
Bug 624674 (CVE-2017-11103)

Summary: <app-crypt/heimdal-7.4.0: Orpheus' Lyre KDC-REP service name validation
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: john_r_graham, kerberos, samba
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
Whiteboard: B4 [noglsa cve]
Package list:
app-crypt/heimdal-7.4.0
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-12 11:55:37 UTC
From $URL:
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
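
Added example (not part of the bug report and not Heimdal's code): a simplified C model of the check the commit message describes, comparing the requested service name against the cleartext 'ticket' copy versus the 'enc_part' copy. All type, function and variable names are hypothetical, and the sample replies are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types for illustration; not Heimdal's real ones. */
struct principal { const char *realm; size_t ncomp; const char *comp[4]; };
struct kdc_rep_model {
    struct principal ticket_sname;   /* cleartext ticket field, unverifiable by the client */
    struct principal enc_part_sname; /* from enc_part, decrypted with a key shared with the KDC */
};

/* Exact match on realm and on every name component. */
int principal_equal(const struct principal *a, const struct principal *b)
{
    if (a->ncomp != b->ncomp || strcmp(a->realm, b->realm) != 0)
        return 0;
    for (size_t i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* Pre-fix pattern: the reply is accepted on the strength of the cleartext name. */
int accept_reply_cleartext(const struct kdc_rep_model *rep, const struct principal *want)
{
    return principal_equal(&rep->ticket_sname, want);
}

/* Fixed pattern: only the authenticated name from enc_part is compared. */
int accept_reply_enc_part(const struct kdc_rep_model *rep, const struct principal *want)
{
    return principal_equal(&rep->enc_part_sname, want);
}

/* Constructed sample data: the service the client asked for, and two replies. */
const struct principal requested = { "EXAMPLE.ORG", 2, { "host", "files.example.org" } };
const struct kdc_rep_model consistent = {
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } },
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } } };
const struct kdc_rep_model inconsistent = { /* the two copies disagree */
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } },
    { "EXAMPLE.ORG", 2, { "host", "other.example.org" } } };

int main(void)
{
    printf("inconsistent reply: cleartext check=%d enc_part check=%d\n",
           accept_reply_cleartext(&inconsistent, &requested),
           accept_reply_enc_part(&inconsistent, &requested));
    return 0;
}
```
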
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-12 20:55:45 UTC
Update:

https://www.samba.org/samba/security/CVE-2017-11103.html
Comment 2 Eray Aslan gentoo-dev 2017-07-13 05:52:33 UTC
Arches, please test and mark stable
=app-crypt/heimdal-7.4.0

Thank you.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 07:58:23 UTC
@samba: Can you please comment on whether we're affected by samba embedding, cf. comment 1 (i.e. whether we unbundle heimdal and use system libraries)?

If we embed it in any form please clone this bug and create a tracker.
Comment 4 John R. Graham gentoo-dev 2017-07-13 17:03:10 UTC
The Samba Security Announcement states:

    Samba versions built against MIT Kerberos are not impacted.  Unless
    you are running Samba as an AD DC, then rebuild samba using:

     ./configure --with-system-mitkrb5.

Our in-tree ebuilds do appear to already use this configure option.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 17:15:01 UTC
(In reply to John R. Graham from comment #4)
> The Samba Security Announcement states:
> 
>     Samba versions built against MIT Kerberos are not impacted.  Unless
>     you are running Samba as an AD DC, then rebuild samba using:
> 
>      ./configure --with-system-mitkrb5.
> 
> Our in-tree ebuilds do appear to already use this configure option.

Thank you for the confirmation
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 09:58:34 UTC
Stable on alpha.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 10:04:15 UTC
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-15 11:33:03 UTC
ia64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-16 11:15:14 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2017-07-25 18:52:26 UTC
arm stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 21:02:57 UTC
x86 stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:10:02 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-30 06:36:19 UTC
ppc/ppc64 stable
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:46:25 UTC
ohhhhhhhhhh HPPA....
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 20:31:48 UTC
hppa stable
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-10-29 19:10:26 UTC
GLSA Vote: No

Maintainer(s), please clean the vulnerable versions.
Comment 17 Eray Aslan gentoo-dev 2017-10-31 10:18:34 UTC
cleanup done
Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 14:20:26 UTC
Thank you all