aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfeld <feld@FreeBSD.org>2017-06-09 23:57:30 +0800
committerfeld <feld@FreeBSD.org>2017-06-09 23:57:30 +0800
commitda6df02c22e94b3a3868cf95306416d21f067f44 (patch)
tree3db7e5b59d607733c734e50fcacb966957c2bcc7
parent0c1052e70ad4881f7dd3506adb4eff1148077cb4 (diff)
downloadfreebsd-ports-gnome-da6df02c22e94b3a3868cf95306416d21f067f44.tar.gz
freebsd-ports-gnome-da6df02c22e94b3a3868cf95306416d21f067f44.tar.zst
freebsd-ports-gnome-da6df02c22e94b3a3868cf95306416d21f067f44.zip
security/heimdal: Backport security fix
PR: 219657 MFH: 2017Q2 Security: CVE-2017-6594
-rw-r--r--security/heimdal/Makefile2
-rw-r--r--security/heimdal/files/patch-CVE-2017-6594168
2 files changed, 169 insertions, 1 deletions
diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 9ddcf2e07b76..3db24d757ce3 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -3,7 +3,7 @@
PORTNAME= heimdal
PORTVERSION= 7.1.0
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security ipv6
MASTER_SITES= http://www.h5l.org/dist/src/ \
http://ftp.pdc.kth.se/pub/heimdal/src/ \
diff --git a/security/heimdal/files/patch-CVE-2017-6594 b/security/heimdal/files/patch-CVE-2017-6594
new file mode 100644
index 000000000000..0a44a32b648d
--- /dev/null
+++ b/security/heimdal/files/patch-CVE-2017-6594
@@ -0,0 +1,168 @@
+diff -ru NEWS NEWS
+--- NEWS 2016-11-29 01:35:27.000000000 +0000
++++ NEWS 2017-06-03 15:23:36.264325000 +0000
+@@ -1,4 +1,18 @@
+-Release Notes - Heimdal - Version Heimdal 1.6
++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
++
++ Security
++
++ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
++ caused the previous hop realm to not be added to the transit path
++ of issued tickets. This may, in some cases, enable bypass of capath
++ policy in Heimdal versions 1.5 through 7.2.
++
++ Note, this may break sites that rely on the bug. With the bug some
++ incomplete [capaths] worked, that should not have. These may now break
++ authentication in some cross-realm configurations.
++ (CVE-2017-6594)
++
++Release Notes - Heimdal - Version Heimdal 7.1
+
+ Security
+ - ...
+diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
+--- kdc/krb5tgs.c 2016-11-29 01:35:27.000000000 +0000
++++ kdc/krb5tgs.c 2017-06-03 15:23:36.271738000 +0000
+@@ -655,8 +655,12 @@
+ "Decoding transited encoding");
+ return ret;
+ }
++
++ /*
++ * If the realm of the presented tgt is neither the client nor the server
++ * realm, it is a transit realm and must be added to transited set.
++ */
+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+- /* not us, so add the previous realm to transited set */
+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ ret = ERANGE;
+ goto free_realms;
+@@ -737,6 +741,7 @@
+ const char *server_name,
+ hdb_entry_ex *client,
+ krb5_principal client_principal,
++ const char *tgt_realm,
+ hdb_entry_ex *krbtgt,
+ krb5_enctype krbtgt_etype,
+ krb5_principals spp,
+@@ -798,7 +803,7 @@
+ &tgt->transited, &et,
+ krb5_principal_get_realm(context, client_principal),
+ krb5_principal_get_realm(context, server->entry.principal),
+- krb5_principal_get_realm(context, krbtgt->entry.principal));
++ tgt_realm);
+ if(ret)
+ goto out;
+
+@@ -1519,6 +1524,8 @@
+ krb5_keyblock sessionkey;
+ krb5_kvno kvno;
+ krb5_data rspac;
++ const char *tgt_realm = /* Realm of TGT issuer */
++ krb5_principal_get_realm(context, krbtgt->entry.principal);
+ const char *our_realm = /* Realm of this KDC */
+ krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
+ char **capath = NULL;
+@@ -2324,6 +2331,7 @@
+ spn,
+ client,
+ cp,
++ tgt_realm,
+ krbtgt_out,
+ tkey_sign->key.keytype,
+ spp,
+diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
+--- tests/kdc/check-kdc.in 2016-12-14 18:01:18.000000000 +0000
++++ tests/kdc/check-kdc.in 2017-06-03 15:23:36.276571000 +0000
+@@ -53,6 +53,7 @@
+ R5=SOME-REALM5.FR
+ R6=SOME-REALM6.US
+ R7=SOME-REALM7.UK
++R8=SOME-REALM8.UK
+
+ H1=H1.$R
+ H2=H2.$R
+@@ -152,6 +153,12 @@
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
++ ${R8} || exit 1
++
++${kadmin} \
++ init \
++ --realm-max-ticket-life=1day \
++ --realm-max-renewable-life=1month \
+ ${H1} || exit 1
+
+ ${kadmin} \
+@@ -191,6 +198,7 @@
+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+@@ -249,6 +257,9 @@
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+
++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
++
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+
+@@ -284,6 +295,7 @@
+ ${kadmin5} check ${R5} || exit 1
+ ${kadmin} check ${R6} || exit 1
+ ${kadmin} check ${R7} || exit 1
++${kadmin} check ${R8} || exit 1
+ ${kadmin} check ${H1} || exit 1
+ ${kadmin} check ${H2} || exit 1
+ ${kadmin} check ${H3} || exit 1
+@@ -388,6 +400,8 @@
+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with capaths for $R -> $R7"
+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
++echo "Should not get x-realm tickets with capaths for $R -> $R8"
++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Testing capaths logic (reverse order)"
+@@ -418,10 +432,13 @@
+
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Testing multi-hop [capaths] referral logic"
+diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
+--- tests/kdc/krb5.conf.in 2016-11-29 01:35:28.000000000 +0000
++++ tests/kdc/krb5.conf.in 2017-06-03 15:23:36.278848000 +0000
+@@ -40,6 +40,9 @@
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
++ SOME-REALM8.UK = {
++ kdc = localhost:@port@
++ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+@@ -147,6 +150,7 @@
+ SOME-REALM6.US = SOME-REALM5.FR
+ SOME-REALM7.UK = SOME-REALM6.US
+ SOME-REALM7.UK = SOME-REALM5.FR
++ SOME-REALM8.UK = SOME-REALM6.US
+ }
+ H4.H2.TEST.H5L.SE = {
+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE