[Pkg-samba-maint] [samba] 02/03: Patch for "CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation" (Closes: #868209)

Mathieu Parent sathieu at moszumanska.debian.org
Thu Jul 13 13:02:21 UTC 2017


This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to branch jessie
in repository samba.

commit b211aae75d56e5a5fa7bd1481209d2d55345ccce
Author: Mathieu Parent <math.parent at gmail.com>
Date:   Wed Jul 12 23:20:53 2017 +0200

    Patch for "CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation" (Closes: #868209)
---
 ...103-Orpheus-Lyre-KDC-REP-service-name-val.patch | 42 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 43 insertions(+)

diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch
new file mode 100644
index 0000000..654cc67
--- /dev/null
+++ b/debian/patches/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch
@@ -0,0 +1,42 @@
+From fd4c30bf5266b0d3a8c9cb3a6ac44d4f7ee3ac75 Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman at secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
+(based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)
+
+Signed-off-by: Andrew Bartlett <abartlet at samba.org>
+Reviewed-by: Garming Sam <garming at catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze at samba.org>
+---
+ source4/heimdal/lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
+index 064bbfbb33c..5a317c7b971 100644
+--- a/source4/heimdal/lib/krb5/ticket.c
++++ b/source4/heimdal/lib/krb5/ticket.c
+@@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.2
+
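Review bot: The embedded Heimdal fix itself is minimal and correct for the bug described: `ticket.sname`/`ticket.realm` sit in the cleartext part of the KDC-REP, so anyone on the path can rewrite them, whereas `enc_part.sname`/`enc_part.srealm` are inside the part encrypted under the client's key and are what the `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` check should be comparing against. What is missing from the Debian patch file is DEP-3 metadata: the header carries the upstream git `From:` line and a `BUG:` pointing at bugzilla.samba.org, but no `Origin: upstream, https://.../fd4c30bf5266b0d3a8c9cb3a6ac44d4f7ee3ac75` and no `Bug-Debian: https://bugs.debian.org/868209` line matching the `Closes: #868209` in the commit subject. Adding those two lines above the `---` separator would make the provenance of the backport visible to `quilt`-based tooling and to security-tracker cross-references. Also confirm that the jessie `source4/heimdal/lib/krb5/ticket.c` matches the `@@ -641,8 +641,8 @@` context so the patch applies without fuzz when the series is refreshed.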
diff --git a/debian/patches/series b/debian/patches/series
index 3ec3c32..7c564c1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ fix-shadow_copy2-42-backport.patch
 shadow_copy2_tests_42.patch
 Fix-deadlock-when-re-joining-a-domain.patch
 CVE-2017-7494.patch
+CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch
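Review bot: Appending the new patch after `CVE-2017-7494.patch` is the right position in `series`, and the filename matches the file added in the first diff. The diffstat at the top shows only two files changed, though, so this commit carries no `debian/changelog` entry; the `Closes: #868209` in the git subject will not close the bug on upload unless the changelog for the jessie security update lists `CVE-2017-11103` and `(Closes: #868209)`. Suggest a follow-up commit with that changelog stanza so the fix is tracked by the security tracker and the BTS.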

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git