aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/heimdal-CVE-2017-11103.patch
diff options
context:
space:
mode:
authorAlex Vong <alexvong1995@gmail.com>2017-07-20 15:30:12 -0400
committerLeo Famulari <leo@famulari.name>2017-07-20 15:33:53 -0400
commit81c35029d4ee4fa7cd517998844229a514b35531 (patch)
treec70867ba9ab6e324064ac0836c7357b5b88274f7 /gnu/packages/patches/heimdal-CVE-2017-11103.patch
parentcfd6a3b1ee6b8c64d5e370f2a461a7882dbe58ab (diff)
downloadgnu-guix-81c35029d4ee4fa7cd517998844229a514b35531.tar
gnu-guix-81c35029d4ee4fa7cd517998844229a514b35531.tar.gz
gnu: heimdal: Fix CVE-2017-{6594,11103}.
* gnu/packages/patches/heimdal-CVE-2017-6594.patch, gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
Diffstat (limited to 'gnu/packages/patches/heimdal-CVE-2017-11103.patch')
-rw-r--r--gnu/packages/patches/heimdal-CVE-2017-11103.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 0000000000..d76f0df369
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'. Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+- rep->kdc_rep.ticket.sname,
+- rep->kdc_rep.ticket.realm);
++ rep->enc_part.sname,
++ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+--
+2.13.3
+