Bug#1119085: trixie-pu: package openvpn-auth-radius/2.1-9+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: openvpn-auth-radius@packages.debian.org
Control: affects -1 + src:openvpn-auth-radius
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I have uploaded openvpn-auth-radius 2.1-9+deb13u1 for inclusion in
trixie.
Samuel
[ Reason ]
As reported on #1118479, the version in trixie of openvpn-auth-radius
introduced a use-after-free, which in a hardened environment makes it
completely non-working, while it was working in Debian 12.
[ Impact ]
I hadn't noticed the issue in my testing environment, but the reporter
of #1118479 ended up in a completely non-working situation.
[ Tests ]
This was tested manually by the reporter.
[ Risks ]
The code is very trivial, it just extends the liveness of the underlying
string.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
server->getSharedSecret().c_str() doesn't work because the string
returned by getSharedSecret can actually be thrown away before we use
the secret. Storing the string extends its liveness so the char*
returned by c_str() can be read safely.
diff -Nru openvpn-auth-radius-2.1/debian/changelog openvpn-auth-radius-2.1/debian/changelog
--- openvpn-auth-radius-2.1/debian/changelog 2024-10-20 17:28:08.000000000 +0200
+++ openvpn-auth-radius-2.1/debian/changelog 2025-10-26 18:28:22.000000000 +0100
@@ -1,3 +1,10 @@
+openvpn-auth-radius (2.1-9+deb13u1) trixie; urgency=medium
+
+ * patches/0008-authenticate-fix: Fix packet authentication
+ (Closes: Bug#1118479)
+
+ -- Samuel Thibault <sthibault@debian.org> Sun, 26 Oct 2025 18:28:22 +0100
+
openvpn-auth-radius (2.1-9) unstable; urgency=medium
* QA upload.
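Review bot: the changelog line "Fix packet authentication" does not say what was wrong, and a stable update's changelog is what users read to decide whether they are affected. Suggest naming the regression and where it came from, e.g. "Fix use-after-free in RadiusPacket::authenticateReceivedPacket introduced by the 0007-RadiusBLAST patch, which broke RADIUS packet authentication on hardened systems (Closes: #1118479)". `Closes: Bug#1118479` is accepted by dpkg's parser, but `Closes: #1118479` is the form used across the archive.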
diff -Nru openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix
--- openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix 1970-01-01 01:00:00.000000000 +0100
+++ openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix 2025-10-21 00:11:25.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix RADIUS Packet Authentication use-after-free
+ The BLASTRadius vulnerability mitigation introduced a use-after-free
+ in the RadiusPacket::authenticateReceivedPacket method.
+ This fix prevents use-after-free by assigning the string to a
+ variable before relying on the c_str result.
+Author: Martin Rampersad <martin.rampersad@emkal.ca>
+Last-Update: 2025-10-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/RadiusClass/RadiusPacket.cpp
++++ b/RadiusClass/RadiusPacket.cpp
+@@ -706,7 +706,8 @@
+
+ int RadiusPacket::authenticateReceivedPacket(RadiusServer *server)
+ {
+- const char *secret = server->getSharedSecret().c_str();
++ string secretString = server->getSharedSecret();
++ const char *secret = secretString.c_str();
+ gcry_md_hd_t context;
+ int res;
+
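Review bot: the unqualified `string` in `string secretString = server->getSharedSecret();` only compiles if RadiusPacket.cpp already has `using namespace std;` in scope, which the hunk context does not show; `std::string secretString = ...` is the safer spelling to carry in a patch, and `const std::string &secretString = server->getSharedSecret();` would also bind to the temporary, extend its lifetime for the rest of the function and avoid the copy. The DEP-3 header would also benefit from a `Bug-Debian: https://bugs.debian.org/1118479` field so the patch links back to the report it fixes; the free-form "This patch header follows DEP-3" line after `---` is harmless but carries no information for dpkg-source.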
diff -Nru openvpn-auth-radius-2.1/debian/patches/series openvpn-auth-radius-2.1/debian/patches/series
--- openvpn-auth-radius-2.1/debian/patches/series 2024-10-20 17:27:15.000000000 +0200
+++ openvpn-auth-radius-2.1/debian/patches/series 2025-10-21 00:11:25.000000000 +0200
@@ -5,3 +5,4 @@
40_use_cppflags.diff
0006-Support-verify-client-cert-directive-in-openvpn-2.4.patch
0007-RadiusBLAST
+0008-authenticate-fix
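The lifetime bug described under [ Changes ], as an added example that is not code from openvpn-auth-radius or from the Debian patch: `RadiusServer`, `getSharedSecret()` and the function names are stand-ins that mirror the patch, and `TracedSecret` is an instrumented string that records which object `c_str()` was last called on and whether that object has since been destroyed, so the dangling pointer can be observed without ever reading freed memory. It shows the one-liner from before the patch, the named-local fix the patch applies, and the const-reference variant that extends the temporary's lifetime without a copy.

```cpp
// Added example, not openvpn-auth-radius code.  Stand-in types reproduce the
// temporary-lifetime bug behind #1118479 and the two safe patterns.
#include <cstring>
#include <string>
#include <utility>

// Instrumentation: the object c_str() was last called on, and whether its
// destructor has run since.  This is how the example observes a dangling
// pointer without dereferencing it (that would be undefined behaviour).
static const void *g_cstr_owner = nullptr;
static bool g_cstr_owner_destroyed = false;

// Stand-in for the std::string that getSharedSecret() returns (assumed name).
struct TracedSecret {
    std::string value;
    explicit TracedSecret(std::string v) : value(std::move(v)) {}
    ~TracedSecret() {
        if (this == g_cstr_owner) g_cstr_owner_destroyed = true;
    }
    const char *c_str() const {
        g_cstr_owner = this;
        g_cstr_owner_destroyed = false;
        return value.c_str();
    }
};

// Minimal stand-in for RadiusServer.  getSharedSecret() returns by value, which
// is what makes the original one-liner a use-after-free: each call yields a
// temporary that is destroyed at the end of the full expression it appears in.
struct RadiusServer {
    std::string sharedSecret;
    TracedSecret getSharedSecret() const { return TracedSecret(sharedSecret); }
};

// Pattern from before the patch.  Returns true when the temporary that owned
// the bytes behind `secret` was destroyed before `secret` could be used, i.e.
// when `secret` is dangling.  `secret` is deliberately never dereferenced.
bool secretDanglesInBuggyPattern(const RadiusServer &server) {
    const char *secret = server.getSharedSecret().c_str();
    // The temporary's destructor has already run at this point.  Whether the
    // freed buffer still happens to hold the secret depends on the allocator,
    // which is why the bug only surfaced in a hardened environment.
    (void)secret;
    return g_cstr_owner_destroyed;
}

// Pattern the patch switches to: a named local owns the string, so the buffer
// c_str() points into lives until the function returns.  Returns true when
// `presented` equals the shared secret and the buffer was alive at comparison.
bool authenticateFixedPattern(const RadiusServer &server, const char *presented) {
    TracedSecret secretString = server.getSharedSecret();
    const char *secret = secretString.c_str();
    if (g_cstr_owner_destroyed) return false;  // would be a read of freed memory
    return std::strcmp(secret, presented) == 0;
}

// Equivalent fix without the copy: binding a const reference to the temporary
// extends the temporary's lifetime to that of the reference.
bool authenticateConstRefPattern(const RadiusServer &server, const char *presented) {
    const TracedSecret &secretRef = server.getSharedSecret();
    const char *secret = secretRef.c_str();
    if (g_cstr_owner_destroyed) return false;
    return std::strcmp(secret, presented) == 0;
}

int main() {
    RadiusServer server{"testing123"};  // constructed sample secret
    const bool dangles = secretDanglesInBuggyPattern(server);
    const bool ok = authenticateFixedPattern(server, "testing123") &&
                    authenticateConstRefPattern(server, "testing123");
    return (dangles && ok) ? 0 : 1;
}
```

The instrumentation tracks the object `c_str()` was called on rather than counting copies, so the result does not depend on whether the compiler elides the return-value copy; the only thing that matters is whether the owner of the `char*` outlives its use, which is exactly what the patch changes.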