Fix heimdal KDC-REP service name validation vulnerability [SA-17:05]

Approved by: so
2026-06-09 08:43:19 -04:00 · 2017-07-12 08:07:36 +00:00 · 2017-07-12 08:07:36 +00:00 · 2f211ff5a7
commit 2f211ff5a7
parent 8882afecbe
3 changed files with 8 additions and 4 deletions
--- a/6
+++ b/6
@ -16,7 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.

-20170427        p10     FreeBSD-SA-17:04.ipfilter
+20170712	p11	FreeBSD-SA-17:05.heimdal
+
+	Fix heimdal KDC-REP service name validation vulnerability.
+
+20170427	p10	FreeBSD-SA-17:04.ipfilter

 	Fix ipfilter(4) fragment handling panic. [SA-17:04]

--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
    /* check server referral and save principal */
    ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
    if (ret)
 	goto out;
    if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@ -32,7 +32,7 @@

 TYPE="FreeBSD"
 REVISION="11.0"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi