Your message dated Thu, 26 May 2005 21:17:09 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#307720: fixed in freeradius 1.0.2-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 May 2005 22:59:38 +0000
>From [EMAIL PROTECTED] Wed May 04 15:59:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from master.debian.org [146.82.138.7] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DTSqA-0000ZU-00; Wed, 04 May 2005 15:59:38 -0700
Received: from bsn-77-143-219.dsl.siol.net [193.77.143.219] 
        by master.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DTSq9-0005oc-00; Wed, 04 May 2005 17:59:37 -0500
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Primoz Bratanic <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: freeradius: Few possible security problems
X-Mailer: reportbug 3.11
Date: Thu, 05 May 2005 00:59:45 +0200
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]

Package: freeradius
Version: 1.0.2-3
Severity: wishlist
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In /src/modules/rlm_sql/rlm_sql.c there are a few possible problems (IMHO).
Please disregard the message if you disagree.

In sql_escape_func (line 406) there is a loop with a special break condition
in line 414 ("if (outlen <= 1)"), which is fine unless we have three (3) or
fewer characters available and the input character needs escaping (with =XX).
In this case this loop causes a minor buffer overflow (a few characters). As
the output buffer is huge, this should not be an easily exploitable problem.

The other three problems are in lines 520, 1152, 1196 where radius_xlat is
called for generation of the SQL query for execution. It's called without an
escape function (NULL), which is afterwards replaced with a simple copy. As
these queries may contain references to user-supplied data (username ...),
this may result in SQL injection. This is also hard to exploit as the user has
to be authenticated already before any of these SQL statements can get executed.

Primoz Bratanic

- -- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages freeradius depends on:
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libgdbm3                    1.8.3-2      GNU dbm database routines (runtime
ii  libltdl3                    1.5.6-6      A system independent dlopen wrappe
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCeVPhHOuqnSwJthERAvvhAKCS917GnwK+t9W6mqUCznfxeuKEygCffDbT
S9UM07PrA9Sfl1OPq2vsVb4=
=HaZ7
-----END PGP SIGNATURE-----

---------------------------------------
Received: (at 307720-close) by bugs.debian.org; 27 May 2005 01:26:37 +0000
>From [EMAIL PROTECTED] Thu May 26 18:26:37 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DbTcS-00036W-00; Thu, 26 May 2005 18:26:36 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DbTTJ-0008FS-00; Thu, 26 May 2005 21:17:09 -0400
From: Paul Hampson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#307720: fixed in freeradius 1.0.2-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 26 May 2005 21:17:09 -0400
Delivered-To: [EMAIL PROTECTED]

Source: freeradius
Source-Version: 1.0.2-4

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive:

freeradius-dialupadmin_1.0.2-4_all.deb
  to pool/main/f/freeradius/freeradius-dialupadmin_1.0.2-4_all.deb
freeradius-iodbc_1.0.2-4_i386.deb
  to pool/main/f/freeradius/freeradius-iodbc_1.0.2-4_i386.deb
freeradius-krb5_1.0.2-4_i386.deb
  to pool/main/f/freeradius/freeradius-krb5_1.0.2-4_i386.deb
freeradius-ldap_1.0.2-4_i386.deb
  to pool/main/f/freeradius/freeradius-ldap_1.0.2-4_i386.deb
freeradius-mysql_1.0.2-4_i386.deb
  to pool/main/f/freeradius/freeradius-mysql_1.0.2-4_i386.deb
freeradius_1.0.2-4.diff.gz
  to pool/main/f/freeradius/freeradius_1.0.2-4.diff.gz
freeradius_1.0.2-4.dsc
  to pool/main/f/freeradius/freeradius_1.0.2-4.dsc
freeradius_1.0.2-4_i386.deb
  to pool/main/f/freeradius/freeradius_1.0.2-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Hampson <[EMAIL PROTECTED]> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 23 May 2005 18:53:51 +1000
Source: freeradius
Binary: freeradius-mysql freeradius-krb5 freeradius freeradius-iodbc freeradius-ldap freeradius-dialupadmin
Architecture: source i386 all
Version: 1.0.2-4
Distribution: unstable
Urgency: high
Maintainer: Paul Hampson <[EMAIL PROTECTED]>
Changed-By: Paul Hampson <[EMAIL PROTECTED]>
Description: 
 freeradius - a high-performance and highly configurable RADIUS server
 freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
Closes: 307720
Changes: 
 freeradius (1.0.2-4) unstable; urgency=high
 .
   * Security fix stolen from CVS release_1_0 branch:
    - Always use sql_escape_func when calling radius_xlat
    - Add a test in sql_escape_func() to check buffer bound when
      input character needs escaping.
    - Urgency high as these are (theoretical) security issues.
      Closes: #307720 (Thanks to Primoz Bratanic and Nicolas Baradakis)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFClnEhdu+M6Iexz7URAsxhAJ9NN9fEJQ+FnnxLDPNpsGWsnc2a6QCfZtMI
4Z+JJo3LBp4rcsC1qNU4yFI=
=TS+f
-----END PGP SIGNATURE-----
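
The two issues from the report and the changelog, modelled as an added example (this is not FreeRADIUS source and not code from this thread). The allow-list, the signed int length and the names escape, overrun and escaped_name are assumptions made for the illustration; the overrun is measured inside a larger array rather than triggered for real.

```c
#include <ctype.h>
#include <stdio.h>

/* Model of the escaping loop: bytes outside an allow-list (assumed here) become
 * =XX. bounded=0 has only the "outlen <= 1" test from the report; bounded=1 also
 * needs room for "=XX" plus the NUL. Returns bytes stored, NUL included. */
static int escape(char *out, int outlen, const char *in, int bounded)
{
    static const char hex[] = "0123456789ABCDEF";
    int len = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (outlen <= 1) break;
        if (isalnum(c) || c == '@' || c == '.' || c == '_' || c == '-' || c == ' ') {
            out[len++] = (char)c;
            outlen--;
            continue;
        }
        if (bounded && outlen <= 3) break;  /* the added bound test */
        out[len++] = '=';   /* with 2 or 3 bytes left, this runs past the end */
        out[len++] = hex[c >> 4];
        out[len++] = hex[c & 0x0f];
        outlen -= 3;
    }
    out[len] = '\0';
    return len + 1;
}

/* Overrun of a `declared`-byte buffer (<= 60), measured inside a larger array. */
static int overrun(int declared, const char *in, int bounded)
{
    char arena[64];
    int stored = escape(arena, declared, in, bounded);
    return stored > declared ? stored - declared : 0;
}

/* The user name as it reaches the query when the escape function is applied. */
static const char *escaped_name(const char *user)
{
    static char name[64];
    escape(name, (int)sizeof name, user, 1);
    return name;
}

int main(void)
{
    printf("%s %d %d\n", escaped_name("o'brien"), overrun(8, "abcdef'", 0), overrun(8, "abcdef'", 1));
    return 0;
}
```

With a NULL escape function the name is copied unchanged, so the quote in the constructed sample name would reach the SQL text as a raw quote instead of =27.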

