MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.

In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103
author: delphij <delphij@FreeBSD.org> 2017-07-12 07:26:07 +0000
committer: delphij <delphij@FreeBSD.org> 2017-07-12 07:26:07 +0000
commit: b47deba89752334874e76436e1b7ec2f448ad78e (patch)
tree: c8fd2567e8069ede79cad81eb125e7b5a1490ccd /crypto
parent: 0f2762b4eb929edb2c9e8319f9e16c9098bc9d0a (diff)
download: FreeBSD-src-b47deba89752334874e76436e1b7ec2f448ad78e.zip
FreeBSD-src-b47deba89752334874e76436e1b7ec2f448ad78e.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 4845a93..5b6eabe 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
author	delphij <delphij@FreeBSD.org>	2017-07-12 07:26:07 +0000
committer	delphij <delphij@FreeBSD.org>	2017-07-12 07:26:07 +0000
commit	b47deba89752334874e76436e1b7ec2f448ad78e (patch)
tree	c8fd2567e8069ede79cad81eb125e7b5a1490ccd /crypto
parent	0f2762b4eb929edb2c9e8319f9e16c9098bc9d0a (diff)
download	FreeBSD-src-b47deba89752334874e76436e1b7ec2f448ad78e.zip FreeBSD-src-b47deba89752334874e76436e1b7ec2f448ad78e.tar.gz