From: Alex Vong <alexvong1995@gmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: 27749@debbugs.gnu.org
Subject: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Wed, 19 Jul 2017 19:04:53 +0800 [thread overview]
Message-ID: <877ez4znze.fsf@gmail.com> (raw)
In-Reply-To: <87bmogzspe.fsf@gmail.com> (Alex Vong's message of "Wed, 19 Jul 2017 17:22:53 +0800")
[-- Attachment #1.1: Type: text/plain, Size: 379 bytes --]
I find out that our version of heimdal is also affected by
CVE-2017-6594. So I amend the previous patch to fix it as well.
Changes to 'NEWS' and files in 'tests/' does not apply, so I remove
them. Also, I change hunk#4 of 'kdc/krb5tgs.c' so that it applies.
It used to be:
foo
foo*
+bar
+bar*
baz
baz*
Now it is:
foo
foo*
+bar
+bar*
<empty-line>
Here is the updated patch:
[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch --]
[-- Type: scm, Size: 7339 bytes --]
From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
* gnu/packages/patches/heimdal-CVE-2017-6594.patch,
gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/kerberos.scm (heimdal)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/kerberos.scm | 2 +
gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++
gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 +++++++++++++++++++++++
4 files changed, 134 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-6594.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..5f4bc47a0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,8 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2017-6594.patch \
+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \
%D%/packages/patches/higan-remove-march-native-flag.patch \
%D%/packages/patches/hubbub-sort-entities.patch \
%D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..59fd944c6 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,8 @@ secure manner through client-server mutual authentication via tickets.")
(sha256
(base32
"19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+ (patches (search-patches "heimdal-CVE-2017-6594.patch"
+ "heimdal-CVE-2017-11103.patch"))
(modules '((guix build utils)))
(snippet
'(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'. Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+- rep->kdc_rep.ticket.sname,
+- rep->kdc_rep.ticket.realm);
++ rep->enc_part.sname,
++ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+--
+2.13.3
+
diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
new file mode 100644
index 000000000..714af6030
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
@@ -0,0 +1,85 @@
+Fix CVE-2017-6594:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
+https://security-tracker.debian.org/tracker/CVE-2017-6594
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
+
+To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
+files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
+
+From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@twosigma.com>
+Date: Wed, 10 Aug 2016 23:31:14 +0000
+Subject: [PATCH] Fix transit path validation CVE-2017-6594
+
+Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
+to not be added to the transit path of issued tickets. This may, in
+some cases, enable bypass of capath policy in Heimdal versions 1.5
+through 7.2.
+
+Note, this may break sites that rely on the bug. With the bug some
+incomplete [capaths] worked, that should not have. These may now break
+authentication in some cross-realm configurations.
+---
+ NEWS | 14 ++++++++++++++
+ kdc/krb5tgs.c | 12 ++++++++++--
+ tests/kdc/check-kdc.in | 17 +++++++++++++++++
+ tests/kdc/krb5.conf.in | 4 ++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 6048b9c55..98503812f 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
+ "Decoding transited encoding");
+ return ret;
+ }
++
++ /*
++ * If the realm of the presented tgt is neither the client nor the server
++ * realm, it is a transit realm and must be added to transited set.
++ */
+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+- /* not us, so add the previous realm to transited set */
+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ ret = ERANGE;
+ goto free_realms;
+@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
+ const char *server_name,
+ hdb_entry_ex *client,
+ krb5_principal client_principal,
++ const char *tgt_realm,
+ hdb_entry_ex *krbtgt,
+ krb5_enctype krbtgt_etype,
+ krb5_principals spp,
+@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
+ &tgt->transited, &et,
+ krb5_principal_get_realm(context, client_principal),
+ krb5_principal_get_realm(context, server->entry.principal),
+- krb5_principal_get_realm(context, krbtgt->entry.principal));
++ tgt_realm);
+ if(ret)
+ goto out;
+
+@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
+ krb5_keyblock sessionkey;
+ krb5_kvno kvno;
+ krb5_data rspac;
++ const char *tgt_realm = /* Realm of TGT issuer */
++ krb5_principal_get_realm(context, krbtgt->entry.principal);
+
+@@ -2324,6 +2331,7 @@ server_lookup:
+ spn,
+ client,
+ cp,
++ tgt_realm,
+ krbtgt_out,
+ tkey_sign->key.keytype,
+ spp,
+--
+2.13.3
+
--
2.13.3
[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
next prev parent reply other threads:[~2017-07-19 11:06 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-18 8:26 [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103] Alex Vong
2017-07-18 15:49 ` Leo Famulari
2017-07-18 15:51 ` Leo Famulari
2017-07-18 15:53 ` Leo Famulari
2017-07-19 9:22 ` Alex Vong
2017-07-19 11:04 ` Alex Vong [this message]
2017-07-20 19:51 ` Leo Famulari
2017-10-18 21:31 ` Ricardo Wurmus
2017-10-19 14:57 ` Alex Vong
2017-10-21 9:52 ` Alex Vong
2017-11-26 22:59 ` Leo Famulari
2018-06-10 8:04 ` bug#27749: " 宋文武
2018-06-25 3:16 ` [bug#27749] " Alex Vong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877ez4znze.fsf@gmail.com \
--to=alexvong1995@gmail.com \
--cc=27749@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).