From f81ebbe2ed86f29a1c5dc2b2b4b9e58d1e61bdd7 Mon Sep 17 00:00:00 2001
From: delphij
Date: Wed, 12 Jul 2017 07:26:07 +0000
Subject: [PATCH] MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103.

In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks.

Submitted by: hrs
Obtained from: Heimdal
Security: FreeBSD-SA-17:05.heimdal
Security: CVE-2017-11103

git-svn-id: svn://svn.freebsd.org/base/stable/10@320907 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 crypto/heimdal/lib/krb5/ticket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 4845a93d9..5b6eabe2b 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
 /* check server referral and save principal */
 ret = _krb5_principalname2krb5_principal (context,
 &tmp_principal,
- rep->kdc_rep.ticket.sname,
- rep->kdc_rep.ticket.realm);
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
 if (ret)
 goto out;
 if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
-- 
2.45.0
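Review bot: The switch to `rep->enc_part.sname` / `rep->enc_part.srealm` is correct, but nothing in the hunk records why the plaintext `rep->kdc_rep.ticket` fields must not be used at this point, so a later tidy-up could silently reintroduce the original problem; suggest extending the comment on the first context line to `/* check server referral and save principal: take sname/srealm from enc_part (decrypted by us), not from kdc_rep.ticket, whose contents are not authenticated to the client */`. The `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` comparison that follows presumably checks `tmp_principal` against the requested server, and with this change it operates on client-verifiable data rather than on the unprotected ticket fields. `_krb5_extract_ticket` begins and ends outside the hunk, so any other reads of `rep->kdc_rep.ticket.sname` or `.realm` in the remainder of the function are not visible here and would deserve the same review.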