FreeBSD Bugzilla – Attachment 183175 Details for
Bug 219657
security/heimdal: not marked vulnerable, below 7.3 vulnerable - CVE-2017-6594
[patch]
Backported fix for CVE-2017-6594 to 7.1.0
patch-heimdal-7.0.1,3 (text/plain), 6.74 KB, created by
Marcin Cieślak
on 2017-06-03 15:42:36 UTC
Description:
Backported fix for CVE-2017-6594 to 7.1.0
Creator:
Marcin Cieślak
Created:
2017-06-03 15:42:36 UTC
Size:
6.74 KB
>diff -ruN heimdal.orig/Makefile heimdal/Makefile
>--- heimdal.orig/Makefile 2017-06-03 15:22:06.077139000 +0000
>+++ heimdal/Makefile 2017-06-03 15:22:12.607054000 +0000
>@@ -3,7 +3,7 @@
> 
> PORTNAME= heimdal
> PORTVERSION= 7.1.0
>-PORTREVISION= 2
>+PORTREVISION= 3
> CATEGORIES= security ipv6
> MASTER_SITES= http://www.h5l.org/dist/src/ \
> http://ftp.pdc.kth.se/pub/heimdal/src/ \
>diff -ruN heimdal.orig/files/patch-CVE-2017-6594 heimdal/files/patch-CVE-2017-6594
>--- heimdal.orig/files/patch-CVE-2017-6594 1970-01-01 00:00:00.000000000 +0000
>+++ heimdal/files/patch-CVE-2017-6594 2017-06-03 15:26:36.625970000 +0000
>@@ -0,0 +1,168 @@
>+diff -ru NEWS NEWS
>+--- NEWS 2016-11-29 01:35:27.000000000 +0000
>++++ NEWS 2017-06-03 15:23:36.264325000 +0000
>+@@ -1,4 +1,18 @@
>+-Release Notes - Heimdal - Version Heimdal 1.6
>++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
>++
>++ Security
>++
>++ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
>++ caused the previous hop realm to not be added to the transit path
>++ of issued tickets. This may, in some cases, enable bypass of capath
>++ policy in Heimdal versions 1.5 through 7.2.
>++
>++ Note, this may break sites that rely on the bug. With the bug some
>++ incomplete [capaths] worked, that should not have. These may now break
>++ authentication in some cross-realm configurations.
>++ (CVE-2017-6594)
>++
>++Release Notes - Heimdal - Version Heimdal 7.1
>+ 
>+ Security
>+ - ...
>+diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
>+--- kdc/krb5tgs.c 2016-11-29 01:35:27.000000000 +0000
>++++ kdc/krb5tgs.c 2017-06-03 15:23:36.271738000 +0000
>+@@ -655,8 +655,12 @@
>+ "Decoding transited encoding");
>+ return ret;
>+ }
>++
>++ /*
>++ * If the realm of the presented tgt is neither the client nor the server
>++ * realm, it is a transit realm and must be added to transited set.
>++ */
>+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
>+- /* not us, so add the previous realm to transited set */
>+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
>+ ret = ERANGE;
>+ goto free_realms;
>+@@ -737,6 +741,7 @@
>+ const char *server_name,
>+ hdb_entry_ex *client,
>+ krb5_principal client_principal,
>++ const char *tgt_realm,
>+ hdb_entry_ex *krbtgt,
>+ krb5_enctype krbtgt_etype,
>+ krb5_principals spp,
>+@@ -798,7 +803,7 @@
>+ &tgt->transited, &et,
>+ krb5_principal_get_realm(context, client_principal),
>+ krb5_principal_get_realm(context, server->entry.principal),
>+- krb5_principal_get_realm(context, krbtgt->entry.principal));
>++ tgt_realm);
>+ if(ret)
>+ goto out;
>+ 
>+@@ -1519,6 +1524,8 @@
>+ krb5_keyblock sessionkey;
>+ krb5_kvno kvno;
>+ krb5_data rspac;
>++ const char *tgt_realm = /* Realm of TGT issuer */
>++ krb5_principal_get_realm(context, krbtgt->entry.principal);
>+ const char *our_realm = /* Realm of this KDC */
>+ krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
>+ char **capath = NULL;
>+@@ -2324,6 +2331,7 @@
>+ spn,
>+ client,
>+ cp,
>++ tgt_realm,
>+ krbtgt_out,
>+ tkey_sign->key.keytype,
>+ spp,
>+diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
>+--- tests/kdc/check-kdc.in 2016-12-14 18:01:18.000000000 +0000
>++++ tests/kdc/check-kdc.in 2017-06-03 15:23:36.276571000 +0000
>+@@ -53,6 +53,7 @@
>+ R5=SOME-REALM5.FR
>+ R6=SOME-REALM6.US
>+ R7=SOME-REALM7.UK
>++R8=SOME-REALM8.UK
>+ 
>+ H1=H1.$R
>+ H2=H2.$R
>+@@ -152,6 +153,12 @@
>+ init \
>+ --realm-max-ticket-life=1day \
>+ --realm-max-renewable-life=1month \
>++ ${R8} || exit 1
>++
>++${kadmin} \
>++ init \
>++ --realm-max-ticket-life=1day \
>++ --realm-max-renewable-life=1month \
>+ ${H1} || exit 1
>+ 
>+ ${kadmin} \
>+@@ -191,6 +198,7 @@
>+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
>+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
>+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
>++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
>+ ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
>+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
>+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
>+@@ -249,6 +257,9 @@
>+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
>+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
>+ 
>++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
>++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
>++
>+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
>+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
>+ 
>+@@ -284,6 +295,7 @@
>+ ${kadmin5} check ${R5} || exit 1
>+ ${kadmin} check ${R6} || exit 1
>+ ${kadmin} check ${R7} || exit 1
>++${kadmin} check ${R8} || exit 1
>+ ${kadmin} check ${H1} || exit 1
>+ ${kadmin} check ${H2} || exit 1
>+ ${kadmin} check ${H3} || exit 1
>+@@ -388,6 +400,8 @@
>+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
>+ echo "Getting x-realm tickets with capaths for $R -> $R7"
>+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
>++echo "Should not get x-realm tickets with capaths for $R -> $R8"
>++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
>+ ${kdestroy}
>+ 
>+ echo "Testing capaths logic (reverse order)"
>+@@ -418,10 +432,13 @@
>+ 
>+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
>+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
>++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
>+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
>+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
>++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
>+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
>+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
>++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
>+ ${kdestroy}
>+ 
>+ echo "Testing multi-hop [capaths] referral logic"
>+diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
>+--- tests/kdc/krb5.conf.in 2016-11-29 01:35:28.000000000 +0000
>++++ tests/kdc/krb5.conf.in 2017-06-03 15:23:36.278848000 +0000
>+@@ -40,6 +40,9 @@
>+ SOME-REALM7.UK = {
>+ kdc = localhost:@port@
>+ }
>++ SOME-REALM8.UK = {
>++ kdc = localhost:@port@
>++ }
>+ TEST-HTTP.H5L.SE = {
>+ kdc = http/localhost:@port@
>+ }
>+@@ -147,6 +150,7 @@
>+ SOME-REALM6.US = SOME-REALM5.FR
>+ SOME-REALM7.UK = SOME-REALM6.US
>+ SOME-REALM7.UK = SOME-REALM5.FR
>++ SOME-REALM8.UK = SOME-REALM6.US
>+ }
>+ H4.H2.TEST.H5L.SE = {
>+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
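Review bot: The `tgt_realm` parameter added in the kdc/krb5tgs.c hunk at -737 sits directly next to `krbtgt` with nothing saying which of the two the transited check may use, and the call site in the -2324 hunk passes `krbtgt_out` for `krbtgt`, so the two can refer to different realms. The -798 hunk stops deriving the realm from `krbtgt->entry.principal`, which suggests that derivation is what dropped the previous hop from the transit path; a later refactor could reintroduce it unnoticed. I would document the parameter at the signature, e.g. `const char *tgt_realm, /* realm of the presented TGT; never derive from krbtgt, which is krbtgt_out at the caller */`. `tgt_realm` also borrows its storage from `krbtgt->entry.principal` (the -1519 hunk), so it presumably must not be used after that entry is released; the function bodies continue outside these hunks, so that lifetime cannot be confirmed from here.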
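Review bot: The negative check added in the tests/kdc/check-kdc.in hunk at -388, `${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }`, passes whenever kgetcred fails for any reason, so a missing principal or an unreachable KDC would look like a working transit check. The test should also pin the reason, the way the -418 hunk does with `fgrep ... messages.log`: after the kgetcred line add something like `fgrep "<KDC transit-rejection message for ${R8}>" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }`, where the quoted text is a placeholder for whatever the KDC actually logs. Without that, the test can pass without the capath policy ever being exercised.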
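Review bot: The third `fgrep` added in the tests/kdc/check-kdc.in hunk at -418, `"cross-realm ${H3} -> ${H2}"`, is a prefix of the form the other two assertions use, so it would also match a log line that continues with ` via [...]` and does not show that the direct hop records no transit realm. If the intent is to assert an empty transit list, add the negative counterpart: `fgrep "cross-realm ${H3} -> ${H2} via" messages.log > /dev/null && { ec=1 ; eval "${testfailed}"; }`. All three checks also read the whole of messages.log; whether the log is truncated before this block is not visible in the hunk, and if it is not, a line written by an earlier step could satisfy them.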