Heimdal: Fix transit path validation CVE-2017-6594

Apply upstream b1e699103. This fixes a bug introduced by upstream
f469fc6 which may in some cases enable bypass of capath policy.

Upstream writes in their commit log:

Note, this may break sites that rely on the bug.  With the bug some
incomplete [capaths] worked, that should not have.  These may now break
authentication in some cross-realm configurations.

Reported by: emaste
Security: CVE-2017-6594
Obtained from: upstream b1e699103

(cherry picked from commit f8041e3628bd70cf5562a9c13eb3d6af8463e720)