diff --git a/freeradius-rlm_pap-overflow.patch b/freeradius-rlm_pap-overflow.patch
new file mode 100644
index 0000000..a1ae93a
--- /dev/null
+++ b/freeradius-rlm_pap-overflow.patch
@@ -0,0 +1,48 @@
+From ff5147c9e5088c7cf5c0b6ec6bfdd3a9d2042a28 Mon Sep 17 00:00:00 2001
+From: Arran Cudbard-Bell
+Date: Thu, 13 Feb 2014 13:49:54 +0000
+Subject: [PATCH 1/1] Fix potential crash with SSHA and salts > 44bytes
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
+index 689acf0..1bf6d4e 100644
+--- a/src/modules/rlm_pap/rlm_pap.c
++++ b/src/modules/rlm_pap/rlm_pap.c
+@@ -123,7 +123,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+
+- uint8_t buffer[64];
++ uint8_t buffer[256];
+
+ if (min_length >= sizeof(buffer)) return; /* paranoia */
+
+@@ -132,9 +132,10 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ */
+ if (vp->length >= (2 * min_length)) {
+ size_t decoded;
+- decoded = fr_hex2bin(buffer, vp->vp_strvalue, vp->length >> 1);
++ decoded = fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer));
+ if (decoded == (vp->length >> 1)) {
+- RDEBUG2("Normalizing %s from hex encoding", vp->da->name);
++ RDEBUG2("Normalizing %s from hex encoding, %zu bytes -> %zu bytes",
++ vp->da->name, vp->length, decoded);
+ pairmemcpy(vp, buffer, decoded);
+ return;
+ }
+@@ -150,7 +151,8 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ sizeof(buffer));
+ if (decoded < 0) return;
+ if (decoded >= (ssize_t) min_length) {
+- RDEBUG2("Normalizing %s from base64 encoding", vp->da->name);
++ RDEBUG2("Normalizing %s from base64 encoding, %zu bytes -> %zu bytes",
++ vp->da->name, vp->length, decoded);
+ pairmemcpy(vp, buffer, decoded);
+ return;
+ }
+--
+1.8.5.3
+
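Review bot: In the base64 branch of the embedded rlm_pap.c patch (the `@@ -150,7 +151,8 @@` hunk), the new RDEBUG2 prints `decoded` with `%zu`, but the surrounding context tests `decoded < 0` and compares it with `(ssize_t) min_length`, so it appears to be a signed `ssize_t` there; its declaration lies outside the hunk. A specifier that does not match the argument type is undefined behaviour in a variadic call, so that format should read `"Normalizing %s from base64 encoding, %zu bytes -> %zd bytes"`. The hex branch is fine, since `decoded` is declared `size_t` there. A short comment at `fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer))` would also help, e.g. `/* third argument is the output capacity, not the input length; longer values fail the length check below and are not treated as hex */`, because passing the input-derived length here is what the fix removes.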
diff --git a/freeradius.spec b/freeradius.spec index 47a49d6..107956f 100644 --- a/freeradius.spec +++ b/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 3.0.1 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -27,6 +27,7 @@ Patch3: freeradius-ippool.patch Patch4: freeradius-imacros.patch Patch5: freeradius-mysql-schema.patch Patch6: freeradius-perl.patch +Patch7: freeradius-rlm_pap-overflow.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -189,6 +190,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -750,6 +752,11 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc.so %changelog +* Mon Feb 24 2014 Nikolai Kondrashov - 3.0.1-4 +- Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in rlm_pap + module" +- resolves: bug#1066984 (fedora 1066763) + * Fri Feb 21 2014 John Dennis - 3.0.1-3 - resolves: bug#1068798 (fedora 1068795) rlm_perl attribute values truncated