Bug#964898: buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
Hi,
On Sat, Jul 11, 2020 at 09:35:32PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hi
>
> libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in
> buster as well. A while ago Utkarsh Gupta prepared a QA update for
> unstable.
>
> libpam-radius-pam should not be included in bullseye if there is no
> active maintainer, but for stable we can fix the CVE based on the
> upload in unstable (minus the packaging changes).
>
> Attached the debdiff.
The correct debdiff attached now (with the packaging changes
reverted).
Regards,
Salvatore
diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog
--- libpam-radius-auth-1.4.0/debian/changelog 2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/changelog 2020-07-11 21:24:48.000000000 +0200
@@ -1,3 +1,21 @@
+libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium
+
+ * Rebuild for buster.
+ * Revert packaging changes:
+ - Lower Standards-Version to 4.2.0
+ - Lower Debhelper compat level to 11
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 11 Jul 2020 21:24:48 +0200
+
+libpam-radius-auth (1.4.0-3) unstable; urgency=medium
+
+ * QA upload
+ * Add patch to fix buffer overflow in password field.
+ (Fixes: CVE-2015-9542) (Closes: #951396)
+ * Bump Standards-Version to 4.5.0 and dh-compat to 12
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Fri, 21 Feb 2020 15:47:11 +0530
+
libpam-radius-auth (1.4.0-2) unstable; urgency=medium
* QA upload.
diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix
--- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 2020-02-21 10:52:32.000000000 +0100
@@ -0,0 +1,31 @@
+Description: This patch fixes CVE-2015-9542.
+Author: Justin Standring <me@justinstandring.com>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Bug-Debian: https://bugs.debian.org/951396
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
+Last-Update: 2020-02-21
+
+--- a/src/pam_radius_auth.c
++++ b/src/pam_radius_auth.c
+@@ -528,6 +528,9 @@
+ length = MAXPASS;
+ }
+
++ memcpy(hashed, password, length);
++ memset(hashed + length, 0, sizeof(hashed) - length);
++
+ if (length == 0) {
+ length = AUTH_PASS_LEN; /* 0 maps to 16 */
+ } if ((length & (AUTH_PASS_LEN - 1)) != 0) {
+@@ -535,9 +538,6 @@
+ length &= ~(AUTH_PASS_LEN - 1); /* chop it off */
+ } /* 16*N maps to itself */
+
+- memset(hashed, 0, length);
+- memcpy(hashed, password, strlen(password));
+-
+ attr = find_attribute(request, PW_PASSWORD);
+
+ if (type == PW_PASSWORD) {
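Review bot: The DEP-3 header of this patch says only "This patch fixes CVE-2015-9542" and should describe the actual defect shown in the inner hunks, since that is what a stable-update reviewer has to verify. The removed lines did `memset(hashed, 0, length);` followed by `memcpy(hashed, password, strlen(password));`, so the copy length came from `strlen(password)` rather than from `length`, which the context a few lines above shows being capped to `MAXPASS`; the added lines copy exactly `length` bytes and then clear the remainder with `memset(hashed + length, 0, sizeof(hashed) - length);`, which also zeroes the padding introduced when `length` is later rounded up to a multiple of `AUTH_PASS_LEN`. That second call is only in bounds if `hashed` is a fixed-size array whose `sizeof` is the real buffer size (not a pointer), which this hunk does not show; a Description line such as "Bound the password copy by the MAXPASS-capped length instead of strlen(password), and zero the whole hashed buffer" would document that assumption. Minor: DEP-3 expects a single Origin field; the two extra upstream commits would be better listed in a Comment field.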
diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series
--- libpam-radius-auth-1.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/series 2020-02-21 11:13:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-9542.fix