The branch releng/13.3 has been updated by cy:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=aac9dda7f8446c2c3badecb9fa3473ab008ee59b

commit aac9dda7f8446c2c3badecb9fa3473ab008ee59b
Author:     Cy Schubert <[email protected]>
AuthorDate: 2024-02-14 19:56:18 +0000
Commit:     Cy Schubert <[email protected]>
CommitDate: 2024-02-21 14:01:48 +0000

    Heimdal: Fix transit path validation CVE-2017-6594
    
    Apply upstream b1e699103. This fixes a bug introduced by upstream
    f469fc6 which may in some cases enable bypass of capath policy.
    
    Upstream writes in their commit log:
    
        Note, this may break sites that rely on the bug.  With the bug some
        incomplete [capaths] worked, that should not have.  These may now break
        authentication in some cross-realm configurations.
    
    Reported by:    emaste
    Security:       CVE-2017-6594
    Obtained from:  upstream b1e699103
    MFS requested by:       re (cperciva)
    Approved by:            re (cperciva)
    
    (cherry picked from commit f8041e3628bd70cf5562a9c13eb3d6af8463e720)
    (cherry picked from commit 9a7121454dc0f68af2687699d5feabf736692fa6)
---
 crypto/heimdal/kdc/krb5tgs.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/crypto/heimdal/kdc/krb5tgs.c b/crypto/heimdal/kdc/krb5tgs.c
index 19d669798830..cde869522e23 100644
--- a/crypto/heimdal/kdc/krb5tgs.c
+++ b/crypto/heimdal/kdc/krb5tgs.c
@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
                  "Decoding transited encoding");
        return ret;
     }
+
+    /*
+     * If the realm of the presented tgt is neither the client nor the server
+     * realm, it is a transit realm and must be added to transited set.
+     */     
     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
-       /* not us, so add the previous realm to transited set */
        if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
            ret = ERANGE;
            goto free_realms;
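Review bot: The closing line of the new comment block (`*/` above the `if`) carries trailing whitespace, which `git diff --check` flags; trim it to `     */`. The comment would also be more useful if it said where the realm comes from, because the `strcmp` check directly below only does what the comment promises when the caller passes the realm that issued the presented TGT rather than the realm of whatever krbtgt entry happens to be in scope; a second sentence such as `* tgt_realm is the realm that issued the presented TGT, as passed by the caller.` would pin that contract. The `if` body and the rest of fix_transited_encoding continue outside the hunk.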
@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
               const char *server_name,
               hdb_entry_ex *client,
               krb5_principal client_principal,
+              const char *tgt_realm,
               hdb_entry_ex *krbtgt,
               krb5_enctype krbtgt_etype,
               krb5_principals spp,
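Review bot: The new `tgt_realm` parameter is inserted right before `krbtgt`, and nothing in the signature says how it differs from `krbtgt`'s own realm; the call at L82–L89 shows the caller passing `krbtgt_out` for `krbtgt`, so the two realms presumably differ exactly in the cross-realm case this fix targets, and the distinction deserves a comment on the parameter: `const char *tgt_realm, /* realm that issued the presented TGT */`. The same applies to the hunk at L61–L72, where a one-line comment above `tgt_realm);` such as `/* issuer realm of the presented TGT, not krbtgt's realm */` would stop a future cleanup from reverting it to `krb5_principal_get_realm(context, krbtgt->entry.principal)`. tgs_make_reply's parameter list starts before this hunk and its body follows it.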
@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
                                 &tgt->transited, &et,
                                 krb5_principal_get_realm(context, 
client_principal),
                                 krb5_principal_get_realm(context, 
server->entry.principal),
-                                krb5_principal_get_realm(context, 
krbtgt->entry.principal));
+                                tgt_realm);
     if(ret)
        goto out;
 
@@ -1494,6 +1499,8 @@ tgs_build_reply(krb5_context context,
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
+    const char *tgt_realm = /* Realm of TGT issuer */
+        krb5_principal_get_realm(context, krbtgt->entry.principal);
 
     hdb_entry_ex *krbtgt_out = NULL;
 
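Review bot: `tgt_realm` is a borrowed pointer into `krbtgt->entry.principal`, so it is valid only as long as that entry is; it is not consumed until the `tgs_make_reply` call at L82–L89, and tgs_build_reply is long enough that a reader cannot tell from here whether `krbtgt` is released or reassigned in between, so the lifetime should be stated, e.g. `/* borrowed from krbtgt->entry.principal; valid while krbtgt is */`. The inline `/* Realm of TGT issuer */` wedged between `=` and the initializer would read more naturally on its own line above the declaration, where it could also name that `krbtgt` is presumably the entry that verified the presented TGT, in contrast to `krbtgt_out` declared just below. The function's declarations begin before this hunk.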
@@ -2240,6 +2247,7 @@ server_lookup:
                         spn,
                         client,
                         cp,
+                        tgt_realm,
                         krbtgt_out,
                         krbtgt_etype,
                         spp,
