From 6ba8ba0f8492917625825e3876a4306cf10262e953047a2321b5f290852fd8c8 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 3 Mar 2014 08:59:27 +0000 Subject: [PATCH] Accepting request 224192 from home:vitezslav_cizek:branches:network - fix for CVE-2014-2015 (bnc#864576) * denial of service in rlm_pap hash processing * added freeradius-server-CVE-2014-2015.patch - remove the old 3.0.0 sources OBS-URL: https://build.opensuse.org/request/show/224192 OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=57 --- freeradius-server-CVE-2014-2015.patch | 49 +++++++++++++++++++++++++++ freeradius-server.changes | 12 +++++++ freeradius-server.spec | 2 ++ 3 files changed, 63 insertions(+) create mode 100644 freeradius-server-CVE-2014-2015.patch diff --git a/freeradius-server-CVE-2014-2015.patch b/freeradius-server-CVE-2014-2015.patch new file mode 100644 index 0000000..f105e81 --- /dev/null +++ b/freeradius-server-CVE-2014-2015.patch @@ -0,0 +1,49 @@ +From ff5147c9e5088c7cf5c0b6ec6bfdd3a9d2042a28 Mon Sep 17 00:00:00 2001 +From: Arran Cudbard-Bell +Date: Thu, 13 Feb 2014 13:49:54 +0000 +Subject: [PATCH] Fix potential crash with SSHA and salts > 44bytes + +--- + src/modules/rlm_pap/rlm_pap.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c +index 689acf0..1bf6d4e 100644 +--- a/src/modules/rlm_pap/rlm_pap.c ++++ b/src/modules/rlm_pap/rlm_pap.c +@@ -123,7 +123,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length) + { + +- uint8_t buffer[64]; ++ uint8_t buffer[256]; + + if (min_length >= sizeof(buffer)) return; /* paranoia */ + +@@ -132,9 +132,10 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length) + */ + if (vp->length >= (2 * min_length)) { + size_t decoded; +- decoded = fr_hex2bin(buffer, vp->vp_strvalue, vp->length >> 1); ++ decoded = fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer)); + if (decoded == (vp->length >> 1)) { +- RDEBUG2("Normalizing %s from hex encoding", vp->da->name); ++ RDEBUG2("Normalizing %s from hex encoding, %zu bytes -> %zu bytes", ++ vp->da->name, vp->length, decoded); + pairmemcpy(vp, buffer, decoded); + return; + } +@@ -150,7 +151,8 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length) + sizeof(buffer)); + if (decoded < 0) return; + if (decoded >= (ssize_t) min_length) { +- RDEBUG2("Normalizing %s from base64 encoding", vp->da->name); ++ RDEBUG2("Normalizing %s from base64 encoding, %zu bytes -> %zu bytes", ++ vp->da->name, vp->length, decoded); + pairmemcpy(vp, buffer, decoded); + return; + } +-- +1.8.5.5 + + diff --git a/freeradius-server.changes b/freeradius-server.changes index c73e227..a207bc1 100644 --- a/freeradius-server.changes +++ b/freeradius-server.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Feb 28 09:04:08 UTC 2014 - vcizek@suse.com + +- fix for CVE-2014-2015 (bnc#864576) + * denial of service in rlm_pap hash processing + * added freeradius-server-CVE-2014-2015.patch + +------------------------------------------------------------------- +Wed Jan 29 13:53:30 UTC 2014 - vcizek@suse.com + +- remove the old 3.0.0 sources + ------------------------------------------------------------------- Sat Jan 25 14:44:31 UTC 2014 - mardnh@gmx.de diff --git a/freeradius-server.spec b/freeradius-server.spec index 6efb356..46d1a70 100644 --- a/freeradius-server.spec +++ b/freeradius-server.spec @@ -40,6 +40,7 @@ Patch8: freeradius-server-initscript-pidfile.patch Patch9: freeradius-server-radius-reload-logrotate.patch # PATCH-FIX-SUSE use 'su' logrotate option (bnc#677335) Patch12: freeradius-server-2.1.1-logrotate_su.patch +Patch13: freeradius-server-CVE-2014-2015.patch BuildRequires: apache2-devel BuildRequires: cyrus-sasl-devel BuildRequires: db-devel @@ -224,6 +225,7 @@ This plugin provides the SQLite support for the FreeRADIUS server project. %patch8 -p1 %patch9 -p1 %patch12 -p1 +%patch13 -p1 %build modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"