The Samba-Bugzilla – Attachment 13514 Details for Bug 12998: [SECURITY] HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Attachment 13514: Possible patch for master (flags: patch, obsolete)
Filename: sec.diff.txt
MIME Type: text/plain
Size: 2.65 KB
Creator: Stefan Metzmacher
Created: 2017-08-29 21:20:47 UTC
Description: Possible patch for master
>From d9b0c819e43e4725fa1c9d11d6c25b2f5929a481 Mon Sep 17 00:00:00 2001 >From: Viktor Dukhovni <viktor@twosigma.com> >Date: Wed, 10 Aug 2016 23:31:14 +0000 >Subject: [PATCH] HEIMDAL:kdc: Fix transit path validation CVE-2017-6594 > >Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm >to not be added to the transit path of issued tickets. This may, in >some cases, enable bypass of capath policy in Heimdal versions 1.5 >through 7.2. > >Note, this may break sites that rely on the bug. With the bug some >incomplete [capaths] worked, that should not have. These may now break >authentication in some cross-realm configurations. > >(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998 > >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/heimdal/kdc/krb5tgs.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index a888788..43ed496 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -654,8 +654,12 @@ fix_transited_encoding(krb5_context context, > "Decoding transited encoding"); > return ret; > } >+ >+ /* >+ * If the realm of the presented tgt is neither the client nor the server >+ * realm, it is a transit realm and must be added to transited set. >+ */ > if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { >- /* not us, so add the previous realm to transited set */ > if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { > ret = ERANGE; > goto free_realms; >@@ -736,6 +740,7 @@ tgs_make_reply(krb5_context context, > const char *server_name, > hdb_entry_ex *client, > krb5_principal client_principal, >+ const char *tgt_realm, > hdb_entry_ex *krbtgt, > krb5_enctype krbtgt_etype, > krb5_principals spp, 
>@@ -797,7 +802,7 @@ tgs_make_reply(krb5_context context, > &tgt->transited, &et, > krb5_principal_get_realm(context, client_principal), > krb5_principal_get_realm(context, server->entry.principal), >- krb5_principal_get_realm(context, krbtgt->entry.principal)); >+ tgt_realm); > if(ret) > goto out; > >@@ -1516,7 +1521,8 @@ tgs_build_reply(krb5_context context, > krb5_keyblock sessionkey; > krb5_kvno kvno; > krb5_data rspac; >- >+ const char *tgt_realm = /* Realm of TGT issuer */ >+ krb5_principal_get_realm(context, krbtgt->entry.principal); > hdb_entry_ex *krbtgt_out = NULL; > > METHOD_DATA enc_pa_data; >@@ -2268,6 +2274,7 @@ server_lookup: > spn, > client, > cp, >+ tgt_realm, > krbtgt_out, > krbtgt_etype, > spp, >-- >1.9.1 >
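Review bot: the new `const char *tgt_realm` parameter inserted into tgs_make_reply between `client_principal` and `krbtgt` (hunk at -736) has no comment saying what it must hold, even though the neighbouring `krbtgt` argument is also a realm source and is the one the old code read from (hunk at -797). A one-line comment at the parameter stating that it is the realm of the TGT presented by the client, not the realm of `krbtgt`, would keep a future caller from passing the wrong one.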
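Review bot: the one behavioural change is in the hunk at -797, where the realm handed to fix_transited_encoding switches from `krb5_principal_get_realm(context, krbtgt->entry.principal)` to `tgt_realm`. From the call site at -2268 the `krbtgt` parameter of tgs_make_reply is `krbtgt_out`, while `tgt_realm` is taken in tgs_build_reply from a different entry, `krbtgt->entry.principal`; so the old code compared the wrong realm against `server_realm` and the previous hop was never appended, which is the capath bypass the commit message describes. The change is correct, but a short comment at this call explaining why `tgt_realm` rather than `krbtgt` must be used would stop the regression from being reintroduced, and this is the line a test should cover: a three-realm cross-realm request checking that the intermediate realm appears in the transited field of the issued ticket.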
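Review bot: in the hunk at -1516, `tgt_realm` is a borrowed pointer into `krbtgt->entry.principal`, so it stays valid only as long as `krbtgt` in tgs_build_reply is neither freed nor reassigned before the tgs_make_reply call at -2268; the diff does not show that lifetime, so it is worth confirming in the surrounding code. On style, the inline `/* Realm of TGT issuer */` splits the initialiser across two lines and the blank line separating the declaration groups was dropped; putting the comment on its own line above `const char *tgt_realm = krb5_principal_get_realm(context, krbtgt->entry.principal);` reads more cleanly.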