
Please test heimdal packages



Hi,
I've uploaded heimdal packages fixing CVE-2017-11103 to

    https://people.debian.org/~agx/debian-lts/

please give them a try. I've tested a KDC and several client
applications so far but didn't test any replication. The debdiff is
attached.
Cheers,
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index af43ef3..9349d61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+heimdal (1.6~git20120403+dfsg1-2+deb7u1) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation.
+    (Closes: #868208)
+
+ -- Guido Günther <agx@sigxcpu.org>  Thu, 13 Jul 2017 09:56:50 +0200
+
 heimdal (1.6~git20120403+dfsg1-2) unstable; urgency=low
 
   * Enable libcap-ng-dev only on Linux. Fixes FTBFS on kfreebsd-* and
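Review bot: the changelog entry names the CVE and closes #868208 but does not say which side of the protocol the fix lands on; the patch below touches only lib/krb5/ticket.c (_krb5_extract_ticket, the client-side ticket extraction in libkrb5), so the entry should make clear that every client application linked against libkrb5 needs to be restarted after the upgrade, not just the KDC. A short line under the CVE bullet, e.g. "Client applications linked against libkrb5 must be restarted.", would save LTS users from assuming a KDC restart is enough.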
diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
new file mode 100644
index 0000000..18bdbbd
--- /dev/null
+++ b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 13 Jul 2017 09:55:39 +0200
+Subject: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index 979d5ff..6927763 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -758,8 +758,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
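Review bot: the hunk only swaps the source of the two principal-name arguments and ends at the `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` check, so please confirm that nothing after that line (outside the hunk) still reads `rep->kdc_rep.ticket.sname` or `rep->kdc_rep.ticket.realm` for the mismatch comparison or for the server principal that gets saved into the credentials; only the decrypted `enc_part` fields are KDC-authenticated, the outer ticket fields are not, which is the whole point of the fix. Separately, the patch header carries From/Date/Subject and an upstream `Change-Id` but no DEP-3 `Origin:` line pointing at the upstream Heimdal commit and no `Bug-Debian: https://bugs.debian.org/868208`; add both so the backport can be traced when the next LTS upload touches this file.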
diff --git a/debian/patches/series b/debian/patches/series
index 05811da..28c3b5b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ nfs_des
 041_hurd_maxhostnamelen
 installsh
 042_hurd_path_max
+CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
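Review bot: style point only: the other entries in series (nfs_des, 041_hurd_maxhostnamelen, installsh, 042_hurd_path_max) carry no `.patch` suffix, so the new `CVE-2017-11103-...-validati.patch` name is inconsistent with the existing convention; either drop the suffix to match or leave it, since quilt accepts both, but the truncated `validati` in the filename also reads as an accident of a name-length limit and could be shortened to `CVE-2017-11103` outright.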
