
Bug#860288: marked as done (unblock: heimdal/7.1.0+dfsg-12)



Your message dated Fri, 14 Apr 2017 13:11:10 +0000
with message-id <E1cz10I-0005eg-1B@respighi.debian.org>
and subject line unblock heimdal
has caused the Debian Bug report #860288,
regarding unblock: heimdal/7.1.0+dfsg-12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860288
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package heimdal

Security update from upstream for CVE-2017-6594. See
https://www.h5l.org/releases.html?show=7.3.0

diff -Nru heimdal-7.1.0+dfsg/debian/changelog heimdal-7.1.0+dfsg/debian/changelog
--- heimdal-7.1.0+dfsg/debian/changelog	2017-04-08 11:38:13.000000000 +1000
+++ heimdal-7.1.0+dfsg/debian/changelog	2017-04-10 17:21:35.000000000 +1000
@@ -1,3 +1,9 @@
+heimdal (7.1.0+dfsg-12) unstable; urgency=high
+
+  * Fix transit path validation CVE-2017-6594.
+
+ -- Brian May <bam@debian.org>  Mon, 10 Apr 2017 17:21:35 +1000
+
 heimdal (7.1.0+dfsg-11) unstable; urgency=medium
 
   * Remove legacy provides/conflicts/replaces headers. Old daemons
diff -Nru heimdal-7.1.0+dfsg/debian/patches/CVE-2017-6594 heimdal-7.1.0+dfsg/debian/patches/CVE-2017-6594
--- heimdal-7.1.0+dfsg/debian/patches/CVE-2017-6594	1970-01-01 10:00:00.000000000 +1000
+++ heimdal-7.1.0+dfsg/debian/patches/CVE-2017-6594	2017-04-10 17:21:35.000000000 +1000
@@ -0,0 +1,163 @@
+commit d7bf245e793a9f9ec565e07dae9372597c0ece69
+Author: Viktor Dukhovni <viktor@twosigma.com>
+Date:   Wed Aug 10 23:31:14 2016 +0000
+
+    Fix transit path validation CVE-2017-6594
+    
+    Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
+    to not be added to the transit path of issued tickets.  This may, in
+    some cases, enable bypass of capath policy in Heimdal versions 1.5
+    through 7.2.
+    
+    Note, this may break sites that rely on the bug.  With the bug some
+    incomplete [capaths] worked, that should not have.  These may now break
+    authentication in some cross-realm configurations.
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 6048b9c55..98503812f 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
+ 		  "Decoding transited encoding");
+ 	return ret;
+     }
++
++    /*
++     * If the realm of the presented tgt is neither the client nor the server
++     * realm, it is a transit realm and must be added to transited set.
++     */
+     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+-	/* not us, so add the previous realm to transited set */
+ 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ 	    ret = ERANGE;
+ 	    goto free_realms;
+@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
+ 	       const char *server_name,
+ 	       hdb_entry_ex *client,
+ 	       krb5_principal client_principal,
++               const char *tgt_realm,
+ 	       hdb_entry_ex *krbtgt,
+ 	       krb5_enctype krbtgt_etype,
+ 	       krb5_principals spp,
+@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
+ 				 &tgt->transited, &et,
+ 				 krb5_principal_get_realm(context, client_principal),
+ 				 krb5_principal_get_realm(context, server->entry.principal),
+-				 krb5_principal_get_realm(context, krbtgt->entry.principal));
++				 tgt_realm);
+     if(ret)
+ 	goto out;
+ 
+@@ -1519,6 +1524,8 @@ tgs_build_reply(krb5_context context,
+     krb5_keyblock sessionkey;
+     krb5_kvno kvno;
+     krb5_data rspac;
++    const char *tgt_realm = /* Realm of TGT issuer */
++        krb5_principal_get_realm(context, krbtgt->entry.principal);
+     const char *our_realm = /* Realm of this KDC */
+         krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
+     char **capath = NULL;
+@@ -2324,6 +2331,7 @@ server_lookup:
+ 			 spn,
+ 			 client,
+ 			 cp,
++                         tgt_realm,
+ 			 krbtgt_out,
+ 			 tkey_sign->key.keytype,
+ 			 spp,
+diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
+index 235113425..f6e78ccac 100644
+--- a/tests/kdc/check-kdc.in
++++ b/tests/kdc/check-kdc.in
+@@ -53,6 +53,7 @@ R4=TEST4.H5L.SE
+ R5=SOME-REALM5.FR
+ R6=SOME-REALM6.US
+ R7=SOME-REALM7.UK
++R8=SOME-REALM8.UK
+ 
+ H1=H1.$R
+ H2=H2.$R
+@@ -152,6 +153,12 @@ ${kadmin} \
+     init \
+     --realm-max-ticket-life=1day \
+     --realm-max-renewable-life=1month \
++    ${R8} || exit 1
++
++${kadmin} \
++    init \
++    --realm-max-ticket-life=1day \
++    --realm-max-renewable-life=1month \
+     ${H1} || exit 1
+ 
+ ${kadmin} \
+@@ -191,6 +198,7 @@ ${kadmin} add -p foo --use-defaults foo@${R4} || exit 1
+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+@@ -249,6 +257,9 @@ ${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+ 
++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
++
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+ 
+@@ -284,6 +295,7 @@ ${kadmin} check ${R4} || exit 1
+ ${kadmin5} check ${R5} || exit 1
+ ${kadmin} check ${R6} || exit 1
+ ${kadmin} check ${R7} || exit 1
++${kadmin} check ${R8} || exit 1
+ ${kadmin} check ${H1} || exit 1
+ ${kadmin} check ${H2} || exit 1
+ ${kadmin} check ${H3} || exit 1
+@@ -388,6 +400,8 @@ echo "Getting x-realm tickets with capaths for $R -> $R6"
+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with capaths for $R -> $R7"
+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
++echo "Should not get x-realm tickets with capaths for $R -> $R8"
++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ 
+ echo "Testing capaths logic (reverse order)"
+@@ -418,10 +432,13 @@ ${kinit} --password-file=${objdir}/foopassword \
+ 
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ 
+ echo "Testing multi-hop [capaths] referral logic"
+diff --git a/tests/kdc/krb5.conf.in b/tests/kdc/krb5.conf.in
+index cc2dedb2d..849e773d0 100644
+--- a/tests/kdc/krb5.conf.in
++++ b/tests/kdc/krb5.conf.in
+@@ -40,6 +40,9 @@
+ 	SOME-REALM7.UK = {
+ 		kdc = localhost:@port@
+ 	}
++	SOME-REALM8.UK = {
++		kdc = localhost:@port@
++	}
+ 	TEST-HTTP.H5L.SE = {
+ 		kdc = http/localhost:@port@
+ 	}
+@@ -147,6 +150,7 @@
+ 		SOME-REALM6.US = SOME-REALM5.FR
+ 		SOME-REALM7.UK = SOME-REALM6.US
+ 		SOME-REALM7.UK = SOME-REALM5.FR
++		SOME-REALM8.UK = SOME-REALM6.US
+ 	}
+         H4.H2.TEST.H5L.SE = {
+                 H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
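Review bot: The added parameter line `const char *tgt_realm,` in the tgs_make_reply prototype, and the matching `tgt_realm,` argument at the server_lookup call site, are indented with spaces while the neighbouring parameter lines use tabs, so the patched kdc/krb5tgs.c will carry a whitespace inconsistency; re-indenting both with a tab matches the surrounding lines. The new declaration comment `/* Realm of TGT issuer */` would be more useful if it recorded why the value is computed in tgs_build_reply rather than in tgs_make_reply: the removed line derived the realm from tgs_make_reply's `krbtgt` parameter, which the call site appears to bind to `krbtgt_out`, so something like `/* Realm of the TGT presented in the request; tgs_make_reply's krbtgt is the outgoing krbtgt, so it cannot be derived there */` would capture the reason for the extra parameter. In the check-kdc.in additions, `fgrep` is the deprecated spelling of `grep -F`; whether the rest of the script already uses `grep -F` is not visible here. The enclosing functions fix_transited_encoding, tgs_make_reply and tgs_build_reply all start and end outside the quoted hunks.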
diff -Nru heimdal-7.1.0+dfsg/debian/patches/series heimdal-7.1.0+dfsg/debian/patches/series
--- heimdal-7.1.0+dfsg/debian/patches/series	2017-04-08 11:38:13.000000000 +1000
+++ heimdal-7.1.0+dfsg/debian/patches/series	2017-04-10 17:21:35.000000000 +1000
@@ -14,3 +14,4 @@
 check_iprop_races
 disable_iprop
 canonical_host
+CVE-2017-6594

unblock heimdal/7.1.0+dfsg-12

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Unblocked heimdal.

--- End Message ---
