--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 11 Jul 2020 21:35:32 +0200
- Message-id: <159449613235.11976.18027313884902922705.reportbug@lorien.valinor.li>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in
buster as well. A while ago Utkarsh Gupta prepared a QA update for
unstable.
libpam-radius-pam should not be included in bullseye if there is not
active maintainer, but for stable we can fix the CVE based on the
upload in unstable (minus the packaging changes).
Attached the debdiff.
Can it be included in the next buster point release?
Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog
--- libpam-radius-auth-1.4.0/debian/changelog 2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/changelog 2020-07-11 21:24:48.000000000 +0200
@@ -1,3 +1,21 @@
+libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium
+
+ * Rebuild for buster.
+ * Revert packaging changes:
+ - Lower Standards-Version to 4.2.0
+ - Lower Debhelper compat level to 11
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 11 Jul 2020 21:24:48 +0200
+
+libpam-radius-auth (1.4.0-3) unstable; urgency=medium
+
+ * QA upload
+ * Add patch to fix buffer overflow in password field.
+ (Fixes: CVE-2015-9542) (Closes: #951396)
+ * Bump Standards-Version to 4.5.0 and dh-compat to 12
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Fri, 21 Feb 2020 15:47:11 +0530
+
libpam-radius-auth (1.4.0-2) unstable; urgency=medium
* QA upload.
diff -Nru libpam-radius-auth-1.4.0/debian/control libpam-radius-auth-1.4.0/debian/control
--- libpam-radius-auth-1.4.0/debian/control 2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/control 2020-02-21 11:17:11.000000000 +0100
@@ -2,8 +2,8 @@
Maintainer: Debian QA Group <packages@qa.debian.org>
Section: admin
Priority: optional
-Standards-Version: 4.2.0
-Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 11)
+Standards-Version: 4.5.0
+Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 12)
Rules-Requires-Root: no
Homepage: https://www.freeradius.org/pam_radius_auth/
diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix
--- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 2020-02-21 10:52:32.000000000 +0100
@@ -0,0 +1,31 @@
+Description: This patch fixes CVE-2015-9542.
+Author: Justin Standring <me@justinstandring.com>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Bug-Debian: https://bugs.debian.org/951396
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
+Last-Update: 2020-02-21
+
+--- a/src/pam_radius_auth.c
++++ b/src/pam_radius_auth.c
+@@ -528,6 +528,9 @@
+ length = MAXPASS;
+ }
+
++ memcpy(hashed, password, length);
++ memset(hashed + length, 0, sizeof(hashed) - length);
++
+ if (length == 0) {
+ length = AUTH_PASS_LEN; /* 0 maps to 16 */
+ } if ((length & (AUTH_PASS_LEN - 1)) != 0) {
+@@ -535,9 +538,6 @@
+ length &= ~(AUTH_PASS_LEN - 1); /* chop it off */
+ } /* 16*N maps to itself */
+
+- memset(hashed, 0, length);
+- memcpy(hashed, password, strlen(password));
+-
+ attr = find_attribute(request, PW_PASSWORD);
+
+ if (type == PW_PASSWORD) {
diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series
--- libpam-radius-auth-1.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/series 2020-02-21 11:13:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-9542.fix
--- End Message ---