Red Hat Bugzilla – Bug 152820
CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961)
Last modified: 2008-05-01 11:38:06 EDT
From the freeradius ChangeLog: FreeRADIUS 1.0.1 ; $Date: 2004/09/02 10:52:03 $, urgency=high Denial-of-Service Security Fix * Fix two remote crashes and a memory leak in RADIUS packet decoding. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135825 http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=freeradius http://www.kb.cert.org/vuls/id/541574 http://secunia.com/advisories/12570/ Red Hat updated Freeradius in RHEL3 to 1.0.1...maybe we should too... ------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-29 02:46:49 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated freeradius packages to QA for fc1: these CAN's should all be fixed: CAN-2004-0938 CAN-2004-0960 CAN-2004-0961 Freeradius < 1.0.1 DoS and remote crash sasl libraries and pam.d files were kept the same as freeradius-0.9.1-1. changelog: * Thu Oct 28 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.2.legacy - - disable sasl2 patch - - rebuild * Thu Oct 28 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.1.legacy - - revert /etc/pam.d/radiusd back to /etc/pam.d/radius - - change release version - - rebuild * Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2 - - new version 1.0.1: fixes (#137424) CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961) - - applied radrelay CVS patch from Kevin Bonner sha1sums: 353534de706801c7cd876db1217f3ba29c145ecb freeradius-1.0.1-0.FC1.2.legacy.i386.rpm b9383233e7e6a8e532ac4ffda487ace1299c64a4 freeradius-1.0.1-0.FC1.2.legacy.src.rpm 5bb2d470dea0f2073c1eac9c17f257c9d3ff8156 freeradius-debuginfo-1.0.1-0.FC1.2.legacy.i386.rpm 3ce406824d37975367b7f5827e20e6c40219a0ee freeradius-mysql-1.0.1-0.FC1.2.legacy.i386.rpm 8136b6dfd8236602066544da38313e87e551ae03 freeradius-postgresql-1.0.1-0.FC1.2.legacy.i386.rpm 260d5e6aa7c5374fdecd04e94f728afe0ed0a762 freeradius-unixODBC-1.0.1-0.FC1.2.legacy.i386.rpm files: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.2.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-debuginfo-1.0.1-0.FC1.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-mysql-1.0.1-0.FC1.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-postgresql-1.0.1-0.FC1.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-unixODBC-1.0.1-0.FC1.2.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBgjmHtU2XAt1OWnsRAodfAKDYYiqlXluA3+T7odVQDiMvvMfYuwCfbFX2 mltITd88Y5Oc9eB2AipjV8c= =ACgy -----END PGP SIGNATURE----- ------- Additional Comments From dom@earth.li 2004-11-15 14:18:09 ---- Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2004-609.html ------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-26 18:06:35 ---- It seems to me that if you change the name of the pam config file, you need to change it in the source also. At least in src/modules/rlm_pam/rlm_pam.c and maybe in others as well. Besides, naming the file "radius" was a bug in the original FC1 package anyway. The default .conf file specified it as "radiusd" as does the one in your package. I don't understand why you disabled the sasl2 patch either...in fc1, openldap is linked against sasl2, so the sasl2 patch was added to freeradius to get rid of a segfault. IMHO, it needs to go back in. See: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130613 http://bugs.freeradius.org/show_bug.cgi?id=73 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126507 ------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 06:58:51 ---- i was attempting to make the new freeradius packages as backwards compatible as possible- warts and all. as far as the pam files go, is it better to say "this changed" in the advisory or to go in and change the source as appropriate? (i vote we just reversion and respin the FC2 rpm and say "this changed" in the advisory) segfaults are bad- lets link against sasl2. ------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-29 11:29:59 ---- Yeah, I agree with you...we should just document the pam module name change in the release notes. ------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 13:29:32 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated freeradius packages to QA for fc1: these CAN's should all be fixed: CAN-2004-0938 CAN-2004-0960 CAN-2004-0961 Freeradius < 1.0.1 DoS and remote crash seems like it is a better idea to just respin the FC2 rpm. used freeradius-postgresql-1.0.1-0.FC1.3.legacy as the version so that i could cleanly upgrade from my other bad versions. changelog: * Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.3.legacy - - rebuild for FC1 - - fixes FL #2187 - - NB: pam file is renamed * Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2 - - new version 1.0.1: fixes (#137424) CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961) - - applied radrelay CVS patch from Kevin Bonner sha1sums: 1c4bbdb7c64f3ba51b50fed94a988b69728219a9 freeradius-1.0.1-0.FC1.3.legacy.i386.rpm 96776c52ad7453bd3565c351b3d2ac850b450a73 freeradius-1.0.1-0.FC1.3.legacy.src.rpm 0389b7e384b9c10e30ef3abe88407173ce2d21d9 freeradius-debuginfo-1.0.1-0.FC1.3.legacy.i386.rpm c4a1030bc98a403186d953100134366dec54601a freeradius-mysql-1.0.1-0.FC1.3.legacy.i386.rpm ca304b3a2597db69ce12e17a991708670f7371ee freeradius-postgresql-1.0.1-0.FC1.3.legacy.i386.rpm 20aaec76983e29caa33fd52e03dc5196c644ad2c freeradius-unixODBC-1.0.1-0.FC1.3.legacy.i386.rpm files: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.3.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.3.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-debuginfo-1.0.1-0.FC1.3.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-mysql-1.0.1-0.FC1.3.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-postgresql-1.0.1-0.FC1.3.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-unixODBC-1.0.1-0.FC1.3.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBq7B4tU2XAt1OWnsRAsMbAJ4gCes/JzzadIOMaM+8O5XMYXZUDACglU4U /dqdrc8KE7SpL7ZCN295npY= =GVQP -----END PGP SIGNATURE----- ------- Additional Comments From keb@pa.net 2004-12-02 05:47:11 ---- Since perl is used for the install to enable some stuff in radiusd.conf, perl should probably be added to the BuildRequires section. ------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-02 06:01:02 ---- even though perl is already required in the minimum build environment? perl is sucked in as a dependency for rpm-build and redhat-rpm-config. ------- Additional Comments From keb@pa.net 2004-12-02 06:08:30 ---- Whoops. Sorry about that. I meant to say Requires, not BuildRequires. Just checked and net-snmp[-utils] pulls in perl as well, so the Requires entry shouldn't be necessary. I'll go back to testing... ------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 07:12:50 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated freeradius packages to QA. The fc2 rpms that rob used have a bug where radeapclient isn't being built properly. These packages include a patch that was added to the RHEL freeradius packages to correct the issue. Changelog: * Sun Dec 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.1-0.FC1.4.legacy - - Fixed install problem of radeapclient (RH #138069) * Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.3.legacy - - rebuild for FC1 - - fixes FL #2187 - - NB: pam file is renamed * Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2 - - new version 1.0.1: fixes (#137424) CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961) - - applied radrelay CVS patch from Kevin Bonner 771e4cc6acf56be3ed0c8bf0ab48f379c8b74a2d freeradius-1.0.1-0.FC1.4.legacy.i386.rpm 32f2fef6d479d311a0fd8dce9fd660767fe4dc1e freeradius-1.0.1-0.FC1.4.legacy.src.rpm 11ba9f00eafe3dd803e253f9d92e221848b55f90 freeradius-mysql-1.0.1-0.FC1.4.legacy.i386.rpm aa6c428150064766170971ea09b566875ff902cf freeradius-postgresql-1.0.1-0.FC1.4.legacy.i386.rpm cd56134fda0568f8b2acbc1a5e3139b5987fc131 freeradius-unixODBC-1.0.1-0.FC1.4.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.4.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.4.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-mysql-1.0.1-0.FC1.4.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-postgresql-1.0.1-0.FC1.4.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-unixODBC-1.0.1-0.FC1.4.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFBs0G7LMAs/0C4zNoRAvM+AJwKLzX6+YwsfBIeQvcVB18y59atRQCfUQ3K jLnX/Ahcy/kmIurzExf7TQQ= =CAvU -----END PGP SIGNATURE----- ------- Additional Comments From keb@pa.net 2004-12-05 12:45:57 ---- Changes to the spec file for Marc's SRPM 1. The dictionary in raddb holds user defined attributes which shouldn't be replaced. The real dictionaries moved to %{_datadir}/freeradius in version 0.9.0. Line 204 (config /etc/raddb/dictionary) should change to %config (noreplace) /etc/raddb/dictionary 2. References to etc should be changed to %{_sysconfdir} according to part 5 of the QA Testing steps. QA Step 11: pkg name doesn't match. Is the wiki severely out of date? I'll assume this is the case and just go along with the chosen package name. ------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 13:05:52 ---- In response to comment #11: The package name was selected to upgrades to FC2 and FC3 work properly. In this case, the naming conventions as suggested in the wiki would not have worked. I am building new packages with the other modifications now. ------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 13:48:54 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated freeradius packages to QA. Changes were made as per comment 11. Changelog: * Sun Dec 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.1-0.FC1.5.legacy - - Marked /etc/raddb/dictionary as a config file - - Changed path references to rpm macros * Sun Dec 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.1-0.FC1.4.legacy - - Fixed install problem of radeapclient (RH #138069) * Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.3.legacy - - rebuild for FC1 - - fixes FL #2187 - - NB: pam file is renamed * Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2 - - new version 1.0.1: fixes (#137424) CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961) - - applied radrelay CVS patch from Kevin Bonner 95b91a8d586f4115d651f603e9a232ea0975e730 freeradius-1.0.1-0.FC1.5.legacy.i386.rpm 9008a294d70619b5e598211cb87523f9a1e417c8 freeradius-1.0.1-0.FC1.5.legacy.src.rpm 5ed1aa245c2f0e4fac80fba579b16858150f8c6c freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm f3cc5fd2f88f615eadc1a4257da6de0cd330775c freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm e242501a5319c44070f2ee73e59d75f35f73d5ec freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.5.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.5.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFBs55jLMAs/0C4zNoRAp+eAJ9Znty5nCZ1WRglMTDLcdkZbiUkHgCgg6h4 L2yDkm3DBZcbTkvI1d35N5U= =BaBR -----END PGP SIGNATURE----- ------- Additional Comments From keb@pa.net 2004-12-08 04:39:07 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for the freeradius FC1 package: sha1sum: 9008a294d70619b5e598211cb87523f9a1e417c8 freeradius-1.0.1-0.FC1.5.legacy.src.rpm srpm files: ok srpm build: ok install: ok test run: ok test w/MySQL: ok PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFBtxG7/9i/ml3OBYMRAr05AJ9Y5XD6crKSnpp2eWJWRQw1+7YJEACgiQ9E Pm7an3Qyur5Ra14ExhT/fwM= =MdA0 -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-18 09:19:22 ---- Pushed to updates-testing ------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-20 09:07:13 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 i did QA on the freeradius fc1 packages: c26c9fe20f721946bbcf7723b654ce72d1fd587f freeradius-1.0.1-0.FC1.5.legacy.src.rpm 83a5b013fac1aaa3caee75ea97dadb9ead68ca6c freeradius-1.0.1-0.FC1.5.legacy.i386.rpm 6b9dfc73490b32784112f0f6f0cde1d87f1812f7 freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm 58b1e0975443a435c982b394f775337a8eedde9a freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm 94b816b7da430f359401dade849820c962b5ad98 freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm sha1sums match announcement gpg keys all ok source files ok patches ok spec file ok, and cleaned up ( nice marc :) ) builds ok cra's rpm-build-compare script looks good all files install ok since i don't know how to use freeradius, and i'm too lazy to learn, i can only report that service radiusd stop and start seem to function properly. hopefully someone who can use this software can +VERIFY. +PUBLISH/+VERIFY this file is available from: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2187-qa.txt.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBxyKQtU2XAt1OWnsRAvemAJ0UNRxAlyJ5ZJRIbgnd9mBFjA5+1ACfaJUz mTagGhvgzi0eESc1CEEH80g= =RJbw -----END PGP SIGNATURE----- ------- Additional Comments From keb@pa.net 2004-12-20 11:47:30 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for the freeradius FC1 packages: 83a5b013fac1aaa3caee75ea97dadb9ead68ca6c freeradius-1.0.1-0.FC1.5.legacy.i386.rpm c26c9fe20f721946bbcf7723b654ce72d1fd587f freeradius-1.0.1-0.FC1.5.legacy.src.rpm 6b9dfc73490b32784112f0f6f0cde1d87f1812f7 freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm 58b1e0975443a435c982b394f775337a8eedde9a freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm 94b816b7da430f359401dade849820c962b5ad98 freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm sha1sums: match gpg sigs: ok patches: ok spec file: ok srpm build: ok rpm-build-compare: ok install: ok I use FR here, and these packages work fine for me on a test radius server w/MySQL and proxying enabled. VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFBx0gv/9i/ml3OBYMRAs98AKCTXqyelclDagtka1fEV3HqcYdk6QCfWvdX TKq6dzzNynHJPU/xMS3Zyhw= =y1tN -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-01 18:24:37 ---- Packages were released as updates. ------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 ------- This bug previously known as bug 2187 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=2187 Originally filed under the Fedora Legacy product and Package request component. Unknown priority P2. Setting to default priority "normal". Unknown platform PC. Setting to default platform "All". Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.