[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1119085: marked as done (trixie-pu: package openvpn-auth-radius/2.1-9+deb13u1)

Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1119085,
regarding trixie-pu: package openvpn-auth-radius/2.1-9+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1119085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119085
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: openvpn-auth-radius@packages.debian.org
Control: affects -1 + src:openvpn-auth-radius
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I have uploaded openvpn-auth-radius 2.1-9+deb13u1 for inclusion in
trixie.

Samuel

[ Reason ]
As reported on #1118479, the version in trixie of openvpn-auth-radius
introduced a use-after-free, which in a hardened environment makes it
completely non-working, while it was working in debian 12.

[ Impact ]
I hadn't noticed the issue in my testing environment, but the reporter
of #1118479 ended up in a completely non-working situation.

[ Tests ]
This was tested manually by the reporter.

[ Risks ]
The code is very trivial, it just extends the liveness of the underlying
string.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
server->getSharedSecret().c_str() doesn't work because the string
returned by getSharedSecret can actually be thrown away before we use
the secret. Storing the string extends its liveness so the char*
returned by c_str() can be read safely.

diff -Nru openvpn-auth-radius-2.1/debian/changelog openvpn-auth-radius-2.1/debian/changelog
--- openvpn-auth-radius-2.1/debian/changelog	2024-10-20 17:28:08.000000000 +0200
+++ openvpn-auth-radius-2.1/debian/changelog	2025-10-26 18:28:22.000000000 +0100
@@ -1,3 +1,10 @@
+openvpn-auth-radius (2.1-9+deb13u1) trixie; urgency=medium
+
+  * patches/0008-authenticate-fix: Fix packet authentication
+    (Closes: Bug#1118479)
+
+ -- Samuel Thibault <sthibault@debian.org>  Sun, 26 Oct 2025 18:28:22 +0100
+
 openvpn-auth-radius (2.1-9) unstable; urgency=medium
 
   * QA upload.
diff -Nru openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix
--- openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix	1970-01-01 01:00:00.000000000 +0100
+++ openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix	2025-10-21 00:11:25.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix RADIUS Packet Authentication use-after-free
+ The BLASTRadius vulnerability mitigation introduced a use-after-free
+ in the RadiusPacket::authenticateReceivedPacket method.
+ This fix prevents use-after-free by assigning the string to a
+ variable before relying on the c_str result.
+Author: Martin Rampersad <martin.rampersad@emkal.ca>
+Last-Update: 2025-10-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/RadiusClass/RadiusPacket.cpp
++++ b/RadiusClass/RadiusPacket.cpp
+@@ -706,7 +706,8 @@
+ 
+ int	RadiusPacket::authenticateReceivedPacket(RadiusServer *server)
+ {
+-	const char *secret = server->getSharedSecret().c_str();
++	string secretString = server->getSharedSecret();
++	const char *secret = secretString.c_str();
+ 	gcry_md_hd_t	context;
+ 	int res;
+ 	
diff -Nru openvpn-auth-radius-2.1/debian/patches/series openvpn-auth-radius-2.1/debian/patches/series
--- openvpn-auth-radius-2.1/debian/patches/series	2024-10-20 17:27:15.000000000 +0200
+++ openvpn-auth-radius-2.1/debian/patches/series	2025-10-21 00:11:25.000000000 +0200
@@ -5,3 +5,4 @@
 40_use_cppflags.diff
 0006-Support-verify-client-cert-directive-in-openvpn-2.4.patch
 0007-RadiusBLAST
+0008-authenticate-fix

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
Reply to: