Nathaniel McCallum reported that pyrad was creating serialized RADIUS packet IDs in the CreateID() function in packet.py. This is not suitable for RADIUS as the RFC specifies that the ID must not be predictable. As a result, the ID of the next packet sent can be spoofed.
This has been corrected in upstream's forthcoming version 2.1 via:
Created python-pyrad tracking bugs for this issue
Affects: fedora-all [bug 894488]
Affects: epel-all [bug 911687]
*** This bug has been marked as a duplicate of bug 911682 ***
The above patch does not apply to this issue as this issue is NOT a duplicate of bug 911682.
Why is that?
If I look at the patch, I see the change to CreateID() on line 226/229 from using random.randrange() to random_generator.randrange(). Is that not the fix for this issue?
That is the only upstream patch applied in the last year and a half.
There are two CreateID() codepaths. One generates a random ID and the other generates a sequential ID. Neither checks for uniqueness.
To be fair, this predictability is only exploitable in the presence of another security problem. So the issue is minor and it would require a major upstream API rework. I don't know if upstream will accept any patch to fix this or even consider this a bug. Bug 911682 is far more serious.
I'm not sure how the CVE for this bug should be handled.
Ok, I see it now. Your initial report wasn't clear enough (pointing to actual code snippets instead of function names (when there are two identical) would have helped.
This is a bit messy now. We did have two CVEs assigned, and MITRE rejected one based on their assumption (and my own) of that patch correcting both flaws. I'll have to see if we can use the old one or if we need a new one again.
I've requested it on oss-sec now: http://www.openwall.com/lists/oss-security/2013/02/21/27
CVE-2013-0342 was assigned to this issue:
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.