Your message dated Tue, 11 Sep 2012 18:17:59 +0000 with message-id <e1tbv27-0002gk...@franck.debian.org> and subject line Bug#687175: fixed in freeradius 2.1.12+dfsg-1.1 has caused the Debian Bug report #687175, regarding freeradius: CVE-2012-3547 stack-based buffer overflow in EAP-TLS handling, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
687175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: freeradius
Severity: grave
Tags: security

Hi,
the following vulnerability was published for freeradius.

CVE-2012-3547[0]:
| PRE-CERT Security Advisory
| ==========================
|
| * Advisory: PRE-SA-2012-06
| * Released on: 10 September 2012
| * Affected product: FreeRADIUS 2.1.10 - 2.1.12
| * Impact: remote code execution
| * Origin: specially crafted client certificates
| * CVSS Base Score: 10
|   Impact Subscore: 10
|   Exploitability Subscore: 10
|   CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| * Credit: Timo Warns (PRESENSE Technologies GmbH)
| * CVE Identifier: CVE-2012-3547
|
|
| Summary
| - -------
|
| A stack overflow vulnerability has been identified in FreeRADIUS that allows to
| remotely execute arbitrary code via specially crafted client certificates
| (before authentication). The vulnerability affects setups using TLS-based EAP
| methods (including EAP-TLS, EAP-TTLS, and PEAP).
|
| FreeRADIUS defines a callback function cbtls_verify() for certificate
| verification. The function has a local buf array with a size of 64
| bytes. It copies the validity timestamp "not after" of a client
| certificate to the buf array:
|
|   asn_time = X509_get_notAfter(client_cert);
|   if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
|     memcpy(buf, (char*) asn_time->data, asn_time->length);
|     buf[asn_time->length] = '\0';
|
| The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is
| greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy.
|
| Depending on the stack layout chosen by the compiler, the vulnerability allows
| to overflow the return address on the stack, which can be exploited for code
| execution.
|
|
| Solution
| - --------
|
| The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as
| soon as possible.
|
|
| References
| - ----------
|
| When further information becomes available, this advisory will be
| updated.
|
| The most recent version of this advisory is available at:
|
| http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
    http://security-tracker.debian.org/tracker/CVE-2012-3547

Cheers
Nico
--- End Message ---
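The length check the advisory quotes is the whole bug: the guard compares asn_time->length against MAX_STRING_LEN (254) while the destination buf is 64 bytes, so every length from 64 up to 253 passes the guard and writes past buf (64 itself already does, via the buf[length] = '\0' terminator). The following is an added example, not FreeRADIUS code and not part of the PRE-CERT advisory: it models that guard beside a hardened copy whose bound is the destination size. The asn1_time_t struct, the function names and the sample lengths are constructed for illustration; only the 64 and 254 constants come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as stated in the advisory. */
#define MAX_STRING_LEN 254   /* the bound cbtls_verify() compared against */
#define NOTAFTER_BUF_LEN 64  /* the size of its local buf[] */

/* Stand-in for the two ASN1_TIME fields the advisory's code reads.
 * Constructed for this example; not OpenSSL's real type. */
typedef struct {
    int length;
    unsigned char *data;
} asn1_time_t;

/* Model of the vulnerable guard: it checks the length against MAX_STRING_LEN
 * instead of against the 64-byte destination. Returns 1 if the original code
 * would proceed to memcpy(), 0 if the guard rejects the value. *overflow is
 * set to 1 when the copy plus the '\0' terminator would write past buf[];
 * a length of exactly 64 already does, because of buf[length] = '\0'. */
int vulnerable_guard_accepts(int length, int *overflow)
{
    *overflow = 0;
    if (!(length < MAX_STRING_LEN))
        return 0;
    if (length + 1 > NOTAFTER_BUF_LEN)
        *overflow = 1;
    return 1;
}

/* Hardened copy: the bound is the destination size, and an oversized value is
 * an error the caller should turn into a certificate rejection rather than a
 * silent truncation of a validity date. Returns 0 on success, -1 on error. */
int copy_not_after_safe(char *dst, size_t dstsize, const asn1_time_t *t)
{
    if (dst == NULL || dstsize == 0 || t == NULL || t->data == NULL)
        return -1;
    if (t->length < 0 || (size_t)t->length >= dstsize)
        return -1;                       /* no room for data plus '\0' */
    memcpy(dst, t->data, (size_t)t->length);
    dst[t->length] = '\0';
    return 0;
}

/* Build a constructed notAfter value of the requested length: ASCII digits
 * ending in 'Z', the shape a real UTCTime/GeneralizedTime string has.
 * The caller frees .data. */
asn1_time_t make_not_after(int length)
{
    asn1_time_t t;
    t.length = length;
    t.data = malloc(length > 0 ? (size_t)length : 1);
    if (t.data == NULL) {
        perror("malloc");
        exit(1);
    }
    if (length > 0) {
        memset(t.data, '0', (size_t)length);
        t.data[length - 1] = 'Z';
    }
    return t;
}

int main(void)
{
    char buf[NOTAFTER_BUF_LEN];
    int overflow;
    /* 13 bytes is a normal UTCTime "YYMMDDHHMMSSZ"; 200 bytes is the kind of
     * oversized value a crafted client certificate can carry. */
    int lengths[] = { 13, 63, 64, 200, 254 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        asn1_time_t t = make_not_after(lengths[i]);
        int accepted = vulnerable_guard_accepts(t.length, &overflow);
        int rc = copy_not_after_safe(buf, sizeof buf, &t);
        printf("length %3d: vulnerable guard %s%s; hardened copy %s\n",
               t.length,
               accepted ? "accepts" : "rejects",
               (accepted && overflow) ? " (stack overflow)" : "",
               rc == 0 ? "ok" : "rejects");
        free(t.data);
    }
    return 0;
}
```

The model deliberately computes whether the original memcpy would overrun instead of performing it, so the program is safe to run; the point is that a guard expressed in terms of an unrelated constant gives no protection, while one expressed in terms of sizeof the destination rejects exactly the lengths that would have corrupted the stack.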
--- Begin Message ---
Source: freeradius
Source-Version: 2.1.12+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 687...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 11 Sep 2012 19:38:02 +0200
Source: freeradius
Binary: freeradius freeradius-common freeradius-utils libfreeradius2 libfreeradius-dev freeradius-krb5 freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-iodbc freeradius-dialupadmin freeradius-dbg
Architecture: source amd64 all
Version: 2.1.12+dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Josip Rodin <joy-packa...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
 freeradius - high-performance and highly configurable RADIUS server
 freeradius-common - FreeRADIUS common files
 freeradius-dbg - debug symbols for the FreeRADIUS packages
 freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
 freeradius-postgresql - PostgreSQL module for FreeRADIUS server
 freeradius-utils - FreeRADIUS client utilities
 libfreeradius-dev - FreeRADIUS shared library development files
 libfreeradius2 - FreeRADIUS shared library
Closes: 687175 687178
Changes:
 freeradius (2.1.12+dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix pre-authentication buffer overflow in EAP handling
     (CVE-2012-3547; Closes: #687175, #687178).
Checksums-Sha1:
 39522c76115d1333daf771f43c9f26b4fabb518e 2075 freeradius_2.1.12+dfsg-1.1.dsc
 4b8c6a4e2527ea909bdca9be30dae3b502b599d4 32062 freeradius_2.1.12+dfsg-1.1.debian.tar.gz
 15f90a19cae4087556f66999cedb47e806ccb516 717356 freeradius_2.1.12+dfsg-1.1_amd64.deb
 179d229a9aec9fbb6765c625c3ca1bed32083cfd 105730 freeradius-utils_2.1.12+dfsg-1.1_amd64.deb
 c7d2b026f618f143f9ed0554a9d582e3a8ddd1ae 120082 libfreeradius2_2.1.12+dfsg-1.1_amd64.deb
 a75f258f7131eaad855136ea323d0d3265727c4d 161552 libfreeradius-dev_2.1.12+dfsg-1.1_amd64.deb
 9af3cd80c4e61e2ad92f9db6b67cd43d7a706e0c 38852 freeradius-krb5_2.1.12+dfsg-1.1_amd64.deb
 1a58fe056b00a7a90582ce27faa514e76adfcef8 58514 freeradius-ldap_2.1.12+dfsg-1.1_amd64.deb
 a192f35810cb2e3dbc3fe1322338b5ef2ee51961 59004 freeradius-postgresql_2.1.12+dfsg-1.1_amd64.deb
 9dda0daa1c5c364b8843c24d864d978611305860 47260 freeradius-mysql_2.1.12+dfsg-1.1_amd64.deb
 c5824fc63073921bdf644adf2870994eba222ab8 38214 freeradius-iodbc_2.1.12+dfsg-1.1_amd64.deb
 fd15168b78df2e0c29ab82d6d65f37698fd0f8d4 1732644 freeradius-dbg_2.1.12+dfsg-1.1_amd64.deb
 aafa3374f08c07a0cc10b6f2f512583fd3f20bd8 271540 freeradius-common_2.1.12+dfsg-1.1_all.deb
 aa6ccd4eb536d4b256cdf9bf45d08d7a0dfdc87a 136742 freeradius-dialupadmin_2.1.12+dfsg-1.1_all.deb
Checksums-Sha256:
 5687882c1386eb7dce7b69200cc69dd3bbfb693a9491fc27031988bd702e4851 2075 freeradius_2.1.12+dfsg-1.1.dsc
 27267fc2950c496c4c92d4bf47e3c22e1d148d18e2bf4d5ecfc69bf963fd9b19 32062 freeradius_2.1.12+dfsg-1.1.debian.tar.gz
 d2cc9fc382ec2f643c0788ca23c8b9a6b30aac49bdf7ce7fddc967cec105f4e5 717356 freeradius_2.1.12+dfsg-1.1_amd64.deb
 68465c79b860dcd67ef7894fd6d4bd0692407d70cbd18c49727f271bf78d0bc6 105730 freeradius-utils_2.1.12+dfsg-1.1_amd64.deb
 834c8d04d03d7790117c21f022546cd2670bde497d23e8c4590a68bc5bb8b6bf 120082 libfreeradius2_2.1.12+dfsg-1.1_amd64.deb
 548bc89bb6c4e6c6675e288b47e10c30316634a9553d6427a507373e0c300b8d 161552 libfreeradius-dev_2.1.12+dfsg-1.1_amd64.deb
 08ff325980ade0f3420eac78120dbbd7ef1971291dd9ebe2b0e8f0b1dfc3cf9e 38852 freeradius-krb5_2.1.12+dfsg-1.1_amd64.deb
 f93981949ef6c59e9d71833cc3aecf85de45b5adc295166c7c8958a9d24d290b 58514 freeradius-ldap_2.1.12+dfsg-1.1_amd64.deb
 861858c1efc48d235121195067faf7ea9a82688b9ddca248801c2bc40d704de4 59004 freeradius-postgresql_2.1.12+dfsg-1.1_amd64.deb
 3b2b2a91c6e9fb4ff95c8b382aaa6f5d10c9141b19c86a7f3d19bcdc488d062b 47260 freeradius-mysql_2.1.12+dfsg-1.1_amd64.deb
 a9c228ecf620d2154774e5aea1cd7f68b111202ad964d4592aafbff873169bc2 38214 freeradius-iodbc_2.1.12+dfsg-1.1_amd64.deb
 4afd36342b759c9a3afa57ccfe47040338d05e648bdcc1398b767040718b00ae 1732644 freeradius-dbg_2.1.12+dfsg-1.1_amd64.deb
 5e6ed92ac57ef6d850050288c1fa80f60fd5e75ad4eae01927fdd2c946174b2f 271540 freeradius-common_2.1.12+dfsg-1.1_all.deb
 7910f3e391c52f47ed8af68510a80bca7396b0bb76445c1b68f7887fac4d2222 136742 freeradius-dialupadmin_2.1.12+dfsg-1.1_all.deb
Files:
 c189182e99f1b9bc5ad5d1eb1a796ac2 2075 net optional freeradius_2.1.12+dfsg-1.1.dsc
 99b00a7ea8e4fbcdac58b196ced7d0dd 32062 net optional freeradius_2.1.12+dfsg-1.1.debian.tar.gz
 ac60386dacc0a2a1627b98904b4d4958 717356 net optional freeradius_2.1.12+dfsg-1.1_amd64.deb
 805ad39da53b49b7cbad0b43c5d6b872 105730 net optional freeradius-utils_2.1.12+dfsg-1.1_amd64.deb
 d9f9c64b7d00e346b030d0d21dea2c39 120082 net optional libfreeradius2_2.1.12+dfsg-1.1_amd64.deb
 6318124631fd350f166c1c341da75ed5 161552 libdevel optional libfreeradius-dev_2.1.12+dfsg-1.1_amd64.deb
 3c3b06d5022ba01a6248b24e9e1cc5d1 38852 net optional freeradius-krb5_2.1.12+dfsg-1.1_amd64.deb
 7a02bfe29f8c80d82151045d988903bc 58514 net optional freeradius-ldap_2.1.12+dfsg-1.1_amd64.deb
 5a0c1f677a1cda80c5150ae41c57efab 59004 net optional freeradius-postgresql_2.1.12+dfsg-1.1_amd64.deb
 2af02dbf09bff39f7879fa754fa10c43 47260 net optional freeradius-mysql_2.1.12+dfsg-1.1_amd64.deb
 5372beb4a6dd3770cb5d868446e629f4 38214 net optional freeradius-iodbc_2.1.12+dfsg-1.1_amd64.deb
 952af552352c8e4e6155264dddb73cf5 1732644 debug extra freeradius-dbg_2.1.12+dfsg-1.1_amd64.deb
 c79bd1a9090b8dfb42784833c345329a 271540 net optional freeradius-common_2.1.12+dfsg-1.1_all.deb
 85995460851d7bc5184b6d53c18362a4 136742 net optional freeradius-dialupadmin_2.1.12+dfsg-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBPeqoACgkQHYflSXNkfP+SYACeKMbsRcogmsgFHg31d8sHAbRO
rmQAn3viACPvW2OuSXCkDWiJll2053cc
=bYIS
-----END PGP SIGNATURE-----
--- End Message ---