Bug 1686980 (CVE-2015-9542) - CVE-2015-9542 pam_radius: buffer overflow in password field
Summary: CVE-2015-9542 pam_radius: buffer overflow in password field
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-9542
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1802060
Blocks: 1686981
TreeView+ depends on / blocked
 
Reported: 2019-03-08 19:30 UTC by Laura Pardo
Modified: 2021-02-16 22:17 UTC (History)
13 users (show)

Fixed In Version: pam_radius 2.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 13:38:39 UTC

Attachments (Terms of Use)

Description Laura Pardo 2019-03-08 19:30:07 UTC 
A vulnerability was found in pam_radius : the password length check was done incorrectly in the add_password() function, resulting in a stack based buffer overflow.

This could be used to crash (DoS) an application using the PAM stack for authentication.
Comment 1 Cedric Buissart 2020-02-12 09:11:41 UTC 
Upstream fixes :
https://github.com/FreeRADIUS/pam_radius/commit/01173ec
https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
Comment 2 Cedric Buissart 2020-02-12 09:43:05 UTC 
Created pam_radius tracking bugs for this issue:

Affects: epel-6 [bug 1802060]
Comment 3 Alex Scheel 2020-02-12 13:28:47 UTC 
- Fixed in epel-8 since release,
- Fixed in Fedora since pam_radius-1.4.0-14 (in Fedora 28),
- Fixed in epel-7 since pam_radius-1.4.0-4.
Comment 4 Cedric Buissart 2020-02-12 13:41:54 UTC 
Statement:

As shipped in epel-6, the gcc compiler opts for __memcpy_chk() [with the correct buffer length] to ensure that there is a crash instead of an an overflow. Thus it is believed that only a Deianl of Service can be triggered using this flaw.
Note You need to log in before you can comment on or make changes to this bug.