Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0961: freeradius DoS | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | patch-request, security-team, stark, stefan.fent |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0961: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Description
Ludwig Nussel
2004-10-19 16:25:48 UTC
I will check which versions need to be fixed.

Seems that all our "maintained" versions are affected: 8.1/SLES8/UL: 0.5, 8.2: 0.8.1, 9.0: 0.9, 9.1/SLES9: 0.9.3, 9.2: 1.0.0. Do we want backports for all these versions?

I have packages ready for every version which are building fine. The problem is to test them all. I don't have the time and resources to install and test all of them. How do we proceed?

QA will test the testcases you have in the pdb for SLES. Box version will be released untested unless we tell QA to test them as well.

All packages have been submitted to /work/src/done and are waiting for checkin.

Please provide the patchinfo files, thanks.

You refer only to one of the bugs in the changelog, are we not affected by the others?

Oops, you are right, I forgot to mention the others.

I've extracted the different fixes from project CVS and applied them as far as possible to older versions. Since our oldest version is 0.5 there are many differences in the code and for some changes I couldn't find an equivalent. So it would make sense if some of you would review the patches in addition.

Patch for 9.1 looks good. You added an additional fix so that the random pool doesn't get reinitialized all the time. Lack of that fix is probably an unmentioned weakness in older versions. Furthermore 1.0.1 contains a fix for regex matching in src/main/valuepair.c: compare = regexec(®, (char *)auth_item->strvalue, - 16, rxmatch, 0); + REQUEST_MAX_REGEX + 1, + rxmatch, 0); rxmatch has only 9 entries so it could overflow by 7 bytes in < 1.0.1. No idea if that is harmful there.

I was in contact with the author and the security issues are all handled in src/lib/radius.c according to him. So I patched only this file.

Ok, thanks. The patches for 8.1-9.0 also look good. The check for attrlen in rad_decode() apparently is not needed in pre 1.0 as it is already checked in rad_recv().

Here is another patch to make it build correctly on x86_64
--- configure.ORG 2003-11-20 21:14:50.000000000 +0100
+++ configure 2004-11-05 10:33:48.382611892 +0100
@@ -1881,7 +1881,7 @@
# This must be Linux ELF.
linux-gnu*)
case $host_cpu in
- alpha* | hppa* | i*86 | powerpc* | sparc* | ia64* | s390* )
+ alpha* | hppa* | i*86 | powerpc* | sparc* | ia64* | s390* | x86_64*)
lt_cv_deplibs_check_method=pass_all ;;
*)
# glibc up to 2.1.1 does not perform some relocations on ARM
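Review bot: The x86_64* entry is added only to the $host_cpu list in the generated configure script, so it will be lost the next time configure is regenerated; the same one-line change should also go into the libtool macro source that produces the lt_cv_deplibs_check_method case, or the package should note that configure must not be regenerated. The hunk also carries no explanation of its own: the changelog entry should state that without pass_all for x86_64 the package does not work on that architecture, since nothing in the diff says why the CPU was added.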
w/o this patch, freeradius doesn't work at all on x86_64
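The regexec() concern raised earlier in this thread (an nmatch of 16 passed with a 9-entry rxmatch array), as an added example that is not FreeRADIUS code and not part of the original comments: a 16-slot backing buffer stands in for the memory after rxmatch[], so the extra writes can be counted without any real overflow. REQUEST_MAX_REGEX is assumed to be 8 here, and the function name, pattern and input are constructed.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

#define REQUEST_MAX_REGEX 8                 /* assumed: yields the 9 entries mentioned in the thread */
#define RX_ENTRIES (REQUEST_MAX_REGEX + 1)  /* stands in for the real rxmatch[] size */
#define OLD_NMATCH 16                       /* hard-coded nmatch replaced by the 1.0.1 fix */
#define SENTINEL ((regoff_t)-2)             /* regexec() stores offsets or -1, never -2 */

/* Returns how many slots beyond rxmatch[] regexec() wrote for a given
 * nmatch, or -1 on a bad argument, bad pattern, or no match. */
int slots_written_past_rxmatch(const char *pattern, const char *value, size_t nmatch)
{
    regex_t reg;
    regmatch_t buf[OLD_NMATCH];   /* first RX_ENTRIES slots play the role of rxmatch[] */
    size_t i;
    int past = 0;

    if (nmatch > OLD_NMATCH)
        return -1;                /* never let the demonstration itself overflow */
    for (i = 0; i < OLD_NMATCH; i++)
        buf[i].rm_so = buf[i].rm_eo = SENTINEL;
    if (regcomp(&reg, pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&reg, value, nmatch, buf, 0) != 0) {
        regfree(&reg);
        return -1;
    }
    regfree(&reg);
    /* POSIX fills unused pmatch entries up to nmatch-1 with -1, so every
     * slot below nmatch is written even when the pattern has few groups. */
    for (i = RX_ENTRIES; i < OLD_NMATCH; i++)
        if (buf[i].rm_so != SENTINEL)
            past++;
    return past;
}

int main(void)
{
    const char *pat = "^user@(.+)$";        /* constructed pattern and input */
    const char *val = "user@example.org";

    printf("nmatch=%d: %d slots past rxmatch\n", OLD_NMATCH,
           slots_written_past_rxmatch(pat, val, OLD_NMATCH));
    printf("nmatch=%d: %d slots past rxmatch\n", RX_ENTRIES,
           slots_written_past_rxmatch(pat, val, RX_ENTRIES));
    return 0;
}
```

In real code the safer habit is to derive nmatch from the array itself, for example `sizeof(rxmatch) / sizeof(rxmatch[0])`, so the two cannot drift apart.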
Ok, so what's with patchinfo 37eb5c6bf8b4aca8f550659a4f3926c1 and e2a19d65493e3f891fa2ffb498b81a4d? Should we cancel and resubmit them? (and what's with 9.2 and sles8 aka 8.1. Isn't the patch needed for them as well?)

See below snippets from some mail - please "resubmit"
I will reject the current patches after checkin of the new patchinfos ...
> Is 9.2-x86_64 hit by this problem? Marked als directories to manipulate.
no the 9.2 versions seems to be fixed. The libs are in the RPM package
SLES8 is not affected but 9.0-x86_64 and 9.1-x86_64 are.
So I will submit a fixed package for 9.1/SLES9 and for 9.0.
Can you submit 9.0 with the old patchinfo, too?
Huh? Packages for 9.0/9.1 were just checked in.

OK, let's sum up: 8.1, 8.2 and 9.2 were fixed some days ago as 9.0 and 9.1. But we found a problem with AMD64 on SLES9 which occurs on 9.0 and 9.1. So these two versions got another small fix. All fixed packages are now checked in.

Yes. The question was if I should resubmit the two patchinfos...

Harald said yesterday that you are going to resubmit the patchinfos and he will reject the currently active ones then.

Will do. He should not reject 9dbb825d4a68104e44f645e93d1bfd6c, 1e45eb63952773be3469e841fc17e9a7. He should reject 37eb5c6bf8b4aca8f550659a4f3926c1 and e2a19d65493e3f891fa2ffb498b81a4d.

Packages released.

To: security-intern@suse.de, ro@suse.de
From: patch_system@suse.de
Date: Thu, 11 Nov 2004 11:50:17 +0100 (CET)
Cc:
Subject: [sec-int] [putonftp] secfix freeradius-0.8.1-156.i586.rpm
Reply-To: security-intern@suse.de
Errors-To: security-intern-bounces+thomas=suse.de@suse.de

Script 'mail_hack' called by root
package:freeradius-0.8.1-156.i586.rpm
comment:Several bugs that would allow attackers to remotely crash freeradius have been fixed (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961).
comment_de:Mehrere Fehler, die es einem entfernten Angreifer erm\366glichen w\374rden, freeradius zum Absturz zu bringen, wurden behoben (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961).
md5sum:9dbb825d4a68104e44f645e93d1bfd6c
url:ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/freeradius-0.8.1-156.i586.rpm

CVE-2004-0961: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)