[freeradius/f19] Fix CVE-2014-2015 stack-based overflow in rlm_pap

Nikolai Kondrashov nkondras at fedoraproject.org
Wed Feb 26 18:33:49 UTC 2014


commit 460ef6819bcee5c733601ec37bb32c4905de42bd
Author: Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>
Date:   Fri Feb 21 14:52:32 2014 +0200

    Fix CVE-2014-2015 stack-based overflow in rlm_pap
    
    Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in
    rlm_pap module"

 freeradius-rlm_pap-overflow.patch |   35 +++++++++++++++++++++++++++++++++++
 freeradius.spec                   |    9 ++++++++-
 2 files changed, 43 insertions(+), 1 deletions(-)
---
diff --git a/freeradius-rlm_pap-overflow.patch b/freeradius-rlm_pap-overflow.patch
new file mode 100644
index 0000000..3d6d7aa
--- /dev/null
+++ b/freeradius-rlm_pap-overflow.patch
@@ -0,0 +1,35 @@
+From 0d606cfc29ab2e91764854e733d4525e6c667eb9 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland at freeradius.org>
+Date: Thu, 13 Feb 2014 09:29:35 -0500
+Subject: [PATCH 1/1] Increase buffer size.  Use output buffer size as limit
+ for hex2bin
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
+index 8ef2152..1492a44 100644
+--- a/src/modules/rlm_pap/rlm_pap.c
++++ b/src/modules/rlm_pap/rlm_pap.c
+@@ -247,7 +247,7 @@ static int base64_decode (const char *src, uint8_t *dst)
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+ 	size_t decoded;
+-	uint8_t buffer[64];
++	uint8_t buffer[256];
+ 
+ 	if (min_length >= sizeof(buffer)) return; /* paranoia */
+ 
+@@ -255,7 +255,7 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ 	 *	Hex encoding.
+ 	 */
+ 	if (vp->length >= (2 * min_length)) {
+-		decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
++		decoded = fr_hex2bin(vp->vp_strvalue, buffer, sizeof(buffer));
+ 		if (decoded == (vp->length >> 1)) {
+ 			RDEBUG2("Normalizing %s from hex encoding", vp->name);
+ 			memcpy(vp->vp_octets, buffer, decoded);
+-- 
+1.8.5.3
+
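Review bot: The new `uint8_t buffer[256];` in normify is an unexplained size, and only the hex path gets an explicit output bound via `sizeof(buffer)`. The hunk header shows `base64_decode(const char *src, uint8_t *dst)` takes no destination size, so if the base64 branch (outside this hunk) decodes into the same buffer, its safety presumably rests on the attribute value length being capped elsewhere. I would add a comment on the declaration such as `/* must hold the largest decoded attribute value; base64_decode() is not length-limited */`. I would also put an explicit guard next to the existing paranoia check, e.g. `if (vp->length >= sizeof(buffer)) return;`, because neither hex (1/2) nor base64 (3/4) decoding can then produce more than the buffer holds. normify's body continues past the end of the hunk, so the base64 call should be confirmed against the full source.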
diff --git a/freeradius.spec b/freeradius.spec
index 373e972..d76020d 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 2.2.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -14,6 +14,7 @@ Source104: %{name}-tmpfiles.conf
 
 Patch1: freeradius-cert-config.patch
 Patch2: freeradius-dhcp_sqlippool.patch
+Patch3: freeradius-rlm_pap-overflow.patch
 
 Obsoletes: freeradius-devel
 Obsoletes: freeradius-libs
@@ -148,6 +149,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 %patch1 -p1 -b .cert-config
 # do not make backup file for module configs, the backup will be installed
 %patch2 -p1
+%patch3 -p1
 
 # Some source files mistakenly have execute permissions set
 find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
@@ -601,6 +603,11 @@ exit 0
 %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so
 
 %changelog
+* Fri Feb 21 2014 Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com> - 2.2.3-7
+- Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in rlm_pap
+  module"
+- resolves: bug#1066984 (fedora 1066763)
+
 * Tue Jan 14 2014 John Dennis <jdennis at redhat.com> - 2.2.3-6
 - Upgrade to upstream 2.2.3 release
   See /usr/share/doc/freeradius-2.2.3/ChangeLog for details

