-rw-r--r-- | security/heimdal/Makefile | 2 | ||||
-rw-r--r-- | security/heimdal/files/patch-CVE-2017-6594 | 168 |
2 files changed, 169 insertions, 1 deletions
diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 9ddcf2e07b76..3db24d757ce3 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= heimdal
 PORTVERSION= 7.1.0
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= security ipv6
 MASTER_SITES= http://www.h5l.org/dist/src/ \
 http://ftp.pdc.kth.se/pub/heimdal/src/ \
diff --git a/security/heimdal/files/patch-CVE-2017-6594 b/security/heimdal/files/patch-CVE-2017-6594
new file mode 100644
index 000000000000..0a44a32b648d
--- /dev/null
+++ b/security/heimdal/files/patch-CVE-2017-6594
@@ -0,0 +1,168 @@
+diff -ru NEWS NEWS
+--- NEWS 2016-11-29 01:35:27.000000000 +0000
++++ NEWS 2017-06-03 15:23:36.264325000 +0000
+@@ -1,4 +1,18 @@
+-Release Notes - Heimdal - Version Heimdal 1.6
++Release Notes - Heimdal - Version Heimdal 7.1.0,2 (FreeBSD port)
++
++ Security
++
++ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
++ caused the previous hop realm to not be added to the transit path
++ of issued tickets. This may, in some cases, enable bypass of capath
++ policy in Heimdal versions 1.5 through 7.2.
++
++ Note, this may break sites that rely on the bug. With the bug some
++ incomplete [capaths] worked, that should not have. These may now break
++ authentication in some cross-realm configurations.
++ (CVE-2017-6594)
++
++Release Notes - Heimdal - Version Heimdal 7.1
+
+ Security
+ - ...
+diff -ru kdc/krb5tgs.c kdc/krb5tgs.c
+--- kdc/krb5tgs.c 2016-11-29 01:35:27.000000000 +0000
++++ kdc/krb5tgs.c 2017-06-03 15:23:36.271738000 +0000
+@@ -655,8 +655,12 @@
+ "Decoding transited encoding");
+ return ret;
+ }
++
++ /*
++ * If the realm of the presented tgt is neither the client nor the server
++ * realm, it is a transit realm and must be added to transited set.
++ */
+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+- /* not us, so add the previous realm to transited set */
+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ ret = ERANGE;
+ goto free_realms;
+@@ -737,6 +741,7 @@
+ const char *server_name,
+ hdb_entry_ex *client,
+ krb5_principal client_principal,
++ const char *tgt_realm,
+ hdb_entry_ex *krbtgt,
+ krb5_enctype krbtgt_etype,
+ krb5_principals spp,
+@@ -798,7 +803,7 @@
+ &tgt->transited, &et,
+ krb5_principal_get_realm(context, client_principal),
+ krb5_principal_get_realm(context, server->entry.principal),
+- krb5_principal_get_realm(context, krbtgt->entry.principal));
++ tgt_realm);
+ if(ret)
+ goto out;
+
+@@ -1519,6 +1524,8 @@
+ krb5_keyblock sessionkey;
+ krb5_kvno kvno;
+ krb5_data rspac;
++ const char *tgt_realm = /* Realm of TGT issuer */
++ krb5_principal_get_realm(context, krbtgt->entry.principal);
+ const char *our_realm = /* Realm of this KDC */
+ krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
+ char **capath = NULL;
+@@ -2324,6 +2331,7 @@
+ spn,
+ client,
+ cp,
++ tgt_realm,
+ krbtgt_out,
+ tkey_sign->key.keytype,
+ spp,
+diff -ru tests/kdc/check-kdc.in tests/kdc/check-kdc.in
+--- tests/kdc/check-kdc.in 2016-12-14 18:01:18.000000000 +0000
++++ tests/kdc/check-kdc.in 2017-06-03 15:23:36.276571000 +0000
+@@ -53,6 +53,7 @@
+ R5=SOME-REALM5.FR
+ R6=SOME-REALM6.US
+ R7=SOME-REALM7.UK
++R8=SOME-REALM8.UK
+
+ H1=H1.$R
+ H2=H2.$R
+@@ -152,6 +153,12 @@
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
++ ${R8} || exit 1
++
++${kadmin} \
++ init \
++ --realm-max-ticket-life=1day \
++ --realm-max-renewable-life=1month \
+ ${H1} || exit 1
+
+ ${kadmin} \
+@@ -191,6 +198,7 @@
+ ${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
++${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+ ${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+@@ -249,6 +257,9 @@
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+
++${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
++${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
++
+ ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+ ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+
+@@ -284,6 +295,7 @@
+ ${kadmin5} check ${R5} || exit 1
+ ${kadmin} check ${R6} || exit 1
+ ${kadmin} check ${R7} || exit 1
++${kadmin} check ${R8} || exit 1
+ ${kadmin} check ${H1} || exit 1
+ ${kadmin} check ${H2} || exit 1
+ ${kadmin} check ${H3} || exit 1
+@@ -388,6 +400,8 @@
+ ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with capaths for $R -> $R7"
+ ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
++echo "Should not get x-realm tickets with capaths for $R -> $R8"
++${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Testing capaths logic (reverse order)"
+@@ -418,10 +432,13 @@
+
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+ ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+ ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+ ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
++fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Testing multi-hop [capaths] referral logic"
+diff -ru tests/kdc/krb5.conf.in tests/kdc/krb5.conf.in
+--- tests/kdc/krb5.conf.in 2016-11-29 01:35:28.000000000 +0000
++++ tests/kdc/krb5.conf.in 2017-06-03 15:23:36.278848000 +0000
+@@ -40,6 +40,9 @@
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
++ SOME-REALM8.UK = {
++ kdc = localhost:@port@
++ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+@@ -147,6 +150,7 @@
+ SOME-REALM6.US = SOME-REALM5.FR
+ SOME-REALM7.UK = SOME-REALM6.US
+ SOME-REALM7.UK = SOME-REALM5.FR
++ SOME-REALM8.UK = SOME-REALM6.US
+ }
+ H4.H2.TEST.H5L.SE = {
+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
|
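Review bot: The negative test added in the `+@@ -388,6 +400,8 @@` hunk of check-kdc.in, `${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }`, passes on any kgetcred failure, so a broken SOME-REALM8.UK setup or an unreachable KDC would be indistinguishable from the transit path actually being rejected. The hierarchical-referral cases in the same hunk already confirm the path taken by grepping messages.log, and the R8 case should do the same by grepping for the KDC's transit-check rejection of SOME-REALM8.UK (I have not verified the exact log text, so take it from a run rather than from this note). In the kdc/krb5tgs.c hunks the new `tgt_realm` parameter of the function at `+@@ -737,6 +741,7 @@` carries the whole fix: per the initializer comment at `+@@ -1519,6 +1524,8 @@` it is the realm that issued the presented TGT, which is not the realm of the `krbtgt` argument (the call site at `+@@ -2324,6 +2331,7 @@` passes `krbtgt_out`), yet that contract is not stated at the declaration, so I would write `const char *tgt_realm, /* realm that issued the presented TGT, not krbtgt's realm */`. Both changed C functions start and end outside these hunks, so their remaining uses of `krbtgt` were not reviewed. Separately, the NEWS heading added says `Version Heimdal 7.1.0,2 (FreeBSD port)` while the Makefile in this commit sets `PORTREVISION= 3`, so the label does not match the package that ships the fix.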