Upgrade to upstream 3.0.2 release

Nikolai Kondrashov 2014-05-07 16:31:09 +03:00
parent e49b2b8b75
commit 40fe27cec8
8 changed files with 16 additions and 214 deletions

1
.gitignore vendored

@ -7,3 +7,4 @@
/freeradius-server-release_3_0_0_rc1.tar.gz
/freeradius-server-3.0.0.tar.bz2
/freeradius-server-3.0.1.tar.bz2
/freeradius-server-3.0.2.tar.bz2


@ -1,13 +0,0 @@
diff -r -u freeradius-server-3.0.1.bak/Make.inc.in freeradius-server-3.0.1/Make.inc.in
--- freeradius-server-3.0.1.bak/Make.inc.in 2014-01-17 11:20:48.599733053 -0500
+++ freeradius-server-3.0.1/Make.inc.in 2014-01-17 14:37:33.739853796 -0500
@@ -47,7 +47,7 @@
CC = @CC@
RANLIB = @RANLIB@
-IMACROS = -imacros ${top_srcdir}/src/freeradius-devel/build.h -imacros ${top_srcdir}/src/freeradius-devel/autoconf.h -imacros ${top_srcdir}/src/freeradius-devel/features.h
+IMACROS = -include ${top_srcdir}/src/freeradius-devel/build.h -include ${top_srcdir}/src/freeradius-devel/autoconf.h -include ${top_srcdir}/src/freeradius-devel/features.h
INCLUDE = -I${top_srcdir} -I${top_srcdir}/src
CFLAGS = $(IMACROS) $(INCLUDE) -std=c99 -fno-strict-aliasing @CFLAGS@
CPPFLAGS = @CPPFLAGS@
Only in freeradius-server-3.0.1: Make.inc.in~


@ -1,109 +0,0 @@
diff -r -u freeradius-server-3.0.1.bak/raddb/mods-available/ippool freeradius-server-3.0.1/raddb/mods-available/ippool
--- freeradius-server-3.0.1.bak/raddb/mods-available/ippool 2014-01-17 11:20:48.609733064 -0500
+++ freeradius-server-3.0.1/raddb/mods-available/ippool 2014-01-17 12:33:11.884537885 -0500
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: d52dc9b385dec10e970ba9af070af612f25d596d $
+# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
@@ -22,54 +22,45 @@
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
-# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
-# ********* THEN ERASE THE DB FILES *********
+# Note: If you change the range parameters you must then erase the
+# db files.
#
ippool main_pool {
+ # The main db file used to allocate addresses.
+ filename = ${db_dir}/db.ippool
- # range-start,range-stop:
- # The start and end ip addresses for this pool.
+ # The start and end ip addresses for this pool.
range_start = 192.0.2.1
range_stop = 192.0.2.254
- # netmask:
- # The network mask used for this pool.
+ # The network mask used for this pool.
netmask = 255.255.255.0
- # cache_size:
- # The gdbm cache size for the db files. Should
- # be equal to the number of ip's available in
- # the ip pool
+ # The gdbm cache size for the db files. Should
+ # be equal to the number of ip's available in
+ # the ip pool
cache_size = 800
- # session-db:
- # The main db file used to allocate addresses.
- session_db = ${db_dir}/db.ippool
-
- # ip-index:
- # Helper db index file used in multilink
+ # Helper db index file used in multilink
ip_index = ${db_dir}/db.ipindex
- # override:
- # If set, the Framed-IP-Address already in the
- # reply (if any) will be discarded, and replaced
- # with a Framed-IP-Address assigned here.
+ # If set, the Framed-IP-Address already in the
+ # reply (if any) will be discarded, and replaced
+ # ith a Framed-IP-Address assigned here.
override = no
- # maximum-timeout:
- # Specifies the maximum time in seconds that an
- # entry may be active. If set to zero, means
- # "no timeout". The default value is 0
+ # Specifies the maximum time in seconds that an
+ # entry may be active. If set to zero, means
+ # "no timeout". The default value is 0
maximum_timeout = 0
- # key:
- # The key to use for the session database (which
- # holds the allocated ip's) normally it should
- # just be the nas ip/port (which is the default).
+ # The key to use for the session database (which
+ # holds the allocated ip's) normally it should
+ # just be the nas ip/port (which is the default).
#
- # If your NAS sends the same value of NAS-Port
- # all requests, the key should be based on some
- # other attribute that is in ALL requests, AND
- # is unique to each machine needing an IP address.
- #key = "%{NAS-IP-Address} %{NAS-Port}"
+ # If your NAS sends the same value of NAS-Port
+ # all requests, the key should be based on some
+ # other attribute that is in ALL requests, AND
+ # is unique to each machine needing an IP address.
+# key = "%{NAS-IP-Address} %{NAS-Port}"
}
commit 82d3d851e03fdc403c6694d5470905c489acb1b5
Author: Alan T. DeKok <aland@freeradius.org>
Date: Sat Jan 18 15:58:28 2014 -0500
Set the default length for the attributes
diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
index d1d1fca..ac955ad 100644
--- a/src/lib/valuepair.c
+++ b/src/lib/valuepair.c
@@ -109,6 +109,8 @@ VALUE_PAIR *pairalloc(TALLOC_CTX *ctx, DICT_ATTR const *da)
vp->op = T_OP_EQ;
vp->type = VT_NONE;
+ vp->length = da->flags.length;
+
talloc_set_destructor(vp, _pairfree);
return vp;


@ -1,12 +0,0 @@
diff -r -u freeradius-server-3.0.1.orig/raddb/mods-config/sql/main/mysql/schema.sql freeradius-server-3.0.1/raddb/mods-config/sql/main/mysql/schema.sql
--- freeradius-server-3.0.1.orig/raddb/mods-config/sql/main/mysql/schema.sql 2014-01-13 20:13:56.000000000 -0500
+++ freeradius-server-3.0.1/raddb/mods-config/sql/main/mysql/schema.sql 2014-01-21 12:37:29.349480066 -0500
@@ -28,7 +28,7 @@
acctupdatetime datetime NULL default NULL,
acctstoptime datetime NULL default NULL,
acctinterval int(12) default NULL,
- acctsessiontime unsigned int(12) default NULL,
+ acctsessiontime int(12) unsigned default NULL,
acctauthentic varchar(32) default NULL,
connectinfo_start varchar(50) default NULL,
connectinfo_stop varchar(50) default NULL,


@ -1,19 +0,0 @@
commit 57d0db0e1dfa3fc25d0bfc146fec1c89a446a9ea
Author: Alan T. DeKok <aland@freeradius.org>
Date: Wed Jan 22 15:11:33 2014 -0500
Use size out output buffer, not size of output pointer
diff --git a/src/lib/print.c b/src/lib/print.c
index a6e5391..5bc5e02 100644
--- a/src/lib/print.c
+++ b/src/lib/print.c
@@ -266,7 +266,7 @@ size_t vp_prints_value(char *out, size_t outlen, VALUE_PAIR const *vp, int8_t qu
return strlen(out);
}
- return fr_print_string(vp->vp_strvalue, vp->length, out, sizeof(out));
+ return fr_print_string(vp->vp_strvalue, vp->length, out, outlen);
case PW_TYPE_INTEGER:
if (vp->da->flags.has_tag) {


@ -1,48 +0,0 @@
From ff5147c9e5088c7cf5c0b6ec6bfdd3a9d2042a28 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Thu, 13 Feb 2014 13:49:54 +0000
Subject: [PATCH 1/1] Fix potential crash with SSHA and salts > 44bytes
---
src/modules/rlm_pap/rlm_pap.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
index 689acf0..1bf6d4e 100644
--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
@@ -123,7 +123,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
{
- uint8_t buffer[64];
+ uint8_t buffer[256];
if (min_length >= sizeof(buffer)) return; /* paranoia */
@@ -132,9 +132,10 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
*/
if (vp->length >= (2 * min_length)) {
size_t decoded;
- decoded = fr_hex2bin(buffer, vp->vp_strvalue, vp->length >> 1);
+ decoded = fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer));
if (decoded == (vp->length >> 1)) {
- RDEBUG2("Normalizing %s from hex encoding", vp->da->name);
+ RDEBUG2("Normalizing %s from hex encoding, %zu bytes -> %zu bytes",
+ vp->da->name, vp->length, decoded);
pairmemcpy(vp, buffer, decoded);
return;
}
@@ -150,7 +151,8 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
sizeof(buffer));
if (decoded < 0) return;
if (decoded >= (ssize_t) min_length) {
- RDEBUG2("Normalizing %s from base64 encoding", vp->da->name);
+ RDEBUG2("Normalizing %s from base64 encoding, %zu bytes -> %zu bytes",
+ vp->da->name, vp->length, decoded);
pairmemcpy(vp, buffer, decoded);
return;
}
--
1.8.5.3


@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.1
Release: 4%{?dist}
Version: 3.0.2
Release: 1%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -23,11 +23,6 @@ Source104: freeradius-tmpfiles.conf
Patch1: freeradius-redhat-config.patch
Patch2: freeradius-postgres-sql.patch
Patch3: freeradius-ippool.patch
Patch4: freeradius-imacros.patch
Patch5: freeradius-mysql-schema.patch
Patch6: freeradius-perl.patch
Patch7: freeradius-rlm_pap-overflow.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -186,11 +181,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
# mistakenly includes the backup files, especially problematic for raddb config files.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
# Force compile/link options, extra security for network facing daemon
@ -255,6 +245,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
@ -336,6 +327,8 @@ exit 0
%dir %attr(755,root,radiusd) /etc/raddb
%defattr(-,root,radiusd)
/etc/raddb/README.rst
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/panic.gdb
%attr(644,root,radiusd) %config(noreplace) /etc/raddb/dictionary
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/clients.conf
@ -465,6 +458,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
@ -500,6 +494,7 @@ exit 0
%config(missingok) /etc/raddb/mods-enabled/soh
%config(missingok) /etc/raddb/mods-enabled/sradutmp
%config(missingok) /etc/raddb/mods-enabled/unix
%config(missingok) /etc/raddb/mods-enabled/unpack
%config(missingok) /etc/raddb/mods-enabled/utf8
# policy
@ -585,6 +580,7 @@ exit 0
%{_libdir}/freeradius/rlm_sqlippool.so
%{_libdir}/freeradius/rlm_sql_null.so
%{_libdir}/freeradius/rlm_unix.so
%{_libdir}/freeradius/rlm_unpack.so
%{_libdir}/freeradius/rlm_utf8.so
%{_libdir}/freeradius/rlm_wimax.so
%{_libdir}/freeradius/rlm_yubikey.so
@ -737,6 +733,7 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
@ -752,6 +749,11 @@ exit 0
%{_libdir}/freeradius/rlm_sql_unixodbc.so
%changelog
* Wed May 7 2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.2-1
- Upgrade to upstream 3.0.2 release, configuration compatible with 3.0.1.
See upstream ChangeLog for details (in freeradius-doc subpackage)
- Fixes bugs 1058884 1061408 1070447 1079500
* Mon Feb 24 2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.1-4
- Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in rlm_pap
module"
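Review bot: The new 3.0.2-1 `%changelog` entry does not record that the downstream patches dropped in this section are now carried by the upstream tarball. The hunk counts and the five deleted patch files suggest these are Patch3 through Patch7 and their `%patch` lines, including `freeradius-rlm_pap-overflow.patch`, which the 3.0.1-4 entry ties to CVE-2014-2015. Nothing on this page shows that 3.0.2 contains those fixes, so that is presumably the reason for the removal and should be checked against the 3.0.2 source, in particular the `normify()` buffer change in `rlm_pap.c`. I would add a changelog line such as `- Drop patches merged upstream, including the CVE-2014-2015 rlm_pap fix` so the security fix stays traceable for anyone auditing the package history.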


@ -1 +1 @@
40b7533582c3f870af117213e8905958 freeradius-server-3.0.1.tar.bz2
c6b25a532e65ce6bfef4f422b7240d4d freeradius-server-3.0.2.tar.bz2