Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2005-1455: freeradius buffer overflow | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | All | | |
| Whiteboard: | CVE-2005-1455: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Ludwig Nussel
2005-05-18 17:11:41 UTC
Haven't heard about it until now. I will investigate.

This is the answer of the upstream maintainer to my question:

> Yesterday there was a security advisory from Gentoo about FreeRADIUS
> 1.0.2 on bugtraq.
> http://www.securityfocus.com/bid/13540/
> http://www.securityfocus.com/bid/13541/
>
> As I didn't hear about it before, a few questions.
>
> Are you aware of that? I hope so. And what are the details about these
> problems?

I heard rumors, but the originator did not contact security@freeradius.org

The details are:

1) Non-ASCII characters are printed as \ddd, but the buffer length check is incorrect, so the digits can over-run the buffer. This may crash the server, but I have a hard time seeing how it's exploitable.

2) In some cases, the data being used in SQL queries wasn't being properly sanitized, which could allow SQL injection attacks, for the following situations:
   a) The user was doing dynamic SELECTs via %{sql:data...}
   b) group comparisons via "SQL-Group == foo"
   c) Simultaneous-Use checking was done via SQL

We will be issuing 1.0.3 soon.

Alan DeKok.

Gentoo... Anyways, I'll post that to vendor-sec.

Thanks for clarification!

Date: Thu, 19 May 2005 11:38:43 +0200
From: Thierry Carrez <koon@gentoo.org>
To: vendor-sec@lst.de
Subject: Re: [vendor-sec] freeradius buffer overflow & SQL injection
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050325)

Ludwig Nussel wrote:
> There was a security advisory from Gentoo about FreeRADIUS 1.0.2 on bugtraq.
> http://www.securityfocus.com/bid/13540/
> http://www.securityfocus.com/bid/13541/

In fact we aren't the origin of this, we just reacted to the BID creation on May 6... I suppose it was originally created from:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307720 (created May 4)

Our bugzilla entry is at:
https://bugs.gentoo.org/show_bug.cgi?id=91736 (created May 6)

We mistakenly thought upstream was in the loop on the Debian bug and released without double-checking...

Note that the patch we applied introduces new problems and we should release new packages (and an updated GLSA) soon.

--
Thierry Carrez
Gentoo Linux Security

According to the debian bug this is the patch:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/rlm_sql.c.diff?r1=1.131.2.1&r2=1.131.2.3

CAN-2005-1454 for the overflow.
CAN-2005-1455 for the SQL injection

I will apply this patch to the packages.

status: I have fixed packages ready for all versions but SLES8. The freeradius version there doesn't have any SQL-escape filter at all IMHO. What to do? Is it possible to extract the code used on newer versions? I will try this and if I fail, I will reassign this bug to security-team.

all packages were submitted to autobuild. Please provide patchinfos and SWAMPs as you like ;-)

SM-Tracker-1400

/work/src/done/PATCHINFO/freeradius.patch.box
/work/src/done/PATCHINFO/freeradius.patch.maintained

updates released.

CVE-2005-1455: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
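Alan DeKok's point (1) above is the classic length-check mistake behind CAN-2005-1454: a byte printed as \ddd expands from one input byte to four output characters, so a check that only reserves one output byte per input byte lets the digits run past the end of the buffer. The escaper below is an illustration added to this bug report, not FreeRADIUS code; it reserves the full four characters before writing and reports, snprintf-style, the length the complete escaped string would have needed, so a caller sees truncation instead of an overrun. The function name, the octal escape format and the sample inputs are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape every byte outside printable ASCII (and the backslash itself) as
 * \ddd, three octal digits, writing at most dstlen-1 characters plus a NUL
 * into dst.  Returns the number of characters the fully escaped string
 * needs (NUL excluded), like snprintf, so a caller can compare the return
 * value against dstlen to detect truncation.  dst may be NULL when dstlen
 * is 0, which turns the call into a pure length query.
 * Illustrative code added here; not taken from FreeRADIUS. */
size_t escape_nonascii(char *dst, size_t dstlen,
                       const unsigned char *src, size_t srclen)
{
    size_t needed = 0;   /* characters the escaped form requires */
    size_t out = 0;      /* characters actually stored in dst */

    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = src[i];

        if (c >= 0x20 && c < 0x7f && c != '\\') {
            /* one byte in, one byte out: room for it plus the NUL? */
            if (dstlen && out + 1 < dstlen)
                dst[out++] = (char)c;
            needed += 1;
        } else {
            /* one byte in, FOUR bytes out.  The check must reserve all four
             * (plus the NUL); reserving one, as a 1:1 check would, is exactly
             * how the digits spill past the end of the buffer. */
            char esc[5];
            snprintf(esc, sizeof esc, "\\%03o", (unsigned)c);
            if (dstlen && out + 4 < dstlen) {
                memcpy(dst + out, esc, 4);
                out += 4;
            }
            needed += 4;
        }
    }

    if (dstlen)
        dst[out] = '\0';   /* always terminated, even when truncated */
    return needed;
}

int main(void)
{
    /* constructed sample: a printable byte, a high byte, a printable byte */
    const unsigned char sample[] = { 'a', 0xff, 'z' };
    char buf[16];
    size_t need = escape_nonascii(buf, sizeof buf, sample, sizeof sample);
    printf("escaped: %s (needed %zu chars)\n", buf, need);

    /* a buffer that is too small: the escape is dropped, nothing overruns */
    char tight[4];
    need = escape_nonascii(tight, sizeof tight, sample + 1, 1);
    printf("tight buffer: \"%s\", needed %zu > %zu, so truncated\n",
           tight, need, sizeof tight - 1);
    return 0;
}
```

A caller that wants the untruncated result can call once with a NULL destination to learn the required size, allocate that many bytes plus one, and call again; the return value also makes the "needed more than I had" condition visible in logs, which is the behaviour one wants from a RADIUS daemon handling attacker-controlled attribute values.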