Accepting request 224192 from home:vitezslav_cizek:branches:network

- fix for CVE-2014-2015 (bnc#864576) * denial of service in rlm_pap hash processing * added freeradius-server-CVE-2014-2015.patch - remove the old 3.0.0 sources OBS-URL: https://build.opensuse.org/request/show/224192 OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=57
2014-03-03 08:59:27 +00:00 · 2014-03-03 08:59:27 +00:00 · 6ba8ba0f84
commit 6ba8ba0f84
parent 426b6db0cc
3 changed files with 63 additions and 0 deletions
--- a/freeradius-server-CVE-2014-2015.patch
+++ b/freeradius-server-CVE-2014-2015.patch
@ -0,0 +1,49 @@
+From ff5147c9e5088c7cf5c0b6ec6bfdd3a9d2042a28 Mon Sep 17 00:00:00 2001
+From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
+Date: Thu, 13 Feb 2014 13:49:54 +0000
+Subject: [PATCH] Fix potential crash with SSHA and salts > 44bytes
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
+index 689acf0..1bf6d4e 100644
+--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
+@@ -123,7 +123,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+ 
+-	uint8_t buffer[64];
+	uint8_t buffer[256];
+ 
+ 	if (min_length >= sizeof(buffer)) return; /* paranoia */
+ 
+@@ -132,9 +132,10 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ 	 */
+ 	if (vp->length >= (2 * min_length)) {
+ 		size_t decoded;
+-		decoded = fr_hex2bin(buffer, vp->vp_strvalue, vp->length >> 1);
+		decoded = fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer));
+ 		if (decoded == (vp->length >> 1)) {
+-			RDEBUG2("Normalizing %s from hex encoding", vp->da->name);
+			RDEBUG2("Normalizing %s from hex encoding, %zu bytes -> %zu bytes",
+				vp->da->name, vp->length, decoded);
+ 			pairmemcpy(vp, buffer, decoded);
+ 			return;
+ 		}
+@@ -150,7 +151,8 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ 					   sizeof(buffer));
+ 		if (decoded < 0) return;
+ 		if (decoded >= (ssize_t) min_length) {
+-			RDEBUG2("Normalizing %s from base64 encoding", vp->da->name);
+			RDEBUG2("Normalizing %s from base64 encoding, %zu bytes -> %zu bytes",
+				vp->da->name, vp->length, decoded);
+ 			pairmemcpy(vp, buffer, decoded);
+ 			return;
+ 		}
+-- 
+1.8.5.5
+
+
--- a/freeradius-server.changes
+++ b/freeradius-server.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Feb 28 09:04:08 UTC 2014 - vcizek@suse.com
+
+- fix for CVE-2014-2015 (bnc#864576)
+  * denial of service in rlm_pap hash processing
+  * added freeradius-server-CVE-2014-2015.patch
+
+-------------------------------------------------------------------
+Wed Jan 29 13:53:30 UTC 2014 - vcizek@suse.com
+
+- remove the old 3.0.0 sources
+
 -------------------------------------------------------------------
 Sat Jan 25 14:44:31 UTC 2014 - mardnh@gmx.de

--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@ -40,6 +40,7 @@ Patch8:         freeradius-server-initscript-pidfile.patch
 Patch9:         freeradius-server-radius-reload-logrotate.patch
 # PATCH-FIX-SUSE use 'su' logrotate option (bnc#677335)
 Patch12:        freeradius-server-2.1.1-logrotate_su.patch
+Patch13:        freeradius-server-CVE-2014-2015.patch
 BuildRequires:  apache2-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  db-devel
@ -224,6 +225,7 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
 %patch8 -p1
 %patch9 -p1
 %patch12 -p1
+%patch13 -p1

 %build
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"