Heimdal: Fix transit path validation CVE-2017-6594
Apply upstream b1e699103. This fixes a bug introduced by upstream f469fc6 which may in some cases enable bypass of capath policy. Upstream writes in their commit log: Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. Reported by: emaste Security: CVE-2017-6594 Obtained from: upstream b1e699103 MFC after: 1 week
parent
57d312b8ea
commit
f8041e3628
|
@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
|
|||
"Decoding transited encoding");
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* If the realm of the presented tgt is neither the client nor the server
|
||||
* realm, it is a transit realm and must be added to transited set.
|
||||
*/
|
||||
if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
|
||||
/* not us, so add the previous realm to transited set */
|
||||
if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
|
||||
ret = ERANGE;
|
||||
goto free_realms;
|
||||
|
@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
|
|||
const char *server_name,
|
||||
hdb_entry_ex *client,
|
||||
krb5_principal client_principal,
|
||||
const char *tgt_realm,
|
||||
hdb_entry_ex *krbtgt,
|
||||
krb5_enctype krbtgt_etype,
|
||||
krb5_principals spp,
|
||||
|
@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
|
|||
&tgt->transited, &et,
|
||||
krb5_principal_get_realm(context, client_principal),
|
||||
krb5_principal_get_realm(context, server->entry.principal),
|
||||
krb5_principal_get_realm(context, krbtgt->entry.principal));
|
||||
tgt_realm);
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
|
@ -1494,6 +1499,8 @@ tgs_build_reply(krb5_context context,
|
|||
krb5_keyblock sessionkey;
|
||||
krb5_kvno kvno;
|
||||
krb5_data rspac;
|
||||
const char *tgt_realm = /* Realm of TGT issuer */
|
||||
krb5_principal_get_realm(context, krbtgt->entry.principal);
|
||||
|
||||
hdb_entry_ex *krbtgt_out = NULL;
|
||||
|
||||
|
@ -2240,6 +2247,7 @@ tgs_build_reply(krb5_context context,
|
|||
spn,
|
||||
client,
|
||||
cp,
|
||||
tgt_realm,
|
||||
krbtgt_out,
|
||||
krbtgt_etype,
|
||||
spp,
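Review bot: The new `const char *tgt_realm` parameter of tgs_make_reply sits directly above `hdb_entry_ex *krbtgt`, and nothing says the two can name different realms: at the tgs_build_reply call site the entry passed is `krbtgt_out`, while `tgt_realm` is read from the incoming `krbtgt->entry.principal`. Taking the realm from the wrong entry appears to be what the changed fix_transited_encoding argument corrects, so I would document the distinction at the parameter, e.g. `const char *tgt_realm, /* realm of the TGT's issuer; may differ from the realm of krbtgt below */`. `tgt_realm` also borrows storage from `krbtgt->entry.principal` for the rest of tgs_build_reply, so a comment at its declaration should say the entry must outlive the tgs_make_reply call; the function bodies lie outside the visible hunks, so I could not confirm that it does. No regression test is visible in this change; a cross-realm request through a transit realm, checked against [capaths], would guard against the bypass returning.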
|
||||
|
|