guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: heimdal: Fix CVE-2017-{6594,11103}.

From: Leo Famulari
Subject: 01/01: gnu: heimdal: Fix CVE-2017-{6594,11103}.
Date: Thu, 20 Jul 2017 15:50:11 -0400 (EDT) 
lfam pushed a commit to branch master
in repository guix.

commit 81c35029d4ee4fa7cd517998844229a514b35531
Author: Alex Vong <address@hidden>
Date:   Thu Jul 20 15:30:12 2017 -0400

    gnu: heimdal: Fix CVE-2017-{6594,11103}.
    
    * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
    gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
---
 gnu/local.mk                                      |  2 +
 gnu/packages/kerberos.scm                         |  2 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++
 gnu/packages/patches/heimdal-CVE-2017-6594.patch  | 85 +++++++++++++++++++++++
 4 files changed, 134 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index bf9143a..6d9e570 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch              \
   %D%/packages/patches/hdf-eos5-fix-szip.patch                 \
   %D%/packages/patches/hdf-eos5-fortrantests.patch             \
+  %D%/packages/patches/heimdal-CVE-2017-6594.patch             \
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch            \
   %D%/packages/patches/hmmer-remove-cpu-specificity.patch      \
   %D%/packages/patches/higan-remove-march-native-flag.patch    \
   %D%/packages/patches/hubbub-sort-entities.patch              \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f6197..59fd944 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,8 @@ secure manner through client-server mutual authentication 
via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-6594.patch"
+                                       "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch 
b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 0000000..d76f0df
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <address@hidden>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+                                             &tmp_principal,
+-                                            rep->kdc_rep.ticket.sname,
+-                                            rep->kdc_rep.ticket.realm);
++                                            rep->enc_part.sname,
++                                            rep->enc_part.srealm);
+     if (ret)
+       goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch 
b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
new file mode 100644
index 0000000..714af60
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
@@ -0,0 +1,85 @@
+Fix CVE-2017-6594:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
+https://security-tracker.debian.org/tracker/CVE-2017-6594
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
+
+To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
+files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
+
+From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <address@hidden>
+Date: Wed, 10 Aug 2016 23:31:14 +0000
+Subject: [PATCH] Fix transit path validation CVE-2017-6594
+
+Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
+to not be added to the transit path of issued tickets.  This may, in
+some cases, enable bypass of capath policy in Heimdal versions 1.5
+through 7.2.
+
+Note, this may break sites that rely on the bug.  With the bug some
+incomplete [capaths] worked, that should not have.  These may now break
+authentication in some cross-realm configurations.
+---
+ NEWS                   | 14 ++++++++++++++
+ kdc/krb5tgs.c          | 12 ++++++++++--
+ tests/kdc/check-kdc.in | 17 +++++++++++++++++
+ tests/kdc/krb5.conf.in |  4 ++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 6048b9c55..98503812f 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
+                 "Decoding transited encoding");
+       return ret;
+     }
++
++    /*
++     * If the realm of the presented tgt is neither the client nor the server
++     * realm, it is a transit realm and must be added to transited set.
++     */
+     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+-      /* not us, so add the previous realm to transited set */
+       if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+           ret = ERANGE;
+           goto free_realms;
+@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
+              const char *server_name,
+              hdb_entry_ex *client,
+              krb5_principal client_principal,
++               const char *tgt_realm,
+              hdb_entry_ex *krbtgt,
+              krb5_enctype krbtgt_etype,
+              krb5_principals spp,
+@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
+                                &tgt->transited, &et,
+                                krb5_principal_get_realm(context, 
client_principal),
+                                krb5_principal_get_realm(context, 
server->entry.principal),
+-                               krb5_principal_get_realm(context, 
krbtgt->entry.principal));
++                               tgt_realm);
+     if(ret)
+       goto out;
+ 
+@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
+     krb5_keyblock sessionkey;
+     krb5_kvno kvno;
+     krb5_data rspac;
++    const char *tgt_realm = /* Realm of TGT issuer */
++        krb5_principal_get_realm(context, krbtgt->entry.principal);
+
+@@ -2324,6 +2331,7 @@ server_lookup:
+                        spn,
+                        client,
+                        cp,
++                         tgt_realm,
+                        krbtgt_out,
+                        tkey_sign->key.keytype,
+                        spp,
+-- 
+2.13.3
+
reply via email to
[Prev in Thread] Current Thread [Next in Thread]