
Bug#1120965: marked as done (trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u2)



Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004ReQ-1JmU@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1120965,
regarding trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1120965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120965
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: freeradius@packages.debian.org
Control: affects -1 + src:freeradius
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
FreeRADIUS 3.2.7 in Trixie contains a bug that causes it to segfault
when a certificate chain with two intermediate certificates is loaded, see

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
https://github.com/FreeRADIUS/freeradius-server/issues/5515

It can be fixed by backporting a single commit from 3.2.8; therefore
unstable is already fixed.

The issue was found, and the patch prepared and verified, by OdyX.

[ Impact ]
Segmentation fault when a new certificate chain is loaded

[ Tests ]
Fix verified by Didier 'OdyX' Raboud.
FreeRADIUS has some non-trivial autopkgtests; however, these do not test
EAP/TLS-related code paths.

[ Risks ]
Verified fix, direct backport of a commit released with a later upstream
version

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- Backporting fix
- Change salsa-ci to run in trixie

[ Other info ]
As CAs tend to change their intermediate structure and may introduce
intermediates with certificate refreshes (as has happened here for the
original reporter) I consider this somewhat urgent. Therefore I would
like to push this to proposed as soon as possible.
diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog
--- freeradius-3.2.7+dfsg/debian/changelog	2025-10-01 19:36:38.000000000 +0200
+++ freeradius-3.2.7+dfsg/debian/changelog	2025-11-18 21:51:33.000000000 +0100
@@ -1,3 +1,11 @@
+freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium
+
+  [ Didier Raboud ]
+  * Backport patch to fix segfaults on TLS connections with more than one
+    intermediate certificate (Closes: #1120927)
+
+ -- Bernhard Schmidt <berni@debian.org>  Tue, 18 Nov 2025 21:51:33 +0100
+
 freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium
 
   * Non-maintainer upload.
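Review bot: the new changelog entry names only the Debian bug (Closes: #1120927) and not the upstream change it carries, although the pu request says this is a verbatim backport of a single 3.2.8 commit fixing FreeRADIUS/freeradius-server#5515. Recording the upstream issue or commit in the entry (e.g. "Backport upstream fix for freeradius-server#5515: segfault on TLS connections with more than one intermediate certificate (Closes: #1120927)") lets the next uploader see which 3.2.8 change is already included when rebasing, without having to find this pu request.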
diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series
--- freeradius-3.2.7+dfsg/debian/patches/series	2025-10-01 19:31:39.000000000 +0200
+++ freeradius-3.2.7+dfsg/debian/patches/series	2025-11-18 21:51:33.000000000 +0100
@@ -6,3 +6,4 @@
 dont-install-tests.diff
 snakeoil-certs.diff
 fips.patch
+wrap-crl_dp-checks-in-if-certs--lookup-=.patch
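Review bot: the patch file name wrap-crl_dp-checks-in-if-certs--lookup-=.patch is the upstream commit subject as mangled by the export tool, with "--" and a trailing "=" standing in for "<=", which says nothing about the symptom and is awkward to quote. A descriptive name such as fix-segfault-with-two-intermediate-certs.patch, matching the changelog wording, would be easier to refer to in the BTS and to carry forward to later trixie uploads.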
diff -Nru freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
--- freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch	2025-11-18 21:51:33.000000000 +0100
@@ -0,0 +1,63 @@
+From: Alan T. DeKok <aland@freeradius.org>
+Date: Wed, 12 Feb 2025 07:03:13 -0500
+X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0 05125f178649b7af17a1dc81642b91c937f4d93a
+Subject: wrap crl_dp checks in if (certs && (lookup <= 1). Fixes #5515
+
+
+---
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 2e97940..2821b93 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3077,30 +3077,33 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ 	/*
+ 	 *	Get the Certificate Distribution points
+ 	 */
+-	crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+-	if (crl_dp) {
+-		DIST_POINT *dp;
+-		const char *url_ptr;
++	if (certs && (lookup <= 1)) {
++		crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+ 
+-		for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+-			size_t len;
+-			char cdp[1024];
++		if (crl_dp) {
++			DIST_POINT *dp;
++			const char *url_ptr;
+ 
+-			dp = sk_DIST_POINT_value(crl_dp, i);
+-			if (!dp) continue;
++			for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
++				size_t len;
++				char cdp[1024];
+ 
+-			url_ptr = get_cdp_url(dp);
+-			if (!url_ptr) continue;
++				dp = sk_DIST_POINT_value(crl_dp, i);
++				if (!dp) continue;
+ 
+-			len = strlen(url_ptr);
+-			if (len >= sizeof(cdp)) continue;
++				url_ptr = get_cdp_url(dp);
++				if (!url_ptr) continue;
+ 
+-			memcpy(cdp, url_ptr, len + 1);
++				len = strlen(url_ptr);
++				if (len >= sizeof(cdp)) continue;
+ 
+-			vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+-			rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++				memcpy(cdp, url_ptr, len + 1);
++
++				vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
++				rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++			}
++			sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ 		}
+-		sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ 	}
+ 
+ 	/*
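Review bot: the whole fix is the new guard `if (certs && (lookup <= 1))`; the body it wraps is unchanged apart from indentation and still indexes `cert_attr_names[FR_TLS_CDP][lookup]` and passes `certs` to `fr_pair_make()`, neither of which was bounds- or NULL-checked before. With a chain of two intermediates the callback is presumably invoked at depths above 1, which is where the unguarded index ran past the per-depth attribute table, so the guard is the right minimal change rather than a clamp of `lookup`; for those deeper certificates the CRL distribution points are now simply not collected. The `sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free)` call moves with the block and stays inside `if (crl_dp)`, so no free is lost or doubled. One thing to add before upload: the patch header carries only From:, Date:, X-Dgit-Generated: and Subject:, so the DEP-3 provenance is missing. Please add `Origin: upstream, <URL of the 3.2.8 commit>`, `Bug: https://github.com/FreeRADIUS/freeradius-server/issues/5515` and `Bug-Debian: https://bugs.debian.org/1120927` so the backport is traceable from the source package alone.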
diff -Nru freeradius-3.2.7+dfsg/debian/salsa-ci.yml freeradius-3.2.7+dfsg/debian/salsa-ci.yml
--- freeradius-3.2.7+dfsg/debian/salsa-ci.yml	2025-02-10 22:50:22.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/salsa-ci.yml	2025-11-18 21:51:33.000000000 +0100
@@ -3,7 +3,7 @@
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
-  RELEASE: 'unstable'
+  RELEASE: 'trixie'
 
 # mark currently failing tests as allowed to fail
 blhc:
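Review bot: this RELEASE change to debian/salsa-ci.yml is listed under [ Changes ] in the request but has no line in the d/changelog entry above, even though the checklist asserts that all changes are documented there. Either add a line such as "Run salsa-ci against trixie" or drop the hunk from the stable upload; it only affects the Salsa pipeline, not the built package, so it is not needed for the fix and is the one part of this debdiff the release team cannot verify from the package itself.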

--- End Message ---
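The request above says the crash needs a chain with two intermediates and that the package's autopkgtests do not reach the EAP/TLS code paths, so a reviewer has no packaged way to reproduce it. The script below is an added example, not code from the bug report, the Debian package or the FreeRADIUS project: it builds a throwaway PKI (root, two intermediates, one server certificate) with nothing but openssl and writes the leaf-first chain a RADIUS server would load. The subjects, file names, the directory layout and the example hostname are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the FreeRADIUS project): build a
# throwaway PKI whose server chain has TWO intermediates, the shape that
# triggered the segfault, so the fixed package can be exercised on a test box.
# Only openssl is needed. Subjects, file names and layout are assumptions.
set -eu

# Minimal req config so the script does not depend on the system openssl.cnf;
# the CN here is a placeholder that -subj overrides on every call.
write_req_cnf() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' > "$1/req.cnf"
}

# issue_cert DIR NAME ISSUER EXTFILE: new key + CSR for NAME, signed by ISSUER.
issue_cert() {
    dir=$1; name=$2; issuer=$3; extfile=$4
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example $name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" \
        -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" -CAcreateserial \
        -extfile "$extfile" -out "$dir/$name.pem" >/dev/null 2>&1
}

# make_chain DIR: writes root.pem, int1.pem, int2.pem, server.pem/server.key
# and chain.pem (server, then int2, then int1: leaf first) into DIR.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    write_req_cnf "$dir"
    # CA extensions for root and both intermediates.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    # End-entity extensions for the RADIUS server certificate.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:radius.example.test' > "$dir/server.ext"
    # Self-signed root; extensions come from the CA ext file as a config.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ca' '[dn]' 'CN = Example Test Root' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$dir/root.cnf"
    openssl req -x509 -config "$dir/root.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 30 -keyout "$dir/root.key" -out "$dir/root.pem" \
        >/dev/null 2>&1
    issue_cert "$dir" int1 root "$dir/ca.ext"        # depth 2 from the leaf
    issue_cert "$dir" int2 int1 "$dir/ca.ext"        # depth 1 from the leaf
    issue_cert "$dir" server int2 "$dir/server.ext"  # depth 0, the leaf
    cat "$dir/server.pem" "$dir/int2.pem" "$dir/int1.pem" > "$dir/chain.pem"
}

# verify_chain DIR: 0 if the leaf verifies through both intermediates to the
# root, i.e. the chain is well-formed before radiusd is asked to walk it.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# chain_depth DIR: number of certificates in chain.pem (3 for this PKI).
chain_depth() {
    grep -c 'BEGIN CERTIFICATE' "$1/chain.pem"
}

# Stand-alone run: build the chain in a temp dir and report where it is.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_chain "$d"
    verify_chain "$d"
    echo "chain OK: $(chain_depth "$d") certificates in $d/chain.pem"
fi
```

To exercise the fix, point the tls-config block of mods-available/eap at the output (certificate_file = chain.pem, private_key_file = server.key, ca_file = root.pem), start radiusd -X and drive one EAP-TLS authentication through it, for instance with eapol_test from wpa_supplicant; a client certificate for that can be issued with the same issue_cert function. The report states the crash happens when the chain is loaded, so one round-trip is enough to tell 3.2.7+dfsg-1+deb13u1 from the deb13u2 build.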
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.

--- End Message ---
