[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Oct 20 10:59:02 UTC 2021


The branch, master has been updated
       via  7e961f3f7a8 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
      from  83a654a4efd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7e961f3f7a815960ae25377d5b7515184d439690
Author: Viktor Dukhovni <viktor at twosigma.com>
Date:   Wed Aug 10 23:31:14 2016 +0000

    HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
    
    Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
    to not be added to the transit path of issued tickets.  This may, in
    some cases, enable bypass of capath policy in Heimdal versions 1.5
    through 7.2.
    
    Note, this may break sites that rely on the bug.  With the bug some
    incomplete [capaths] worked, that should not have.  These may now break
    authentication in some cross-realm configurations.
    
    (similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/kdc/krb5tgs.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 2de3b099199..7e9379db64a 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -409,8 +409,12 @@ fix_transited_encoding(krb5_context context,
 		  "Decoding transited encoding");
 	return ret;
     }
+
+    /*
+     * If the realm of the presented tgt is neither the client nor the server
+     * realm, it is a transit realm and must be added to transited set.
+     */
     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
-	/* not us, so add the previous realm to transited set */
 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
 	    ret = ERANGE;
 	    goto free_realms;
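Review bot: The condition in fix_transited_encoding() relies on implicit truthiness of strcmp(), which is easy to misread as "equal" in a security-relevant check; writing it as strcmp(client_realm, tgt_realm) != 0 && strcmp(server_realm, tgt_realm) != 0 makes the "neither client nor server realm" intent in the new comment explicit. The comment should also state the caller contract the fix depends on: tgt_realm has to be the realm of the krbtgt that issued the presented TGT. Minor wording: "added to transited set" should read "added to the transited set".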
@@ -492,6 +496,7 @@ tgs_make_reply(krb5_context context,
 	       const char *server_name,
 	       hdb_entry_ex *client,
 	       krb5_principal client_principal,
+               const char *tgt_realm,
 	       hdb_entry_ex *krbtgt,
 	       krb5_pac mspac,
 	       uint16_t rodc_id,
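Review bot: The added parameter line in tgs_make_reply() is indented with spaces only, while the neighbouring parameters use a tab plus spaces, so it will misalign under other tab widths; please match the surrounding whitespace. The function also now takes tgt_realm directly before hdb_entry_ex *krbtgt, and the two can refer to different realms, so a short comment on the parameter saying it is the realm of the issuer of the presented TGT (not of the krbtgt entry passed next to it) would help keep the old lookup from being reintroduced.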
@@ -553,7 +558,7 @@ tgs_make_reply(krb5_context context,
 				 &tgt->transited, &et,
 				 krb5_principal_get_realm(context, client_principal),
 				 krb5_principal_get_realm(context, server->entry.principal),
-				 krb5_principal_get_realm(context, krbtgt->entry.principal));
+				 tgt_realm);
     if(ret)
 	goto out;
 
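Review bot: Replacing krb5_principal_get_realm(context, krbtgt->entry.principal) with tgt_realm in the fix_transited_encoding() call is the behavioural change of this patch, but the diffstat lists only source4/heimdal/kdc/krb5tgs.c, so nothing pins it down. A cross-realm test that requests a ticket through an intermediate realm and asserts that realm appears in the transited field of the issued ticket would catch a regression here. Since the commit message warns that incomplete [capaths] configurations may stop working, that is worth carrying into the release notes as well.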
@@ -1292,13 +1297,14 @@ tgs_build_reply(krb5_context context,
     HDB *clientdb, *s4u2self_impersonated_clientdb;
     krb5_realm ref_realm = NULL;
     EncTicketPart *tgt = &ticket->ticket;
+    const char *tgt_realm = /* Realm of TGT issuer */
+        krb5_principal_get_realm(context, krbtgt->entry.principal);
     const EncryptionKey *ekey;
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_pac mspac = NULL;
     uint16_t rodc_id;
     krb5_boolean add_ticket_sig = FALSE;
-
     hdb_entry_ex *krbtgt_out = NULL;
 
     METHOD_DATA enc_pa_data;
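Review bot: The tgt_realm declaration in tgs_build_reply() puts the comment between the "=" and the initializer expression, which reads awkwardly and is easy to lose in a later edit; move it above the declaration and say why the realm is captured here, namely that it must come from the incoming krbtgt and not from krbtgt_out, which is what gets passed to tgs_make_reply() later. The initializer also dereferences krbtgt in the declaration block, so it assumes the caller never passes NULL; confirm that holds or assign after the first check. The removed blank line before hdb_entry_ex *krbtgt_out = NULL; is an unrelated whitespace change and could be dropped from a security fix.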
@@ -2036,6 +2042,7 @@ server_lookup:
 			 spn,
 			 client,
 			 cp,
+			 tgt_realm,
 			 krbtgt_out,
 			 mspac,
 			 rodc_id,


-- 
Samba Shared Repository


