Bug 1686980 (CVE-2015-9542)

Summary: CVE-2015-9542 pam_radius: buffer overflow in password field
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: medium
Priority: medium
Version: unspecified
CC: ascheel, cbuissar, jdennis, jtfas90, mhonek, mreynolds, rmeggins, security-response-team, spichugi, tbordaz, timlank, vashirov, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pam_radius 2.0.0
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-31 13:38:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1802060
Bug Blocks: Embargoed 1686981

Description Laura Pardo 2019-03-08 19:30:07 UTC
A vulnerability was found in pam_radius: the password length check was done incorrectly in the add_password() function, resulting in a stack-based buffer overflow.

This could be used to crash (DoS) an application using the PAM stack for authentication.

Comment 2 Cedric Buissart 2020-02-12 09:43:05 UTC
Created pam_radius tracking bugs for this issue:

Affects: epel-6 [bug 1802060]

Comment 3 Alex Scheel 2020-02-12 13:28:47 UTC
- Fixed in epel-8 since release,
- Fixed in Fedora since pam_radius-1.4.0-14 (in Fedora 28),
- Fixed in epel-7 since pam_radius-1.4.0-4.

Comment 4 Cedric Buissart 2020-02-12 13:41:54 UTC

As shipped in epel-6, the gcc compiler opts for __memcpy_chk() [with the correct buffer length] to ensure that there is a crash instead of an overflow. Thus it is believed that only a Denial of Service can be triggered using this flaw.
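
Added illustration (not pam_radius code, and not taken from the description or any comment above): the C program below models the pattern the description and comment 4 refer to, a RADIUS password-padding routine that clamps the length only after copying into a stack buffer, next to a hardened form that validates the length before any copy. RFC 2865 section 5.2 pads the User-Password attribute with NULs to a multiple of 16 octets, at most 128; the constants AUTH_PASS_LEN and MAXPASS, the function names pad_password_vulnerable()/pad_password_fixed(), and the sample passwords are assumptions made for this example, not the module's own identifiers. Compiling the vulnerable routine with gcc -O2 -D_FORTIFY_SOURCE=2 makes glibc replace its memcpy() with __memcpy_chk(), since sizeof(hashed) is known at compile time, which is why comment 4 expects an abort rather than a silent overflow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants assumed for this illustration (RFC 2865 section 5.2: the
 * User-Password is padded to a multiple of 16 octets, at most 128). */
#define AUTH_PASS_LEN 16
#define MAXPASS       128

/* Round a byte count up to the next multiple of AUTH_PASS_LEN, minimum one block. */
static size_t padded_size(size_t length)
{
    size_t padded = (length + AUTH_PASS_LEN - 1) / AUTH_PASS_LEN * AUTH_PASS_LEN;
    return padded ? padded : AUTH_PASS_LEN;
}

/* Vulnerable pattern (hypothetical, modelled on the bug description): the copy
 * trusts strlen() and the clamp to MAXPASS runs only afterwards, so a password
 * longer than hashed[] overwrites the stack. Built with -O2 -D_FORTIFY_SOURCE=2,
 * gcc emits __memcpy_chk() for the first memcpy and the oversize copy aborts
 * the process (the DoS in comment 4) instead of corrupting the stack. */
int pad_password_vulnerable(const char *password, unsigned char *out, size_t outlen)
{
    unsigned char hashed[MAXPASS];
    size_t length = strlen(password);
    size_t padded;

    memcpy(hashed, password, length);   /* BUG: no bound check before the copy */
    if (length > MAXPASS)               /* too late, the overflow already happened */
        length = MAXPASS;
    padded = padded_size(length);
    memset(hashed + length, 0, padded - length);
    if (padded > outlen)
        return -1;
    memcpy(out, hashed, padded);
    return (int)padded;
}

/* Hardened form: check the length against the protocol maximum and the
 * destination before touching memory, and reject rather than silently truncate
 * (a truncated password would only be rejected by the server anyway).
 * Returns the padded length, or -1 if the password cannot be represented. */
int pad_password_fixed(const char *password, unsigned char *out, size_t outlen)
{
    size_t length = strlen(password);
    size_t padded;

    if (length > MAXPASS)
        return -1;
    padded = padded_size(length);
    if (padded > outlen)
        return -1;
    memcpy(out, password, length);
    memset(out + length, 0, padded - length);
    return (int)padded;
}

/* Run the hardened routine and also verify that every byte past the password
 * is a NUL pad byte; returns the padded length, -1 if rejected, -3 on bad padding. */
int fixed_result_for(const char *password)
{
    unsigned char out[MAXPASS];
    size_t n = strlen(password);
    int rc = pad_password_fixed(password, out, sizeof out);

    for (size_t i = n; rc > 0 && i < (size_t)rc; i++)
        if (out[i] != 0)
            rc = -3;
    return rc;
}

/* Same check for a constructed password of n 'A' bytes (n may exceed MAXPASS). */
int fixed_result_for_length(size_t n)
{
    char *pw = malloc(n + 1);
    int rc;

    if (pw == NULL)
        return -2;
    memset(pw, 'A', n);
    pw[n] = '\0';
    rc = fixed_result_for(pw);
    free(pw);
    return rc;
}

int main(void)
{
    unsigned char out[MAXPASS];

    /* Constructed inputs: short, exactly at the maximum, and one byte over it. */
    printf("hunter2    -> %d bytes\n", fixed_result_for("hunter2"));
    printf("128 x 'A'  -> %d bytes\n", fixed_result_for_length(MAXPASS));
    printf("129 x 'A'  -> %d (rejected)\n", fixed_result_for_length(MAXPASS + 1));
    /* The vulnerable routine matches for in-range input; the 129-byte case is
     * deliberately not fed to it, since that is the overflow itself. */
    printf("vulnerable hunter2 -> %d bytes\n",
           pad_password_vulnerable("hunter2", out, sizeof out));
    return 0;
}
```

Only the hardened routine is exercised with the over-length input; handing 129 bytes to pad_password_vulnerable() is the bug itself and, without fortification, undefined behaviour. To reproduce the abort comment 4 describes, build with gcc -O2 -D_FORTIFY_SOURCE=2 and call the vulnerable routine with a password longer than MAXPASS.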