L.SE = {
> H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE