From 297adfc54f04c86200dd297f6ef02765f623e166 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sat, 14 Jan 2023 08:18:32 +0000
Subject: [PATCH] import freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
---
 ...us-fix-crash-on-invalid-abinary-data.patch | 47 +++++++
 ...freeradius-fix-crash-unknown-eap-sim.patch | 115 ++++++++++++++++++
 .../freeradius-fix-info-leakage-eap-pwd.patch | 76 ++++++++++++
 SPECS/freeradius.spec | 19 ++-
 4 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
 create mode 100644 SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
 create mode 100644 SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
diff --git a/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
new file mode 100644
index 0000000..4269fc2
--- /dev/null
+++ b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
@@ -0,0 +1,47 @@
+From: Antonio Torres
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on invalid abinary data
+
+A malicious RADIUS client or home server can send a malformed abinary
+attribute which can cause the server to crash.
+
+Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
+Signed-off-by: Antonio Torres
+---
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d9f..3f3b63daeef3 100644
+--- a/src/lib/filters.c
++++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ }
+ }
+ } else if (filter->type == RAD_FILTER_GENERIC) {
+- int count;
++ size_t count, masklen;
++
++ masklen = ntohs(filter->u.generic.len);
++ if (masklen >= sizeof(filter->u.generic.mask)) {
++ *p = '\0';
++ return;
++ }
+
+ i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+ p += i;
+
+ /* show the mask */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+ i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+ p += i;
+ outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ outlen--;
+
+ /* show the value */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+ i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+ p += i;
+ outlen -= i;
diff --git a/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
new file mode 100644
index 0000000..4a2c2d1
--- /dev/null
+++ b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
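Review bot: The new bound `if (masklen >= sizeof(filter->u.generic.mask))` also rejects a filter whose mask fills the field exactly, although both loops only index `mask[count]` and `value[count]` for `count < masklen`, which is in bounds when `masklen == sizeof(mask)`; if a full-width mask is legitimate the comparison should be `>`, and if `value` is smaller than `mask` the check needs to cover it too (the struct definition is not visible here, so both points are inferred from the loop bounds). The early return writes `*p = '\0'` and emits no diagnostic, so a malformed attribute is indistinguishable from an empty one in logs; a one-line debug message before the return would let operators notice the malformed input this patch exists for. Pre-existing and not part of the change: the context lines `i = snprintf(p, outlen, " %u ", …); p += i;` advance `p` by snprintf's return value without decrementing `outlen` or checking for truncation, so `outlen` no longer reflects the space actually left for the loops that follow. print_abinary starts and ends outside the hunk.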
@@ -0,0 +1,115 @@
+From: Antonio Torres
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on unknown option in EAP-SIM
+
+When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
+look that option up in the internal dictionaries. This lookup will fail, but the
+SIM code will not check for that failure. Instead, it will dereference a NULL
+pointer, and cause the server to crash.
+
+Backport of:
+https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
+https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
+Signed-off-by: Antonio Torres
+---
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd92..e438a844eab 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
++++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+ newvp->vp_length = 1;
+ fr_pair_add(&(r->vps), newvp);
+
++ /*
++ * EAP-SIM has a 1 octet of subtype, and 2 octets
++ * reserved.
++ */
+ attr += 3;
+ attrlen -= 3;
+
+- /* now, loop processing each attribute that we find */
+- while(attrlen > 0) {
++ /*
++ * Loop over each attribute. The format is:
++ *
++ * 1 octet of type
++ * 1 octet of length (value 1..255)
++ * ((4 * length) - 2) octets of data.
++ */
++ while (attrlen > 0) {
+ uint8_t *p;
+
+- if(attrlen < 2) {
++ if (attrlen < 2) {
+ fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+ return 0;
+ }
+
++ if (!attr[1]) {
++ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
++ es_attribute_count);
++ return 0;
++ }
++
+ eapsim_attribute = attr[0];
+ eapsim_len = attr[1] * 4;
+
++ /*
++ * The length includes the 2-byte header.
++ */
+ if (eapsim_len > attrlen) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+ eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+ return 0;
+ }
+
+- if(eapsim_len > MAX_STRING_LEN) {
+- eapsim_len = MAX_STRING_LEN;
+- }
+- if (eapsim_len < 2) {
+- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+- es_attribute_count);
+- return 0;
+- }
++ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
++ if (!newvp) {
++ /*
++ * RFC 4186 Section 8.1 says 0..127 are
++ * "non-skippable". If one such
++ * attribute is found and we don't
++ * understand it, the server has to send:
++ *
++ * EAP-Request/SIM/Notification packet with an
++ * (AT_NOTIFICATION code, which implies general failure ("General
++ * failure after authentication" (0), or "General failure" (16384),
++ * depending on the phase of the exchange), which terminates the
++ * authentication exchange.
++ */
++ if (eapsim_attribute <= 127) {
++ fr_strerror_printf("Unknown mandatory attribute %d, failing",
++ eapsim_attribute);
++ return 0;
++ }
+
+- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+- newvp->vp_length = eapsim_len-2;
+- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+- memcpy(p, &attr[2], eapsim_len-2);
+- fr_pair_add(&(r->vps), newvp);
+- newvp = NULL;
++ } else {
++ /*
++ * It's known, ccount for header, and
++ * copy the value over.
++ */
++ newvp->vp_length = eapsim_len - 2;
++
++ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
++ memcpy(p, &attr[2], newvp->vp_length);
++ fr_pair_add(&(r->vps), newvp);
++ }
+
+ /* advance pointers, decrement length */
+ attr += eapsim_len;
diff --git a/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch b/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
new file mode 100644
index 0000000..b236705
--- /dev/null
+++ b/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
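Review bot: The `if (!newvp)` branch added after `fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0)` treats every NULL return as "unknown attribute": a skippable one (`eapsim_attribute > 127`) falls through to the pointer advance with no log line, and an allocation failure — if `fr_pair_afrom_num` also returns NULL in that case, which I cannot confirm from here — is skipped the same way instead of failing the decode. A debug line in that path, using the `DEBUG()` macro seen elsewhere in this import, e.g. `DEBUG("Skipping unknown EAP-SIM attribute %d", eapsim_attribute);`, would make dropped attributes visible to operators. The removed clamp `if(eapsim_len > MAX_STRING_LEN)` has no replacement; with `attr[1]` up to 255 the new `newvp->vp_length = eapsim_len - 2` can reach 1018 bytes, which is bounded by `attrlen` but should be confirmed against whatever limit the pair API assumes for octets values. The comment in the `else` branch has a typo: `ccount for header` should read `account for header`. unmap_eapsim_basictypes starts and ends outside the hunk.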
@@ -0,0 +1,76 @@
+From: Antonio Torres
+Date: Fri, 09 Dec 2022
+Subject: Fix information leakage in EAP-PWD
+
+The EAP-PWD function compute_password_element() leaks information about the
+password which allows an attacker to substantially reduce the size of an
+offline dictionary attack.
+
+Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
+Signed-off-by: Antonio Torres
+---
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index d94851c3aa..9f86b62114 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
+ #include
+ #include
+
++static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ static void H_Init(HMAC_CTX *ctx)
+ {
+@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ uint32_t *token)
+ {
+ BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
+- HMAC_CTX *ctx = NULL;
++ EVP_MD_CTX *hmac_ctx;
++ EVP_PKEY *hmac_pkey;
+ uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
+ int nid, is_odd, primebitlen, primebytelen, ret = 0;
+
+- ctx = HMAC_CTX_new();
+- if (ctx == NULL) {
+- DEBUG("failed allocating HMAC context");
+- goto fail;
+- }
++ MEM(hmac_ctx = EVP_MD_CTX_new());
++ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
+
+ switch (grp_num) { /* from IANA registry for IKE D-H groups */
+ case 19:
+@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ * pwd-seed = H(token | peer-id | server-id | password |
+ * counter)
+ */
+- H_Init(ctx);
+- H_Update(ctx, (uint8_t *)token, sizeof(*token));
+- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
+- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
+- H_Update(ctx, (uint8_t const *)password, password_len);
+- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
+- H_Final(ctx, pwe_digest);
++ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
++ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
++ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
++ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
++ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
++ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
+
+ BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
+ if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
+@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ BN_clear_free(x_candidate);
+ BN_clear_free(rnd);
+ talloc_free(prfbuf);
+- HMAC_CTX_free(ctx);
++ EVP_MD_CTX_free(hmac_ctx);
++ EVP_PKEY_free(hmac_pkey);
+
+ return ret;
+ }
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
index 154f7a0..a7b02fe 100644
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@@ -9,7 +9,7 @@ Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.20
-Release: 12%{?dist}
+Release: 14%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -44,6 +44,9 @@ Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
 Patch12: freeradius-bootstrap-run-only-once.patch
 Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
 Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
+Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
+Patch16: freeradius-fix-crash-unknown-eap-sim.patch
+Patch17: freeradius-fix-info-leakage-eap-pwd.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
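Review bot: On the new side of the `@@ -203,13 +203,12 @@` hunk the HMAC is initialised and updated but never finalised: `H_Final(ctx, pwe_digest);` is removed and no `EVP_DigestSignFinal()` takes its place, yet the context lines that follow (`BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);` and the `eap_pwd_kdf(pwe_digest, …)` call) still consume `pwe_digest`, which the declaration hunk shows as an uninitialised stack array — unless something outside the visible hunks writes it, pwd-seed is derived from stack garbage and EAP-PWD authentication will fail or behave nondeterministically. After the last update add `size_t digest_len = sizeof(pwe_digest);` and `EVP_DigestSignFinal(hmac_ctx, pwe_digest, &digest_len);`, and check the return value of every `EVP_DigestSign*()` call (1 on success), since the error handling of the removed `H_*` helpers is dropped as well. The `MEM()` wrappers replace the removed `goto fail` on allocation failure; if `MEM()` terminates the process, as its use here suggests, an out-of-memory in a per-authentication path becomes a server-wide crash, which is worth confirming against the macro's definition. compute_password_element starts and ends outside the hunk.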
@@ -246,6 +249,9 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 # Add fixed dhparam file to the source to ensure `make tests` can run.
 cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
@@ -896,6 +902,17 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
+* Fri Dec 14 2022 Antonio Torres - 3.0.20-14
+- Fix defect found by Covscan
+ Resolves: #2151704
+
+* Fri Dec 09 2022 Antonio Torres - 3.0.20-13
+- Fix multiple CVEs
+- Add rpminspect configuration
+ Resolves: #2151702
+ Resolves: #2151704
+ Resolves: #2151706
+
 * Thu Dec 9 2021 Antonio Torres - 3.0.20-12
 - Fix segfault when home_server is null
 Resolves: bz#2030173