Your message dated Wed, 19 Jan 2005 07:17:16 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#289976: fixed in libapache-mod-auth-radius 1.5.7-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Jan 2005 07:07:18 +0000
>From [EMAIL PROTECTED] Tue Jan 11 23:07:18 2005
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cocb8-0000pE-00; Tue, 11 Jan 2005 23:07:18 -0800
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 03317366B74; Wed, 12 Jan 2005 08:07:20 +0100 (CET)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Wed, 12 Jan 2005 08:02:58 +0100 (CET)
Date: Wed, 12 Jan 2005 08:02:57 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: Apache mod_auth_radius remote integer overflow]
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: libapache-mod-auth-radius
Version: 1.5.7-5
Severity: grave
Tags: woody sid security
I haven't checked if this problem exists in the Debian package. Please check.
If the Debian package is fixed, too old or too new, please close this bug
report.
Regards,
Joey
----- Forwarded message from LSS Security <[EMAIL PROTECTED]> -----
Date: Tue, 11 Jan 2005 12:45:50 +0100
From: LSS Security <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com
Subject: Apache mod_auth_radius remote integer overflow
LSS Security Advisory #LSS-2005-01-02
http://security.lss.hr
---
Title : Apache mod_auth_radius remote integer overflow
Advisory ID : LSS-2005-01-02
Date : 2005-01-10
Advisory URL: :
http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02
Impact : Denial of service attack
Risk level : Low
Vulnerability type : Remote
Vendors contacted : 10.12.2004
---
===[ Overview
Mod_auth_radius is RADIUS authentication module for Apache. It allows
any Apache web-server to become a RADIUS client for authentication,
authorization and accounting requests. You will, however, need to supply
your own RADIUS server to perform the actual authentication.
Mod_auth_radius can be downloaded from
http://www.freeradius.org/mod_auth_radius/.
===[ Vulnerability
When mod_auth_radius authenticate user against remote RADIUS server,
it will send RADIUS packet with RADIUS_ACCESS_REQUEST code. Server
can responde with RADIUS packet with RADIUS_ACCESS_CHALLENGE code.
When mod_auth_radius gets RADIUS_ACCESS_CHALLENGE, with attribute
code set to RADIUS_STATE, and another attribute code in same packet set
to RADIUS_REPLY_MESSAGE, RADIUS server reply will be copied in local
buffer with function radcpy(). Size of the data that will be copied in
local buffer is taken from 'length' value of packet attribute received
from RADIUS server.
mod_auth_radius.c:
....
#define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
(STRING)[ATTR->length - 2] = 0;}
....
Before the data is copied with memcpy() RADIUS attribute length is
subtracted by two. If attribute length is 1, after subtract it will be -1,
and memcpy will lead to segfault.
If an attacker can sniff RADIUS request packets (that is vulnerability by
itself), he can spoof RADIUS server replies with attribute length 1 that
will segfault mod_auth_radius.
===[ Affected versions
All mod_auth_radius versions. Tested on 1.5.4 (1.5.7).
===[ Fix
Not available yet.
===[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/en/PoC
===[ Credits
Credits for this vulnerability goes to Leon Juranic.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : [EMAIL PROTECTED]
Tel : +385 1 6129 775
----- End forwarded message -----
--
Those who don't understand Unix are condemned to reinvent it, poorly.
Please always Cc to me when replying to me on the lists.
---------------------------------------
Received: (at 289976-close) by bugs.debian.org; 19 Jan 2005 12:23:12 +0000
>From [EMAIL PROTECTED] Wed Jan 19 04:23:12 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CrErg-0000yE-00; Wed, 19 Jan 2005 04:23:12 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CrElw-00043X-00; Wed, 19 Jan 2005 07:17:16 -0500
From: [EMAIL PROTECTED] (Fabio M. Di Nitto)
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#289976: fixed in libapache-mod-auth-radius 1.5.7-6
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 19 Jan 2005 07:17:16 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: libapache-mod-auth-radius
Source-Version: 1.5.7-6
We believe that the bug you reported is fixed in the latest version of
libapache-mod-auth-radius, which is due to be installed in the Debian FTP
archive:
libapache-mod-auth-radius_1.5.7-6.diff.gz
to
pool/main/liba/libapache-mod-auth-radius/libapache-mod-auth-radius_1.5.7-6.diff.gz
libapache-mod-auth-radius_1.5.7-6.dsc
to
pool/main/liba/libapache-mod-auth-radius/libapache-mod-auth-radius_1.5.7-6.dsc
libapache-mod-auth-radius_1.5.7-6_i386.deb
to
pool/main/liba/libapache-mod-auth-radius/libapache-mod-auth-radius_1.5.7-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio M. Di Nitto <[EMAIL PROTECTED]> (supplier of updated
libapache-mod-auth-radius package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 19 Jan 2005 11:07:11 +0100
Source: libapache-mod-auth-radius
Binary: libapache-mod-auth-radius
Architecture: source i386
Version: 1.5.7-6
Distribution: unstable
Urgency: high
Maintainer: Fabio M. Di Nitto <[EMAIL PROTECTED]>
Changed-By: Fabio M. Di Nitto <[EMAIL PROTECTED]>
Description:
libapache-mod-auth-radius - Apache module for RADIUS authentication
Closes: 289976
Changes:
libapache-mod-auth-radius (1.5.7-6) unstable; urgency=high
.
* [SECURITY] Fix Denial of service:
- Add patch 002.CAN2005-0108.diff. (CAN2005-0108)
(Closes: #289976)
Files:
72bf0eac186501597030a5764c131d62 655 web optional
libapache-mod-auth-radius_1.5.7-6.dsc
325d0c9ea854773662c0c4d6817569dd 3387 web optional
libapache-mod-auth-radius_1.5.7-6.diff.gz
09732a4919087e390ed8012a9adfe61b 15068 web optional
libapache-mod-auth-radius_1.5.7-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB7kywhCzbekR3nhgRAt2MAJ429yc6hHEz508utC6pPwfa60G50wCeIaCB
Hf3SJpGk9ewwA09sgCsdfSI=
=sLZM
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
