Hi, I've uploaded heimdal packages fixing CVE-2017-11103 to https://people.debian.org/~agx/debian-lts/. Please give them a try. I've tested a KDC and several client applications so far but didn't test any replication. The debdiff is attached. Cheers, -- Guido
diff --git a/debian/changelog b/debian/changelog index af43ef3..9349d61 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +heimdal (1.6~git20120403+dfsg1-2+deb7u1) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation. + (Closes: #868208) + + -- Guido Günther <agx@sigxcpu.org> Thu, 13 Jul 2017 09:56:50 +0200 + heimdal (1.6~git20120403+dfsg1-2) unstable; urgency=low * Enable libcap-ng-dev only on Linux. Fixes FTBFS on kfreebsd-* and diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch new file mode 100644 index 0000000..18bdbbd --- /dev/null +++ b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch 
@@ -0,0 +1,31 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org> +Date: Thu, 13 Jul 2017 09:55:39 +0200 +Subject: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + +In _krb5_extract_ticket() the KDC-REP service name must be obtained from +encrypted version stored in 'enc_part' instead of the unencrypted version +stored in 'ticket'. Use of the unecrypted version provides an +opportunity for successful server impersonation and other attacks. + +Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. + +Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c +--- + lib/krb5/ticket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c +index 979d5ff..6927763 100644 +--- a/lib/krb5/ticket.c ++++ b/lib/krb5/ticket.c +@@ -758,8 +758,8 @@ _krb5_extract_ticket(krb5_context context, + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ diff --git a/debian/patches/series b/debian/patches/series index 05811da..28c3b5b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,3 +11,4 @@ nfs_des 041_hurd_maxhostnamelen installsh 042_hurd_path_max +CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
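Review bot: the ticket.c hunk inside the new patch file relies on rep->enc_part already having been decrypted and verified at the point where _krb5_extract_ticket builds tmp_principal; the three lines of context shown do not include that step, so please confirm the decryption of enc_part precedes this block in the wheezy source, otherwise sname/srealm would be read from an uninitialised structure. The switch from rep->kdc_rep.ticket.sname / .realm to rep->enc_part.sname / .srealm is the correct direction, since only the encrypted part is authenticated to the client; it would be worth adding a sentence to the patch description saying that the EXTRACT_TICKET_ALLOW_SERVER_MISMATCH comparison a few lines below now operates on the authenticated name, because that is what closes the impersonation window.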
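Review bot: the header of debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch has From:, Date:, Subject: and a Change-Id: but no DEP-3 Origin: or Bug-Debian: line; add `Origin: upstream, <upstream commit URL>` (placeholder, the upstream reference is not in this debdiff) and `Bug-Debian: https://bugs.debian.org/868208` so the provenance of the backport can be checked from the patch alone. The description also has a typo, "unecrypted" should read "unencrypted".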