A vulnerability in the decryption of very long Tunnel-Passwords was found. The decryption routines could walk off of the end of a buffer and write to adjacent addresses. The data being written is not under control of an attacker. The end result is usually a crash of the server. The packet decoder in FreeRADIUS ensures that the only time this issue is exploitable is when a proxy server receives a long Tunnel-Password attribute in the reply from a home server. The attack cannot be performed by a RADIUS client, or an end user. As such, the exploitability of the attack is limited to systems within the trusted RADIUS environment. Vulnerability affects 3.0.x and 3.1.x versions. Versions 2.x don't seem to be exploitable. External reference: http://freeradius.org/security.html
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1264123]