MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.

In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Submitted by: hrs Obtained from: Heimdal Security: FreeBSD-SA-17:05.heimdal Security: CVE-2017-11103
author: delphij <delphij@FreeBSD.org> 2017-07-12 07:26:07 +0000
committer: delphij <delphij@FreeBSD.org> 2017-07-12 07:26:07 +0000
commit: 3955ce48cb5593628cb375c519160dc0ecb4f210 (patch)
tree: 35563bc36b11daf01a42920378568eb9e4ecc355 /crypto
parent: 44bd82a8b21678770c1eacf8b554fa8ea715ab17 (diff)
download: FreeBSD-src-3955ce48cb5593628cb375c519160dc0ecb4f210.zip
FreeBSD-src-3955ce48cb5593628cb375c519160dc0ecb4f210.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 4845a93..5b6eabe 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
author	delphij <delphij@FreeBSD.org>	2017-07-12 07:26:07 +0000
committer	delphij <delphij@FreeBSD.org>	2017-07-12 07:26:07 +0000
commit	3955ce48cb5593628cb375c519160dc0ecb4f210 (patch)
tree	35563bc36b11daf01a42920378568eb9e4ecc355 /crypto
parent	44bd82a8b21678770c1eacf8b554fa8ea715ab17 (diff)
download	FreeBSD-src-3955ce48cb5593628cb375c519160dc0ecb4f210.zip FreeBSD-src-3955ce48cb5593628cb375c519160dc0ecb4f210.tar.gz