Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus' Lyre

2017-07-16 Thread Brian May
Salvatore Bonaccorso  writes:

> I have just prepared both and am uploading them to security-master for
> jessie- and stretch-security (the patch applied straightforwardly).

Thanks!
-- 
Brian May 



Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus' Lyre

2017-07-16 Thread Salvatore Bonaccorso
Hi

On Sat, Jul 15, 2017 at 07:14:29PM +0200, Guido Günther wrote:
> Hi,
> On Sat, Jul 15, 2017 at 09:08:37PM +1000, Brian May wrote:
> > Guido Günther  writes:
> > 
> > > I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> > > know if you're o.k. with it and I'll re-upload without delay.
> > 
> > Thanks a lot for this.
> > 
> > I just uploaded version 7.4.0 so your upload is not required.
> 
> Great. Are you going to handle stable and oldstable as well?

I have just prepared both and am uploading them to security-master for
jessie- and stretch-security (the patch applied straightforwardly).

Regards,
Salvatore



Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus' Lyre

2017-07-15 Thread Guido Günther
Hi,
On Sat, Jul 15, 2017 at 09:08:37PM +1000, Brian May wrote:
> Guido Günther  writes:
> 
> > I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> > know if you're o.k. with it and I'll re-upload without delay.
> 
> Thanks a lot for this.
> 
> I just uploaded version 7.4.0 so your upload is not required.

Great. Are you going to handle stable and oldstable as well?
Cheers,
 -- Guido

> -- 
> Brian May 
> 



Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus' Lyre

2017-07-15 Thread Brian May
Guido Günther  writes:

> I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> know if you're o.k. with it and I'll re-upload without delay.

Thanks a lot for this.

I just uploaded version 7.4.0 so your upload is not required.
-- 
Brian May 



Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus' Lyre

2017-07-14 Thread Guido Günther
Hi Brian,
I've uploaded heimdal with the attached debdiff to delayed/2. Let me
know if you're o.k. with it and I'll re-upload without delay.
Cheers,
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index ff30793..8d5c8be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+heimdal (7.1.0+dfsg-13.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+  * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation.
+(Closes: #868208)
+
+ -- Guido Günther   Fri, 14 Jul 2017 14:43:35 +0200
+
 heimdal (7.1.0+dfsg-13) unstable; urgency=medium
 
   * Add missing symbols base64_decode and base64_encode back into
diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
new file mode 100644
index 000..2ba14d8
--- /dev/null
+++ b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
@@ -0,0 +1,30 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= 
+Date: Fri, 14 Jul 2017 14:41:53 +0200
+Subject: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted
+version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d..b8d81c6 100644
+--- a/lib/krb5/ticket.c
 b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ 	  _principal,
+-	  rep->kdc_rep.ticket.sname,
+-	  rep->kdc_rep.ticket.realm);
++	  rep->enc_part.sname,
++	  rep->enc_part.srealm);
+ if (ret)
+ 	goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
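Review bot: please confirm that no later read of `rep->kdc_rep.ticket.sname` or `rep->kdc_rep.ticket.realm` survives in `_krb5_extract_ticket()` after this hunk (a grep over lib/krb5/ticket.c is enough), because the hunk only moves this single lookup to `rep->enc_part.sname` / `rep->enc_part.srealm` and any remaining use of the cleartext Ticket fields would reopen the same hole; the principal saved here for referral handling and the `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` comparison that follows are the two consumers visible in the context, and both now see the name from the decrypted EncKDCRepPart, which the client decrypted under a key it shares only with the KDC, rather than the unauthenticated Ticket fields a MitM can rewrite. On the patch header: since this is the upstream commit referenced in the bug, a DEP-3 `Origin: upstream, https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea` plus `Bug-Debian: https://bugs.debian.org/868208` would make that traceable, and the description has `unecrypted` for `unencrypted` and a stray line break after `version`.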
diff --git a/debian/patches/series b/debian/patches/series
index 4189cdf..1045627 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ disable_iprop
 canonical_host
 CVE-2017-6594
 0018-Add-back-in-base64_encode-and-base64_decode.patch
+CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch
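Review bot: the file name `CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-validati.patch` is cut mid-word (`validati`), which is what gbp-pq does with a long commit subject; the existing entry two lines up is plainly `CVE-2017-6594`, so naming this one `CVE-2017-11103.patch` (or spelling out `...-validation.patch`) would follow the series' own convention and avoid the truncated name, with the same rename applied to the new file's header in the debdiff.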

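The point the patch description makes, as an added example that is neither Heimdal's code nor anything posted in this thread: a toy C model of a KDC-REP that carries the service name twice, once in the cleartext Ticket and once in the EncKDCRepPart sealed under a key only the client and the KDC share. `extract_ticket(..., fixed = 0)` mirrors the pre-patch lookup from `ticket.sname`/`ticket.realm`, `fixed = 1` the patched lookup from `enc_part.sname`/`enc_part.srealm`, each followed by the same `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` comparison shown in the hunk. The struct names, the FNV-based toy sealing scheme, the client key and the principal names `host/fileserver.example.com`, `host/other.example.com` and `EXAMPLE.COM` are all assumptions made up for the illustration; the only thing the scenario relies on is that the cleartext Ticket fields can be rewritten in transit, which is what the commit message warns about.

```c
/* Added example, not Heimdal code: a toy model of the KDC-REP name check fixed by
 * CVE-2017-11103. Struct names, the sealing scheme and the principal names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 64
#define KEY_LEN 16
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 1

typedef struct { char sname[NAME_LEN]; char srealm[NAME_LEN]; } enc_kdc_rep_part;
typedef struct {
    struct { char sname[NAME_LEN]; char realm[NAME_LEN]; } ticket; /* cleartext copy; service-key part omitted */
    uint8_t enc_part[sizeof(enc_kdc_rep_part)]; /* EncKDCRepPart sealed under a key shared by client and KDC */
    uint64_t tag;                               /* toy authentication tag over enc_part */
} kdc_rep_t;

static char g_last_sname[NAME_LEN];             /* service name the client ended up saving */
const char *last_sname(void) { return g_last_sname; }

/* Toy keyed PRF (FNV-1a over salt, key, data), used both as keystream (data empty, salt = byte
 * index + 1) and as MAC (salt 0). Not cryptographic; it only has to change when bytes change. */
static uint64_t toy_prf(const uint8_t *key, const uint8_t *data, size_t len, uint64_t salt)
{
    uint64_t h = 0xcbf29ce484222325ULL ^ salt;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < len; i++)     { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}

static void toy_seal(const uint8_t *key, const enc_kdc_rep_part *plain, kdc_rep_t *rep)
{
    for (size_t i = 0; i < sizeof(*plain); i++)
        rep->enc_part[i] = ((const uint8_t *)plain)[i] ^ (uint8_t)toy_prf(key, NULL, 0, i + 1);
    rep->tag = toy_prf(key, rep->enc_part, sizeof(rep->enc_part), 0);   /* encrypt-then-MAC */
}

/* Returns 0 with *plain filled, or -1 if the tag does not verify. */
static int toy_open(const uint8_t *key, const kdc_rep_t *rep, enc_kdc_rep_part *plain)
{
    if (toy_prf(key, rep->enc_part, sizeof(rep->enc_part), 0) != rep->tag) return -1;
    for (size_t i = 0; i < sizeof(*plain); i++)
        ((uint8_t *)plain)[i] = rep->enc_part[i] ^ (uint8_t)toy_prf(key, NULL, 0, i + 1);
    return 0;
}

/* An honest KDC writes the same name into both copies. */
static void kdc_issue(const uint8_t *client_key, const char *sname, const char *srealm, kdc_rep_t *rep)
{
    enc_kdc_rep_part plain;
    memset(rep, 0, sizeof(*rep)); memset(&plain, 0, sizeof(plain));
    snprintf(plain.sname, NAME_LEN, "%s", sname); snprintf(plain.srealm, NAME_LEN, "%s", srealm);
    snprintf(rep->ticket.sname, NAME_LEN, "%s", sname); snprintf(rep->ticket.realm, NAME_LEN, "%s", srealm);
    toy_seal(client_key, &plain, rep);
}

/* Tail of _krb5_extract_ticket() as shown in the patch: save the principal (referral
 * handling), then require it to equal the request unless the caller allows a mismatch. */
static int check_server(const char *got_s, const char *got_r, const char *req_s, const char *req_r, int flags)
{
    snprintf(g_last_sname, NAME_LEN, "%s", got_s);
    if ((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0 &&
        (strcmp(got_s, req_s) != 0 || strcmp(got_r, req_r) != 0))
        return -2;                              /* server mismatch */
    return 0;                                   /* accepted */
}

/* fixed == 0: name from the cleartext Ticket (pre-fix). fixed == 1: name from the
 * decrypted EncKDCRepPart (post-fix). Returns -1 if enc_part does not decrypt. */
static int extract_ticket(const kdc_rep_t *rep, const uint8_t *client_key, int fixed,
                          const char *req_s, const char *req_r, int flags)
{
    enc_kdc_rep_part dec;
    if (toy_open(client_key, rep, &dec) != 0) return -1;  /* both variants need it: it holds the session key */
    return fixed ? check_server(dec.sname, dec.srealm, req_s, req_r, flags)
                 : check_server(rep->ticket.sname, rep->ticket.realm, req_s, req_r, flags);
}

/* Constructed scenario: the client asked for host/fileserver.example.com while the sealed
 * part names `issued`. An on-path attacker may rewrite the cleartext Ticket name to the
 * requested one or flip a byte of the sealed part. Returns extract_ticket()'s result. */
int run_scenario(const char *issued, int rewrite_cleartext, int corrupt_sealed, int flags, int fixed)
{
    static const uint8_t client_key[KEY_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    const char *req_s = "host/fileserver.example.com", *req_r = "EXAMPLE.COM";
    kdc_rep_t rep;
    kdc_issue(client_key, issued, req_r, &rep);
    if (rewrite_cleartext) snprintf(rep.ticket.sname, NAME_LEN, "%s", req_s);
    if (corrupt_sealed) rep.enc_part[0] ^= 0x01;
    return extract_ticket(&rep, client_key, fixed, req_s, req_r, flags);
}

int main(void)
{
    printf("cleartext rewritten: pre-fix %d, post-fix %d\n",
           run_scenario("host/other.example.com", 1, 0, 0, 0), run_scenario("host/other.example.com", 1, 0, 0, 1));
    return 0;
}
```

Running it prints `cleartext rewritten: pre-fix 0, post-fix -2`: the pre-fix path saves the attacker-chosen name and accepts the reply, the patched path saves the authenticated name and reports a server mismatch. Flipping a byte of the sealed part instead fails for both variants (`-1`), which is exactly why the copy under the client's key, not the cleartext Ticket, is the one a client may act on; with `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` set, as in referral handling, the patched path still records the authenticated name rather than whatever was written into the Ticket.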

Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus' Lyre

2017-07-12 Thread Raphael Hertzog
Source: heimdal
Severity: grave
Tags: security patch
Version: 1.6~git20120403+dfsg1-2

Hi,

the following vulnerability was published for heimdal.

CVE-2017-11103[0]: MitM attack, impersonation of the Kerberos client, known as
Orpheus' Lyre

A dedicated website is here:
https://orpheus-lyre.info/

The heimdal patch is here:
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea

All Debian releases are affected (from wheezy to sid).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103

Please adjust the affected versions in the BTS as needed.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/