gnu: heimdal: Fix CVE-2017-{6594,11103}.

* gnu/packages/patches/heimdal-CVE-2017-6594.patch, gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
2024-11-07 07:26:13 -05:00 · 2017-07-20 15:30:12 -04:00 · 2017-07-20 15:30:12 -04:00 · 81c35029d4
commit 81c35029d4
parent cfd6a3b1ee
4 changed files with 134 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -691,6 +691,8 @@ dist_patch_DATA =						\
  %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
  %D%/packages/patches/hdf-eos5-fix-szip.patch			\
  %D%/packages/patches/hdf-eos5-fortrantests.patch		\
  %D%/packages/patches/heimdal-CVE-2017-6594.patch		\
  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
  %D%/packages/patches/hmmer-remove-cpu-specificity.patch	\
  %D%/packages/patches/higan-remove-march-native-flag.patch	\
  %D%/packages/patches/hubbub-sort-entities.patch		\
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@ -144,6 +144,8 @@ (define-public heimdal
              (sha256
               (base32
                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
              (patches (search-patches "heimdal-CVE-2017-6594.patch"
                                       "heimdal-CVE-2017-11103.patch"))
              (modules '((guix build utils)))
              (snippet
               '(substitute* "configure"
--- a/gnu/packages/patches/heimdal-CVE-2017-11103.patch
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@ -0,0 +1,45 @@
 Fix CVE-2017-11103:
 https://orpheus-lyre.info/
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
 https://security-tracker.debian.org/tracker/CVE-2017-11103
 Patch lifted from upstream source repository:
 https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
 From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
 From: Jeffrey Altman <jaltman@secure-endpoints.com>
 Date: Wed, 12 Apr 2017 15:40:42 -0400
 Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
 In _krb5_extract_ticket() the KDC-REP service name must be obtained from
 encrypted version stored in 'enc_part' instead of the unencrypted version
 stored in 'ticket'.  Use of the unecrypted version provides an
 opportunity for successful server impersonation and other attacks.
 Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
 Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
 ---
 lib/krb5/ticket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
 index d95d96d1b..b8d81c6ad 100644
 --- a/lib/krb5/ticket.c
 +++ b/lib/krb5/ticket.c
@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
 -					      rep->kdc_rep.ticket.sname,
 -					      rep->kdc_rep.ticket.realm);
 +					      rep->enc_part.sname,
 +					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
 -- 
 2.13.3
--- a/gnu/packages/patches/heimdal-CVE-2017-6594.patch
+++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
@ -0,0 +1,85 @@
 Fix CVE-2017-6594:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
 https://security-tracker.debian.org/tracker/CVE-2017-6594
 Patch lifted from upstream source repository:
 https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
 To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
 files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
 From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
 From: Viktor Dukhovni <viktor@twosigma.com>
 Date: Wed, 10 Aug 2016 23:31:14 +0000
 Subject: [PATCH] Fix transit path validation CVE-2017-6594
 Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
 to not be added to the transit path of issued tickets.  This may, in
 some cases, enable bypass of capath policy in Heimdal versions 1.5
 through 7.2.
 Note, this may break sites that rely on the bug.  With the bug some
 incomplete [capaths] worked, that should not have.  These may now break
 authentication in some cross-realm configurations.
 ---
 NEWS                   | 14 ++++++++++++++
 kdc/krb5tgs.c          | 12 ++++++++++--
 tests/kdc/check-kdc.in | 17 +++++++++++++++++
 tests/kdc/krb5.conf.in |  4 ++++
 4 files changed, 45 insertions(+), 2 deletions(-)
 diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
 index 6048b9c55..98503812f 100644
 --- a/kdc/krb5tgs.c
 +++ b/kdc/krb5tgs.c
@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
 		  "Decoding transited encoding");
 	return ret;
     }
 +
 +    /*
 +     * If the realm of the presented tgt is neither the client nor the server
 +     * realm, it is a transit realm and must be added to transited set.
 +     */
     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
 -	/* not us, so add the previous realm to transited set */
 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
 	    ret = ERANGE;
 	    goto free_realms;
@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
 	       const char *server_name,
 	       hdb_entry_ex *client,
 	       krb5_principal client_principal,
 +               const char *tgt_realm,
 	       hdb_entry_ex *krbtgt,
 	       krb5_enctype krbtgt_etype,
 	       krb5_principals spp,
@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
 				 &tgt->transited, &et,
 				 krb5_principal_get_realm(context, client_principal),
 				 krb5_principal_get_realm(context, server->entry.principal),
 -				 krb5_principal_get_realm(context, krbtgt->entry.principal));
 +				 tgt_realm);
     if(ret)
 	goto out;
@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
 +    const char *tgt_realm = /* Realm of TGT issuer */
 +        krb5_principal_get_realm(context, krbtgt->entry.principal);
@@ -2324,6 +2331,7 @@ server_lookup:
 			 spn,
 			 client,
 			 cp,
 +                         tgt_realm,
 			 krbtgt_out,
 			 tkey_sign->key.keytype,
 			 spp,
 -- 
 2.13.3