gnu: heimdal: Fix CVE-2017-{6594,11103}.
* gnu/packages/patches/heimdal-CVE-2017-6594.patch, gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
This commit is contained in:
parent
cfd6a3b1ee
commit
81c35029d4
@ -691,6 +691,8 @@ dist_patch_DATA = \
|
||||
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
|
||||
%D%/packages/patches/hdf-eos5-fix-szip.patch \
|
||||
%D%/packages/patches/hdf-eos5-fortrantests.patch \
|
||||
%D%/packages/patches/heimdal-CVE-2017-6594.patch \
|
||||
%D%/packages/patches/heimdal-CVE-2017-11103.patch \
|
||||
%D%/packages/patches/hmmer-remove-cpu-specificity.patch \
|
||||
%D%/packages/patches/higan-remove-march-native-flag.patch \
|
||||
%D%/packages/patches/hubbub-sort-entities.patch \
|
||||
|
@ -144,6 +144,8 @@ secure manner through client-server mutual authentication via tickets.")
|
||||
(sha256
|
||||
(base32
|
||||
"19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
|
||||
(patches (search-patches "heimdal-CVE-2017-6594.patch"
|
||||
"heimdal-CVE-2017-11103.patch"))
|
||||
(modules '((guix build utils)))
|
||||
(snippet
|
||||
'(substitute* "configure"
|
||||
|
45
gnu/packages/patches/heimdal-CVE-2017-11103.patch
Normal file
45
gnu/packages/patches/heimdal-CVE-2017-11103.patch
Normal file
@ -0,0 +1,45 @@
|
||||
Fix CVE-2017-11103:
|
||||
|
||||
https://orpheus-lyre.info/
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-11103
|
||||
|
||||
Patch lifted from upstream source repository:
|
||||
|
||||
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
|
||||
|
||||
From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
|
||||
From: Jeffrey Altman <jaltman@secure-endpoints.com>
|
||||
Date: Wed, 12 Apr 2017 15:40:42 -0400
|
||||
Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
|
||||
|
||||
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
|
||||
encrypted version stored in 'enc_part' instead of the unencrypted version
|
||||
stored in 'ticket'. Use of the unecrypted version provides an
|
||||
opportunity for successful server impersonation and other attacks.
|
||||
|
||||
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
|
||||
|
||||
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
|
||||
---
|
||||
lib/krb5/ticket.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
|
||||
index d95d96d1b..b8d81c6ad 100644
|
||||
--- a/lib/krb5/ticket.c
|
||||
+++ b/lib/krb5/ticket.c
|
||||
@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
|
||||
/* check server referral and save principal */
|
||||
ret = _krb5_principalname2krb5_principal (context,
|
||||
&tmp_principal,
|
||||
- rep->kdc_rep.ticket.sname,
|
||||
- rep->kdc_rep.ticket.realm);
|
||||
+ rep->enc_part.sname,
|
||||
+ rep->enc_part.srealm);
|
||||
if (ret)
|
||||
goto out;
|
||||
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
|
||||
--
|
||||
2.13.3
|
||||
|
85
gnu/packages/patches/heimdal-CVE-2017-6594.patch
Normal file
85
gnu/packages/patches/heimdal-CVE-2017-6594.patch
Normal file
@ -0,0 +1,85 @@
|
||||
Fix CVE-2017-6594:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-6594
|
||||
|
||||
Patch lifted from upstream source repository:
|
||||
|
||||
https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
|
||||
|
||||
To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
|
||||
files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
|
||||
|
||||
From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
|
||||
From: Viktor Dukhovni <viktor@twosigma.com>
|
||||
Date: Wed, 10 Aug 2016 23:31:14 +0000
|
||||
Subject: [PATCH] Fix transit path validation CVE-2017-6594
|
||||
|
||||
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
|
||||
to not be added to the transit path of issued tickets. This may, in
|
||||
some cases, enable bypass of capath policy in Heimdal versions 1.5
|
||||
through 7.2.
|
||||
|
||||
Note, this may break sites that rely on the bug. With the bug some
|
||||
incomplete [capaths] worked, that should not have. These may now break
|
||||
authentication in some cross-realm configurations.
|
||||
---
|
||||
NEWS | 14 ++++++++++++++
|
||||
kdc/krb5tgs.c | 12 ++++++++++--
|
||||
tests/kdc/check-kdc.in | 17 +++++++++++++++++
|
||||
tests/kdc/krb5.conf.in | 4 ++++
|
||||
4 files changed, 45 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
|
||||
index 6048b9c55..98503812f 100644
|
||||
--- a/kdc/krb5tgs.c
|
||||
+++ b/kdc/krb5tgs.c
|
||||
@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
|
||||
"Decoding transited encoding");
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * If the realm of the presented tgt is neither the client nor the server
|
||||
+ * realm, it is a transit realm and must be added to transited set.
|
||||
+ */
|
||||
if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
|
||||
- /* not us, so add the previous realm to transited set */
|
||||
if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
|
||||
ret = ERANGE;
|
||||
goto free_realms;
|
||||
@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
|
||||
const char *server_name,
|
||||
hdb_entry_ex *client,
|
||||
krb5_principal client_principal,
|
||||
+ const char *tgt_realm,
|
||||
hdb_entry_ex *krbtgt,
|
||||
krb5_enctype krbtgt_etype,
|
||||
krb5_principals spp,
|
||||
@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
|
||||
&tgt->transited, &et,
|
||||
krb5_principal_get_realm(context, client_principal),
|
||||
krb5_principal_get_realm(context, server->entry.principal),
|
||||
- krb5_principal_get_realm(context, krbtgt->entry.principal));
|
||||
+ tgt_realm);
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
|
||||
krb5_keyblock sessionkey;
|
||||
krb5_kvno kvno;
|
||||
krb5_data rspac;
|
||||
+ const char *tgt_realm = /* Realm of TGT issuer */
|
||||
+ krb5_principal_get_realm(context, krbtgt->entry.principal);
|
||||
|
||||
@@ -2324,6 +2331,7 @@ server_lookup:
|
||||
spn,
|
||||
client,
|
||||
cp,
|
||||
+ tgt_realm,
|
||||
krbtgt_out,
|
||||
tkey_sign->key.keytype,
|
||||
spp,
|
||||
--
|
||||
2.13.3
|
||||
|
Loading…
Reference in New Issue
Block a user