diff --git a/.gitignore b/.gitignore
index 630332a..5b28946 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /freeradius-server-release_3_0_0_rc1.tar.gz
 /freeradius-server-3.0.0.tar.bz2
 /freeradius-server-3.0.1.tar.bz2
+/freeradius-server-3.0.2.tar.bz2
diff --git a/freeradius-imacros.patch b/freeradius-imacros.patch
deleted file mode 100644
index 0a4be7e..0000000
--- a/freeradius-imacros.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -r -u freeradius-server-3.0.1.bak/Make.inc.in freeradius-server-3.0.1/Make.inc.in
---- freeradius-server-3.0.1.bak/Make.inc.in 2014-01-17 11:20:48.599733053 -0500
-+++ freeradius-server-3.0.1/Make.inc.in 2014-01-17 14:37:33.739853796 -0500
-@@ -47,7 +47,7 @@
-
- CC = @CC@
- RANLIB = @RANLIB@
--IMACROS = -imacros ${top_srcdir}/src/freeradius-devel/build.h -imacros ${top_srcdir}/src/freeradius-devel/autoconf.h -imacros ${top_srcdir}/src/freeradius-devel/features.h
-+IMACROS = -include ${top_srcdir}/src/freeradius-devel/build.h -include ${top_srcdir}/src/freeradius-devel/autoconf.h -include ${top_srcdir}/src/freeradius-devel/features.h
- INCLUDE = -I${top_srcdir} -I${top_srcdir}/src
- CFLAGS = $(IMACROS) $(INCLUDE) -std=c99 -fno-strict-aliasing @CFLAGS@
- CPPFLAGS = @CPPFLAGS@
-Only in freeradius-server-3.0.1: Make.inc.in~
diff --git a/freeradius-ippool.patch b/freeradius-ippool.patch
deleted file mode 100644
index 383982a..0000000
--- a/freeradius-ippool.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-diff -r -u freeradius-server-3.0.1.bak/raddb/mods-available/ippool freeradius-server-3.0.1/raddb/mods-available/ippool
---- freeradius-server-3.0.1.bak/raddb/mods-available/ippool 2014-01-17 11:20:48.609733064 -0500
-+++ freeradius-server-3.0.1/raddb/mods-available/ippool 2014-01-17 12:33:11.884537885 -0500
-@@ -1,6 +1,6 @@
- # -*- text -*-
- #
--# $Id: d52dc9b385dec10e970ba9af070af612f25d596d $
-+# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
-
- # Do server side ip pool management. Should be added in
- # post-auth and accounting sections.
-@@ -22,54 +22,45 @@
- # DEFAULT Group == teachers, Pool-Name := "teachers"
- # DEFAULT Group == other, Pool-Name := "DEFAULT"
- #
--# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
--# ********* THEN ERASE THE DB FILES *********
-+# Note: If you change the range parameters you must then erase the
-+# db files.
- #
- ippool main_pool {
-+ # The main db file used to allocate addresses.
-+ filename = ${db_dir}/db.ippool
-
-- # range-start,range-stop:
-- # The start and end ip addresses for this pool.
-+ # The start and end ip addresses for this pool.
- range_start = 192.0.2.1
- range_stop = 192.0.2.254
-
-- # netmask:
-- # The network mask used for this pool.
-+ # The network mask used for this pool.
- netmask = 255.255.255.0
-
-- # cache_size:
-- # The gdbm cache size for the db files. Should
-- # be equal to the number of ip's available in
-- # the ip pool
-+ # The gdbm cache size for the db files. Should
-+ # be equal to the number of ip's available in
-+ # the ip pool
- cache_size = 800
-
-- # session-db:
-- # The main db file used to allocate addresses.
-- session_db = ${db_dir}/db.ippool
--
-- # ip-index:
-- # Helper db index file used in multilink
-+ # Helper db index file used in multilink
- ip_index = ${db_dir}/db.ipindex
-
-- # override:
-- # If set, the Framed-IP-Address already in the
-- # reply (if any) will be discarded, and replaced
-- # with a Framed-IP-Address assigned here.
-+ # If set, the Framed-IP-Address already in the
-+ # reply (if any) will be discarded, and replaced
-+ # ith a Framed-IP-Address assigned here.
- override = no
-
-- # maximum-timeout:
-- # Specifies the maximum time in seconds that an
-- # entry may be active. If set to zero, means
-- # "no timeout". The default value is 0
-+ # Specifies the maximum time in seconds that an
-+ # entry may be active. If set to zero, means
-+ # "no timeout". The default value is 0
- maximum_timeout = 0
-
-- # key:
-- # The key to use for the session database (which
-- # holds the allocated ip's) normally it should
-- # just be the nas ip/port (which is the default).
-+ # The key to use for the session database (which
-+ # holds the allocated ip's) normally it should
-+ # just be the nas ip/port (which is the default).
- #
-- # If your NAS sends the same value of NAS-Port
-- # all requests, the key should be based on some
-- # other attribute that is in ALL requests, AND
-- # is unique to each machine needing an IP address.
-- #key = "%{NAS-IP-Address} %{NAS-Port}"
-+ # If your NAS sends the same value of NAS-Port
-+ # all requests, the key should be based on some
-+ # other attribute that is in ALL requests, AND
-+ # is unique to each machine needing an IP address.
-+# key = "%{NAS-IP-Address} %{NAS-Port}"
- }
-commit 82d3d851e03fdc403c6694d5470905c489acb1b5
-Author: Alan T. DeKok
-Date: Sat Jan 18 15:58:28 2014 -0500
-
- Set the default length for the attributes
-
-diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
-index d1d1fca..ac955ad 100644
---- a/src/lib/valuepair.c
-+++ b/src/lib/valuepair.c
-@@ -109,6 +109,8 @@ VALUE_PAIR *pairalloc(TALLOC_CTX *ctx, DICT_ATTR const *da)
- vp->op = T_OP_EQ;
- vp->type = VT_NONE;
-
-+ vp->length = da->flags.length;
-+
- talloc_set_destructor(vp, _pairfree);
-
- return vp;
diff --git a/freeradius-mysql-schema.patch b/freeradius-mysql-schema.patch
deleted file mode 100644
index a91aa69..0000000
--- a/freeradius-mysql-schema.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -r -u freeradius-server-3.0.1.orig/raddb/mods-config/sql/main/mysql/schema.sql freeradius-server-3.0.1/raddb/mods-config/sql/main/mysql/schema.sql
---- freeradius-server-3.0.1.orig/raddb/mods-config/sql/main/mysql/schema.sql 2014-01-13 20:13:56.000000000 -0500
-+++ freeradius-server-3.0.1/raddb/mods-config/sql/main/mysql/schema.sql 2014-01-21 12:37:29.349480066 -0500
-@@ -28,7 +28,7 @@
- acctupdatetime datetime NULL default NULL,
- acctstoptime datetime NULL default NULL,
- acctinterval int(12) default NULL,
-- acctsessiontime unsigned int(12) default NULL,
-+ acctsessiontime int(12) unsigned default NULL,
- acctauthentic varchar(32) default NULL,
- connectinfo_start varchar(50) default NULL,
- connectinfo_stop varchar(50) default NULL,
diff --git a/freeradius-perl.patch b/freeradius-perl.patch
deleted file mode 100644
index bdac7fb..0000000
--- a/freeradius-perl.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-commit 57d0db0e1dfa3fc25d0bfc146fec1c89a446a9ea
-Author: Alan T. DeKok
-Date: Wed Jan 22 15:11:33 2014 -0500
-
- Use size out output buffer, not size of output pointer
-
-diff --git a/src/lib/print.c b/src/lib/print.c
-index a6e5391..5bc5e02 100644
---- a/src/lib/print.c
-+++ b/src/lib/print.c
-@@ -266,7 +266,7 @@ size_t vp_prints_value(char *out, size_t outlen, VALUE_PAIR const *vp, int8_t qu
- return strlen(out);
- }
-
-- return fr_print_string(vp->vp_strvalue, vp->length, out, sizeof(out));
-+ return fr_print_string(vp->vp_strvalue, vp->length, out, outlen);
-
- case PW_TYPE_INTEGER:
- if (vp->da->flags.has_tag) {
diff --git a/freeradius-rlm_pap-overflow.patch b/freeradius-rlm_pap-overflow.patch
deleted file mode 100644
index a1ae93a..0000000
--- a/freeradius-rlm_pap-overflow.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ff5147c9e5088c7cf5c0b6ec6bfdd3a9d2042a28 Mon Sep 17 00:00:00 2001
-From: Arran Cudbard-Bell
-Date: Thu, 13 Feb 2014 13:49:54 +0000
-Subject: [PATCH 1/1] Fix potential crash with SSHA and salts > 44bytes
-
----
- src/modules/rlm_pap/rlm_pap.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
-index 689acf0..1bf6d4e 100644
---- a/src/modules/rlm_pap/rlm_pap.c
-+++ b/src/modules/rlm_pap/rlm_pap.c
-@@ -123,7 +123,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
- static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
- {
-
-- uint8_t buffer[64];
-+ uint8_t buffer[256];
-
- if (min_length >= sizeof(buffer)) return; /* paranoia */
-
-@@ -132,9 +132,10 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
- */
- if (vp->length >= (2 * min_length)) {
- size_t decoded;
-- decoded = fr_hex2bin(buffer, vp->vp_strvalue, vp->length >> 1);
-+ decoded = fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer));
- if (decoded == (vp->length >> 1)) {
-- RDEBUG2("Normalizing %s from hex encoding", vp->da->name);
-+ RDEBUG2("Normalizing %s from hex encoding, %zu bytes -> %zu bytes",
-+ vp->da->name, vp->length, decoded);
- pairmemcpy(vp, buffer, decoded);
- return;
- }
-@@ -150,7 +151,8 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
- sizeof(buffer));
- if (decoded < 0) return;
- if (decoded >= (ssize_t) min_length) {
-- RDEBUG2("Normalizing %s from base64 encoding", vp->da->name);
-+ RDEBUG2("Normalizing %s from base64 encoding, %zu bytes -> %zu bytes",
-+ vp->da->name, vp->length, decoded);
- pairmemcpy(vp, buffer, decoded);
- return;
- }
---
-1.8.5.3
-
diff --git a/freeradius.spec b/freeradius.spec
index 107956f..6ad9cf3 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.1
-Release: 4%{?dist}
+Version: 3.0.2
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -23,11 +23,6 @@ Source104: freeradius-tmpfiles.conf
 Patch1: freeradius-redhat-config.patch
 Patch2: freeradius-postgres-sql.patch
-Patch3: freeradius-ippool.patch
-Patch4: freeradius-imacros.patch
-Patch5: freeradius-mysql-schema.patch
-Patch6: freeradius-perl.patch
-Patch7: freeradius-rlm_pap-overflow.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@@ -186,11 +181,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 # mistakenly includes the backup files, especially problematic for raddb config files.
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -255,6 +245,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
+rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
@@ -336,6 +327,8 @@ exit 0
 %dir %attr(755,root,radiusd) /etc/raddb
 %defattr(-,root,radiusd)
 /etc/raddb/README.rst
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/panic.gdb
+
 %attr(644,root,radiusd) %config(noreplace) /etc/raddb/dictionary
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/clients.conf
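Review bot: In the `@@ -336,6 +327,8 @@` hunk the new `/etc/raddb/panic.gdb` entry has no comment saying what the file is, and unlike the plain config files around it its content is a command script. Judging by the name it is the gdb script used by the server's panic handler (not confirmable from this diff), which makes its ownership security-relevant: it should stay writable by root only, as `%attr(640,root,radiusd)` does here. I would record that above the entry, e.g. `# gdb command file for the panic handler; must not be writable by the radiusd group`. `%config(noreplace)` also means an upgrade keeps a locally edited copy, so later upstream changes to the script arrive as `.rpmnew` rather than replacing it.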
@@ -465,6 +458,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
@@ -500,6 +494,7 @@ exit 0
 %config(missingok) /etc/raddb/mods-enabled/soh
 %config(missingok) /etc/raddb/mods-enabled/sradutmp
 %config(missingok) /etc/raddb/mods-enabled/unix
+%config(missingok) /etc/raddb/mods-enabled/unpack
 %config(missingok) /etc/raddb/mods-enabled/utf8
 # policy
@@ -585,6 +580,7 @@ exit 0
 %{_libdir}/freeradius/rlm_sqlippool.so
 %{_libdir}/freeradius/rlm_sql_null.so
 %{_libdir}/freeradius/rlm_unix.so
+%{_libdir}/freeradius/rlm_unpack.so
 %{_libdir}/freeradius/rlm_utf8.so
 %{_libdir}/freeradius/rlm_wimax.so
 %{_libdir}/freeradius/rlm_yubikey.so
@@ -737,6 +733,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
@@ -752,6 +749,11 @@ exit 0
 %{_libdir}/freeradius/rlm_sql_unixodbc.so
 %changelog
+* Wed May 7 2014 Nikolai Kondrashov - 3.0.2-1
+- Upgrade to upstream 3.0.2 release, configuration compatible with 3.0.1.
+ See upstream ChangeLog for details (in freeradius-doc subpackage)
+- Fixes bugs 1058884 1061408 1070447 1079500
+
 * Mon Feb 24 2014 Nikolai Kondrashov - 3.0.1-4
 - Fix CVE-2014-2015
 "freeradius: stack-based buffer overflow flaw in rlm_pap module"
diff --git a/sources b/sources
index aa282c5..ebe2c62 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-40b7533582c3f870af117213e8905958 freeradius-server-3.0.1.tar.bz2
+c6b25a532e65ce6bfef4f422b7240d4d freeradius-server-3.0.2.tar.bz2