CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
commit6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
authorJeffrey Altman <jaltman@secure-endpoints.com>
Wed, 12 Apr 2017 19:40:42 +0000 (12 15:40 -0400)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Mon, 10 Jul 2017 20:51:25 +0000 (10 16:51 -0400)
tree48610b35107c70f18b50be4146d4397e6de73743
parent0fc03c5c6ba5c63f3d69d22b3fe24eb95fd95164
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
lib/krb5/ticket.c