Bug 624674 (CVE-2017-11103) - <app-crypt/heimdal-7.4.0: Orpheus' Lyre KDC-REP service name validation
Summary: <app-crypt/heimdal-7.4.0: Orpheus' Lyre KDC-REP service name validation
Status: RESOLVED FIXED
Alias: CVE-2017-11103
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/heimdal/heimdal/co...
Whiteboard: B4 [noglsa cve]
Reported: 2017-07-12 11:55 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-10-31 14:20 UTC
Package list:
app-crypt/heimdal-7.4.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-12 11:55:37 UTC
From $URL:
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
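
A minimal C model of the check the description above refers to, added here as an illustration; it is not Heimdal's code. The struct and function names and the example.test principals are hypothetical, and decryption of 'enc_part' is assumed to have already succeeded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a KDC-REP; not Heimdal's real types. */
struct principal {
    const char *realm;
    size_t ncomp;
    const char *comp[4];
};
struct kdc_rep_model {
    struct principal ticket_sname;   /* plaintext 'ticket' field, no integrity protection */
    struct principal enc_part_sname; /* from 'enc_part', decrypted with the reply key */
};

static bool principal_eq(const struct principal *a, const struct principal *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomp != b->ncomp)
        return false;
    for (size_t i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    return true;
}

/* Pre-fix behaviour as the description states it: trusts the plaintext name. */
bool server_matches_unencrypted(const struct kdc_rep_model *r, const struct principal *want)
{
    return principal_eq(want, &r->ticket_sname);
}

/* Fixed behaviour: compare against the name carried inside enc_part. */
bool server_matches_enc_part(const struct kdc_rep_model *r, const struct principal *want)
{
    return principal_eq(want, &r->enc_part_sname);
}

/* Constructed sample data: the reply's plaintext name matches the request, its enc_part does not. */
const struct principal REQUESTED = {"EXAMPLE.TEST", 2, {"host", "files.example.test"}};
const struct kdc_rep_model MISMATCHED = {
    {"EXAMPLE.TEST", 2, {"host", "files.example.test"}},
    {"EXAMPLE.TEST", 2, {"host", "other.example.test"}}};

int main(void)
{
    printf("plaintext check accepts: %d\n", server_matches_unencrypted(&MISMATCHED, &REQUESTED));
    printf("enc_part check accepts:  %d\n", server_matches_enc_part(&MISMATCHED, &REQUESTED));
    return 0;
}
```

The plaintext comparison accepts the mismatched reply, while the comparison against the name from 'enc_part' rejects it.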
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-12 20:55:45 UTC
Update:

https://www.samba.org/samba/security/CVE-2017-11103.html
Comment 2 Eray Aslan gentoo-dev 2017-07-13 05:52:33 UTC
Arches, please test and mark stable
=app-crypt/heimdal-7.4.0

Thank you.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 07:58:23 UTC
@samba: Can you please comment on whether we're affected by samba embedding, cf. comment 1 (i.e. whether we unbundle heimdal and use system libraries)?

If we embed it in any form please clone this bug and create a tracker.
Comment 4 John R. Graham gentoo-dev 2017-07-13 17:03:10 UTC
The Samba Security Announcement states:

    Samba versions built against MIT Kerberos are not impacted.  Unless
    you are running Samba as an AD DC, then rebuild samba using:

     ./configure --with-system-mitkrb5.

Our in-tree ebuilds do appear to already use this configure option.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-13 17:15:01 UTC
(In reply to John R. Graham from comment #4)
> The Samba Security Announcement states:
> 
>     Samba versions built against MIT Kerberos are not impacted.  Unless
>     you are running Samba as an AD DC, then rebuild samba using:
> 
>      ./configure --with-system-mitkrb5.
> 
> Our in-tree ebuilds do appear to already use this configure option.

Thank you for the confirmation
Comment 6 Tobias Klausmann gentoo-dev 2017-07-15 09:58:34 UTC
Stable on alpha.
Comment 7 Tobias Klausmann gentoo-dev 2017-07-15 10:04:15 UTC
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 8 Sergei Trofimovich gentoo-dev 2017-07-15 11:33:03 UTC
ia64 stable
Comment 9 Tobias Klausmann gentoo-dev 2017-07-16 11:15:14 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2017-07-25 18:52:26 UTC
arm stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-08-18 21:02:57 UTC
x86 stable
Comment 13 Sergei Trofimovich gentoo-dev 2017-09-30 06:36:19 UTC
ppc/ppc64 stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:46:25 UTC
ohhhhhhhhhh HPPA....
Comment 15 Sergei Trofimovich gentoo-dev 2017-10-28 20:31:48 UTC
hppa stable
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-29 19:10:26 UTC
GLSA Vote: No

Maintainer(s), please clean the vulnerable versions.
Comment 17 Eray Aslan gentoo-dev 2017-10-31 10:18:34 UTC
cleanup done
Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 14:20:26 UTC
Thank you all