Bug#964898: buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#964898: buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 11 Jul 2020 21:35:32 +0200
Message-id: <[🔎] 159449613235.11976.18027313884902922705.reportbug@lorien.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 964898@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in
buster as well. A while ago Utkarsh Gupta prepared a QA update for
unstable.

libpam-radius-pam should not be included in bullseye if there is not
active maintainer, but for stable we can fix the CVE based on the
upload in unstable (minus the packaging changes).

Attached the debdiff.

Can it be included in the next buster point release?

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog
--- libpam-radius-auth-1.4.0/debian/changelog	2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/changelog	2020-07-11 21:24:48.000000000 +0200
@@ -1,3 +1,21 @@
+libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster.
+  * Revert packaging changes:
+    - Lower Standards-Version to 4.2.0
+    - Lower Debhelper compat level to 11   
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 11 Jul 2020 21:24:48 +0200
+
+libpam-radius-auth (1.4.0-3) unstable; urgency=medium
+
+  * QA upload
+  * Add patch to fix buffer overflow in password field.
+    (Fixes: CVE-2015-9542) (Closes: #951396)
+  * Bump Standards-Version to 4.5.0 and dh-compat to 12
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Fri, 21 Feb 2020 15:47:11 +0530
+
 libpam-radius-auth (1.4.0-2) unstable; urgency=medium
 
   * QA upload.
diff -Nru libpam-radius-auth-1.4.0/debian/control libpam-radius-auth-1.4.0/debian/control
--- libpam-radius-auth-1.4.0/debian/control	2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/control	2020-02-21 11:17:11.000000000 +0100
@@ -2,8 +2,8 @@
 Maintainer: Debian QA Group <packages@qa.debian.org>
 Section: admin
 Priority: optional
-Standards-Version: 4.2.0
-Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 11)
+Standards-Version: 4.5.0
+Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 12)
 Rules-Requires-Root: no
 Homepage: https://www.freeradius.org/pam_radius_auth/
 
diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix
--- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix	1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix	2020-02-21 10:52:32.000000000 +0100
@@ -0,0 +1,31 @@
+Description: This patch fixes CVE-2015-9542.
+Author: Justin Standring <me@justinstandring.com>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Bug-Debian: https://bugs.debian.org/951396
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
+Last-Update: 2020-02-21
+
+--- a/src/pam_radius_auth.c
++++ b/src/pam_radius_auth.c
+@@ -528,6 +528,9 @@
+ 		length = MAXPASS;
+ 	}
+ 
++	memcpy(hashed, password, length);
++	memset(hashed + length, 0, sizeof(hashed) - length);
++
+ 	if (length == 0) {
+ 		length = AUTH_PASS_LEN;			/* 0 maps to 16 */
+ 	} if ((length & (AUTH_PASS_LEN - 1)) != 0) {
+@@ -535,9 +538,6 @@
+ 		length &= ~(AUTH_PASS_LEN - 1);		/* chop it off */
+ 	}						/* 16*N maps to itself */
+ 
+-	memset(hashed, 0, length);
+-	memcpy(hashed, password, strlen(password));
+-
+ 	attr = find_attribute(request, PW_PASSWORD);
+ 
+ 	if (type == PW_PASSWORD) {
diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series
--- libpam-radius-auth-1.4.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/series	2020-02-21 11:13:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-9542.fix

Reply to:

Follow-Ups:
- Bug#964898: buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#964898: libpam-radius-auth 1.4.0-3~deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: NEW changes in stable-new
Next by Date: NEW changes in stable-new
Previous by thread: Processed: closing 964881
Next by thread: Bug#964898: buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
Index(es):
- Date
- Thread