Bug 1218467 (CVE-2015-8762, CVE-2015-8763, CVE-2015-8764)
Summary: | CVE-2015-8762 CVE-2015-8763 CVE-2015-8764 freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Fabio Olive Leite <fleite> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dpal, ebenes, jrusnack, lemenkov, nikolai.kondrashov, vkaigoro |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | FreeRADIUS 3.0.9 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-08-02 03:30:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1248894 | ||
Bug Blocks: | 1218471 |
Description
Fabio Olive Leite
2015-05-05 01:41:53 UTC
CVE Request: http://seclists.org/oss-sec/2015/q3/261 Statement: This issue affects the version of freeradius as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1248894] Three CVEs were assigned (http://seclists.org/oss-sec/2016/q1/52): CVE-2015-8762: The EAP-PWD packet length is not checked before the first byte is dereferenced. A zero-length EAP-PWD packet will cause the module to dereference a NULL pointer, and will cause the server to crash. CVE-2015-8763: The commit message payload length is not validated before the packet is decoded. This can result in a read overflow in the server. The confirm message payload length is not validated before the packet is decoded. This can result in a read overflow in the server. CVE-2015-8764: A strcpy() was used to pack a C string into an EAP-PWD packet. This would result in an over-run of the destination buffer by one byte. |