Bug 152820 - CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961)
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Reported: 2004-10-21 14:19 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT (History)
Description David Lawrence 2005-03-30 18:28:36 EST
From the freeradius ChangeLog:
FreeRADIUS 1.0.1 ; $Date: 2004/09/02 10:52:03 $, urgency=high
	Denial-of-Service Security Fix
	* Fix two remote crashes and a memory leak in RADIUS packet
	  decoding.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135825
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=freeradius
http://www.kb.cert.org/vuls/id/541574
http://secunia.com/advisories/12570/

Red Hat updated Freeradius in RHEL3 to 1.0.1...maybe we should too...



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-29 02:46:49 ----

Here are updated freeradius packages to QA for fc1:
                                                                               
                                                                             
these CAN's should all be fixed:
CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Freeradius < 1.0.1 DoS and remote crash
                                                                               
                                                                             
sasl libraries and pam.d files were kept the same as
freeradius-0.9.1-1.
                                                                               
                                                                             
changelog:
* Thu Oct 28 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.2.legacy
- disable sasl2 patch
- rebuild

* Thu Oct 28 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.1.legacy
- revert /etc/pam.d/radiusd back to /etc/pam.d/radius
- change release version
- rebuild

* Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2
- new version 1.0.1: fixes (#137424)
  CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960,
  CAN-2004-0961)
- applied radrelay CVS patch from Kevin Bonner
                                                                             
sha1sums:
353534de706801c7cd876db1217f3ba29c145ecb  freeradius-1.0.1-0.FC1.2.legacy.i386.rpm
b9383233e7e6a8e532ac4ffda487ace1299c64a4  freeradius-1.0.1-0.FC1.2.legacy.src.rpm
5bb2d470dea0f2073c1eac9c17f257c9d3ff8156  freeradius-debuginfo-1.0.1-0.FC1.2.legacy.i386.rpm
3ce406824d37975367b7f5827e20e6c40219a0ee  freeradius-mysql-1.0.1-0.FC1.2.legacy.i386.rpm
8136b6dfd8236602066544da38313e87e551ae03  freeradius-postgresql-1.0.1-0.FC1.2.legacy.i386.rpm
260d5e6aa7c5374fdecd04e94f728afe0ed0a762  freeradius-unixODBC-1.0.1-0.FC1.2.legacy.i386.rpm
                                                                               
                                                                             
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-debuginfo-1.0.1-0.FC1.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-mysql-1.0.1-0.FC1.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-postgresql-1.0.1-0.FC1.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-unixODBC-1.0.1-0.FC1.2.legacy.i386.rpm
                                                                               
                                                                             




------- Additional Comments From dom@earth.li 2004-11-15 14:18:09 ----

Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2004-609.html



------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-26 18:06:35 ----

It seems to me that if you change the name of the pam config file, you need to
change it in the source also. At least in src/modules/rlm_pam/rlm_pam.c and
maybe in others as well.

Besides, naming the file "radius" was a bug in the original FC1 package anyway.
The default .conf file specified it as "radiusd" as does the one in your package.

I don't understand why you disabled the sasl2 patch either...in fc1, openldap is
linked against sasl2, so the sasl2 patch was added to freeradius to get rid of a
segfault. IMHO, it needs to go back in.

See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130613
http://bugs.freeradius.org/show_bug.cgi?id=73
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126507



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 06:58:51 ----

i was attempting to make the new freeradius packages as backwards compatible as
possible- warts and all.

as far as the pam files go, is it better to say "this changed" in the advisory
or to go in and change the source as appropriate?  (i vote we just reversion and
respin the FC2 rpm and say "this changed" in the advisory)

segfaults are bad - let's link against sasl2.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-29 11:29:59 ----

Yeah, I agree with you...we should just document the pam module name change in
the release notes.



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 13:29:32 ----

Here are updated freeradius packages to QA for fc1:
  
these CAN's should all be fixed:
CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Freeradius < 1.0.1 DoS and remote crash
  
seems like it is a better idea to just respin the FC2 rpm.
 
used freeradius-postgresql-1.0.1-0.FC1.3.legacy as the version so
that i could cleanly upgrade from my other bad versions.
 
changelog:
* Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.3.legacy
- rebuild for FC1
- fixes FL #2187
- NB: pam file is renamed

* Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2
- new version 1.0.1: fixes (#137424)
  CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960,
  CAN-2004-0961)
- applied radrelay CVS patch from Kevin Bonner
 
sha1sums:
1c4bbdb7c64f3ba51b50fed94a988b69728219a9  freeradius-1.0.1-0.FC1.3.legacy.i386.rpm
96776c52ad7453bd3565c351b3d2ac850b450a73  freeradius-1.0.1-0.FC1.3.legacy.src.rpm
0389b7e384b9c10e30ef3abe88407173ce2d21d9  freeradius-debuginfo-1.0.1-0.FC1.3.legacy.i386.rpm
c4a1030bc98a403186d953100134366dec54601a  freeradius-mysql-1.0.1-0.FC1.3.legacy.i386.rpm
ca304b3a2597db69ce12e17a991708670f7371ee  freeradius-postgresql-1.0.1-0.FC1.3.legacy.i386.rpm
20aaec76983e29caa33fd52e03dc5196c644ad2c  freeradius-unixODBC-1.0.1-0.FC1.3.legacy.i386.rpm
  
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.3.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-1.0.1-0.FC1.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-debuginfo-1.0.1-0.FC1.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-mysql-1.0.1-0.FC1.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-postgresql-1.0.1-0.FC1.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/freeradius-unixODBC-1.0.1-0.FC1.3.legacy.i386.rpm
 




------- Additional Comments From keb@pa.net 2004-12-02 05:47:11 ----

Since perl is used for the install to enable some stuff in radiusd.conf, perl
should probably be added to the BuildRequires section.



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-02 06:01:02 ----

even though perl is already required in the minimum build environment?  

perl is sucked in as a dependency for rpm-build and redhat-rpm-config.



------- Additional Comments From keb@pa.net 2004-12-02 06:08:30 ----

Whoops.  Sorry about that.  I meant to say Requires, not BuildRequires.  Just
checked and net-snmp[-utils] pulls in perl as well, so the Requires entry
shouldn't be necessary.  I'll go back to testing...



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 07:12:50 ----


Here are updated freeradius packages to QA.

The fc2 rpms that rob used have a bug where radeapclient isn't being
built properly.

These packages include a patch that was added to the RHEL freeradius
packages to correct the issue.

Changelog:
* Sun Dec 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.1-0.FC1.4.legacy
- Fixed install problem of radeapclient (RH #138069)

* Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.3.legacy
- rebuild for FC1
- fixes FL #2187
- NB: pam file is renamed

* Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2
- new version 1.0.1: fixes (#137424)
  CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960,
  CAN-2004-0961)
- applied radrelay CVS patch from Kevin Bonner

771e4cc6acf56be3ed0c8bf0ab48f379c8b74a2d  freeradius-1.0.1-0.FC1.4.legacy.i386.rpm
32f2fef6d479d311a0fd8dce9fd660767fe4dc1e  freeradius-1.0.1-0.FC1.4.legacy.src.rpm
11ba9f00eafe3dd803e253f9d92e221848b55f90  freeradius-mysql-1.0.1-0.FC1.4.legacy.i386.rpm
aa6c428150064766170971ea09b566875ff902cf  freeradius-postgresql-1.0.1-0.FC1.4.legacy.i386.rpm
cd56134fda0568f8b2acbc1a5e3139b5987fc131  freeradius-unixODBC-1.0.1-0.FC1.4.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-mysql-1.0.1-0.FC1.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-postgresql-1.0.1-0.FC1.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-unixODBC-1.0.1-0.FC1.4.legacy.i386.rpm





------- Additional Comments From keb@pa.net 2004-12-05 12:45:57 ----

Changes to the spec file for Marc's SRPM
  1. The dictionary in raddb holds user defined attributes which shouldn't be
replaced.  The real dictionaries moved to %{_datadir}/freeradius in version
0.9.0.  Line 204 (config /etc/raddb/dictionary) should change to
     %config (noreplace) /etc/raddb/dictionary

  2. References to etc should be changed to %{_sysconfdir} according to part 5
of the QA Testing steps.

QA Step 11: pkg name doesn't match.  Is the wiki severely out of date?  I'll
assume this is the case and just go along with the chosen package name.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 13:05:52 ----

In response to comment #11:
The package name was selected so that upgrades to FC2 and FC3 work properly. In this
case, the naming conventions as suggested in the wiki would not have worked.

I am building new packages with the other modifications now.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 13:48:54 ----


Here are updated freeradius packages to QA.

Changes were made as per comment 11.

Changelog:
* Sun Dec 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.1-0.FC1.5.legacy
- Marked /etc/raddb/dictionary as a config file
- Changed path references to rpm macros

* Sun Dec 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.1-0.FC1.4.legacy
- Fixed install problem of radeapclient (RH #138069)

* Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.1-0.FC1.3.legacy
- rebuild for FC1
- fixes FL #2187
- NB: pam file is renamed

* Thu Oct 28 2004 Thomas Woerner <twoerner@redhat.com> 1.0.1-0.FC2
- new version 1.0.1: fixes (#137424)
  CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960,
  CAN-2004-0961)
- applied radrelay CVS patch from Kevin Bonner

95b91a8d586f4115d651f603e9a232ea0975e730  freeradius-1.0.1-0.FC1.5.legacy.i386.rpm
9008a294d70619b5e598211cb87523f9a1e417c8  freeradius-1.0.1-0.FC1.5.legacy.src.rpm
5ed1aa245c2f0e4fac80fba579b16858150f8c6c  freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm
f3cc5fd2f88f615eadc1a4257da6de0cd330775c  freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm
e242501a5319c44070f2ee73e59d75f35f73d5ec  freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-1.0.1-0.FC1.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm





------- Additional Comments From keb@pa.net 2004-12-08 04:39:07 ----


QA for the freeradius FC1 package:

sha1sum:
9008a294d70619b5e598211cb87523f9a1e417c8  freeradius-1.0.1-0.FC1.5.legacy.src.rpm

srpm files: ok
srpm build: ok
install: ok
test run: ok
test w/MySQL: ok

PUBLISH





------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-18 09:19:22 ----

Pushed to updates-testing



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-20 09:07:13 ----

i did QA on the freeradius fc1 packages:
 
c26c9fe20f721946bbcf7723b654ce72d1fd587f  freeradius-1.0.1-0.FC1.5.legacy.src.rpm
83a5b013fac1aaa3caee75ea97dadb9ead68ca6c  freeradius-1.0.1-0.FC1.5.legacy.i386.rpm
6b9dfc73490b32784112f0f6f0cde1d87f1812f7  freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm
58b1e0975443a435c982b394f775337a8eedde9a  freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm
94b816b7da430f359401dade849820c962b5ad98  freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm
 
sha1sums match announcement
gpg keys all ok
source files ok
patches ok
spec file ok, and cleaned up ( nice marc :) )
builds ok
cra's rpm-build-compare script looks good
all files install ok
 
since i don't know how to use freeradius, and i'm too lazy to learn, i can
only report that service radiusd stop and start seem to function properly.
 
hopefully someone who can use this software can +VERIFY.
 
+PUBLISH/+VERIFY
  
this file is available from:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2187-qa.txt.asc
 




------- Additional Comments From keb@pa.net 2004-12-20 11:47:30 ----


QA for the freeradius FC1 packages:

83a5b013fac1aaa3caee75ea97dadb9ead68ca6c  freeradius-1.0.1-0.FC1.5.legacy.i386.rpm
c26c9fe20f721946bbcf7723b654ce72d1fd587f  freeradius-1.0.1-0.FC1.5.legacy.src.rpm
6b9dfc73490b32784112f0f6f0cde1d87f1812f7  freeradius-mysql-1.0.1-0.FC1.5.legacy.i386.rpm
58b1e0975443a435c982b394f775337a8eedde9a  freeradius-postgresql-1.0.1-0.FC1.5.legacy.i386.rpm
94b816b7da430f359401dade849820c962b5ad98  freeradius-unixODBC-1.0.1-0.FC1.5.legacy.i386.rpm

sha1sums: match
gpg sigs: ok
patches: ok
spec file: ok
srpm build: ok
rpm-build-compare: ok
install: ok

I use FR here, and these packages work fine for me on a test radius server 
w/MySQL and proxying enabled.

VERIFY




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-01 18:24:37 ----

Packages were released as updates.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2187 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2187
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

