Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Salvatore Bonaccorso writes:

> I just have prepared both and uploading to security-master for jessie-
> and stretch-security (the patch applied straightforward).

Thanks!
--
Brian May
Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Hi

On Sat, Jul 15, 2017 at 07:14:29PM +0200, Guido Günther wrote:
> Hi,
> On Sat, Jul 15, 2017 at 09:08:37PM +1000, Brian May wrote:
> > Guido Günther writes:
> >
> > > I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> > > know if you're o.k. with it and I'll reupload without delay.
> >
> > Thanks a lot for this.
> >
> > I just uploaded version 7.4.0 so your upload is not required.
>
> Great. Are you going to handle stable and oldstable as well?

I just have prepared both and uploading to security-master for jessie-
and stretch-security (the patch applied straightforward).

Regards,
Salvatore
Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Hi,
On Sat, Jul 15, 2017 at 09:08:37PM +1000, Brian May wrote:
> Guido Günther writes:
>
> > I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> > know if you're o.k. with it and I'll reupload without delay.
>
> Thanks a lot for this.
>
> I just uploaded version 7.4.0 so your upload is not required.

Great. Are you going to handle stable and oldstable as well?

Cheers,
-- Guido

> --
> Brian May
>
Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Guido Günther writes:

> I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> know if you're o.k. with it and I'll reupload without delay.

Thanks a lot for this.

I just uploaded version 7.4.0 so your upload is not required.
--
Brian May
Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Hi Brian,
I've uploaded heimdal with the attached debdiff to delayed/2. Let me
know if you're o.k. with it and I'll reupload without delay.

Cheers,
-- Guido

diff --git a/debian/changelog b/debian/changelog index ff30793..8d5c8be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +heimdal (7.1.0+dfsg-13.1) unstable; urgency=medium + + * Non-maintainer upload + * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation. +(Closes: #868208) + + -- Guido GüntherFri, 14 Jul 2017 14:43:35 +0200 + heimdal (7.1.0+dfsg-13) unstable; urgency=medium * Add missing symbols base64_decode and base64_encode back into diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch new file mode 100644 index 000..2ba14d8 --- /dev/null +++ b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch 
@@ -0,0 +1,30 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= +Date: Fri, 14 Jul 2017 14:41:53 +0200 +Subject: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + +In _krb5_extract_ticket() the KDC-REP service name must be obtained from +encrypted version stored in 'enc_part' instead of the unencrypted +version +stored in 'ticket'. Use of the unecrypted version provides an +opportunity for successful server impersonation and other attacks. + +Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. +--- + lib/krb5/ticket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c +index d95d96d..b8d81c6 100644 +--- a/lib/krb5/ticket.c b/lib/krb5/ticket.c +@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + _principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ diff --git a/debian/patches/series b/debian/patches/series index 4189cdf..1045627 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -16,3 +16,4 @@ disable_iprop canonical_host CVE-2017-6594 0018-Add-back-in-base64_encode-and-base64_decode.patch +CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
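Review bot: the new debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch carries only the git-format-patch From:/Date:/Subject: headers, so its provenance is not machine-readable by the DEP-3 tooling; add `Origin: upstream, https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea` and `Bug-Debian: https://bugs.debian.org/868208` lines above the description (that upstream commit URL is the one cited in the bug report). The lib/krb5/ticket.c hunk itself matches its description: the sname/srealm passed to _krb5_principalname2krb5_principal now come from the decrypted `enc_part` instead of the unauthenticated `ticket` portion of the KDC-REP, and that principal is what the EXTRACT_TICKET_ALLOW_SERVER_MISMATCH check immediately after the hunk operates on.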
Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Source: heimdal
Severity: grave
Tags: security patch
Version: 1.6~git20120403+dfsg1-2

Hi,

the following vulnerability was published for heimdal.

CVE-2017-11103[0]:
MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre

A dedicated website is here: https://orpheus-lyre.info/
The heimdal patch is here:
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea

All Debian releases are affected (from wheezy to sid).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11103
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103

Please adjust the affected versions in the BTS as needed.

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/