
Bug#964898: marked as done (buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964898,
regarding buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964898: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964898
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in
buster as well. A while ago Utkarsh Gupta prepared a QA update for
unstable.

libpam-radius-pam should not be included in bullseye if there is no
active maintainer, but for stable we can fix the CVE based on the
upload in unstable (minus the packaging changes).

Attached is the debdiff.

Can it be included in the next buster point release?

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog
--- libpam-radius-auth-1.4.0/debian/changelog	2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/changelog	2020-07-11 21:24:48.000000000 +0200
@@ -1,3 +1,21 @@
+libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster.
+  * Revert packaging changes:
+    - Lower Standards-Version to 4.2.0
+    - Lower Debhelper compat level to 11   
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 11 Jul 2020 21:24:48 +0200
+
+libpam-radius-auth (1.4.0-3) unstable; urgency=medium
+
+  * QA upload
+  * Add patch to fix buffer overflow in password field.
+    (Fixes: CVE-2015-9542) (Closes: #951396)
+  * Bump Standards-Version to 4.5.0 and dh-compat to 12
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Fri, 21 Feb 2020 15:47:11 +0530
+
 libpam-radius-auth (1.4.0-2) unstable; urgency=medium
 
   * QA upload.
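Review bot: the 1.4.0-3~deb10u1 entry states that the packaging changes were reverted (Standards-Version back to 4.2.0, debhelper compat back to 11), but the debian/control part of this same debdiff still raises them to 4.5.0 and debhelper-compat (= 12); the changelog and the control change need to agree before upload, and for a stable update the changelog's version is the one to keep. The "Lower Debhelper compat level to 11" line also carries trailing whitespace that should be stripped.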
diff -Nru libpam-radius-auth-1.4.0/debian/control libpam-radius-auth-1.4.0/debian/control
--- libpam-radius-auth-1.4.0/debian/control	2018-09-05 21:44:07.000000000 +0200
+++ libpam-radius-auth-1.4.0/debian/control	2020-02-21 11:17:11.000000000 +0100
@@ -2,8 +2,8 @@
 Maintainer: Debian QA Group <packages@qa.debian.org>
 Section: admin
 Priority: optional
-Standards-Version: 4.2.0
-Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 11)
+Standards-Version: 4.5.0
+Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 12)
 Rules-Requires-Root: no
 Homepage: https://www.freeradius.org/pam_radius_auth/
 
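Review bot: this hunk contradicts the ~deb10u1 changelog entry, which says the Standards-Version and debhelper-compat bumps were reverted for buster; the +++ timestamp (2020-02-21) matches the unstable upload rather than the July rebuild, which suggests the revert was never applied to debian/control. A stable update should carry only the CVE fix, so drop this hunk and keep `Standards-Version: 4.2.0` and `debhelper-compat (= 11)`.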
diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix
--- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix	1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix	2020-02-21 10:52:32.000000000 +0100
@@ -0,0 +1,31 @@
+Description: This patch fixes CVE-2015-9542.
+Author: Justin Standring <me@justinstandring.com>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Bug-Debian: https://bugs.debian.org/951396
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
+Last-Update: 2020-02-21
+
+--- a/src/pam_radius_auth.c
++++ b/src/pam_radius_auth.c
+@@ -528,6 +528,9 @@
+ 		length = MAXPASS;
+ 	}
+ 
++	memcpy(hashed, password, length);
++	memset(hashed + length, 0, sizeof(hashed) - length);
++
+ 	if (length == 0) {
+ 		length = AUTH_PASS_LEN;			/* 0 maps to 16 */
+ 	} if ((length & (AUTH_PASS_LEN - 1)) != 0) {
+@@ -535,9 +538,6 @@
+ 		length &= ~(AUTH_PASS_LEN - 1);		/* chop it off */
+ 	}						/* 16*N maps to itself */
+ 
+-	memset(hashed, 0, length);
+-	memcpy(hashed, password, strlen(password));
+-
+ 	attr = find_attribute(request, PW_PASSWORD);
+ 
+ 	if (type == PW_PASSWORD) {
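Review bot: the relocated memcpy now copies the clamped `length` instead of `strlen(password)`, which is the change that actually closes the overflow, and the memset zeroes the remainder of the buffer before `length` is rounded to a multiple of AUTH_PASS_LEN, so the padding bytes consumed by the later hashing are defined. Two things to confirm in the surrounding code (not visible in this hunk): that `hashed` is declared as a fixed-size array in this function, since `sizeof(hashed) - length` is only the remaining buffer size in that case, and that MAXPASS does not exceed that array's size. The DEP-3 header would also benefit from a one-line Description of the defect itself (a password longer than MAXPASS overran `hashed`, as the changelog's "buffer overflow in password field" hints), since "fixes CVE-2015-9542" alone does not tell a reader what changed.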
diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series
--- libpam-radius-auth-1.4.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/series	2020-02-21 11:13:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-9542.fix
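Review bot: style only: Debian packages conventionally name quilt patches with a `.patch` suffix (e.g. `CVE-2015-9542.patch`); the `.fix` name works with quilt but is unusual and makes the file harder to recognise in the source tree.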

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---