import freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
This commit is contained in:
parent
8f703895f5
commit
84f5013871
47
SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
Normal file
47
SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Fri, 09 Dec 2022
|
||||||
|
Subject: Fix crash on invalid abinary data
|
||||||
|
|
||||||
|
A malicious RADIUS client or home server can send a malformed abinary
|
||||||
|
attribute which can cause the server to crash.
|
||||||
|
|
||||||
|
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
diff --git a/src/lib/filters.c b/src/lib/filters.c
|
||||||
|
index 4868cd385d9f..3f3b63daeef3 100644
|
||||||
|
--- a/src/lib/filters.c
|
||||||
|
+++ b/src/lib/filters.c
|
||||||
|
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if (filter->type == RAD_FILTER_GENERIC) {
|
||||||
|
- int count;
|
||||||
|
+ size_t count, masklen;
|
||||||
|
+
|
||||||
|
+ masklen = ntohs(filter->u.generic.len);
|
||||||
|
+ if (masklen >= sizeof(filter->u.generic.mask)) {
|
||||||
|
+ *p = '\0';
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
|
||||||
|
p += i;
|
||||||
|
|
||||||
|
/* show the mask */
|
||||||
|
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||||
|
+ for (count = 0; count < masklen; count++) {
|
||||||
|
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
|
||||||
|
p += i;
|
||||||
|
outlen -= i;
|
||||||
|
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||||
|
outlen--;
|
||||||
|
|
||||||
|
/* show the value */
|
||||||
|
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||||
|
+ for (count = 0; count < masklen; count++) {
|
||||||
|
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
|
||||||
|
p += i;
|
||||||
|
outlen -= i;
|
115
SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
Normal file
115
SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
Normal file
@ -0,0 +1,115 @@
|
|||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Fri, 09 Dec 2022
|
||||||
|
Subject: Fix crash on unknown option in EAP-SIM
|
||||||
|
|
||||||
|
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
|
||||||
|
look that option up in the internal dictionaries. This lookup will fail, but the
|
||||||
|
SIM code will not check for that failure. Instead, it will dereference a NULL
|
||||||
|
pointer, and cause the server to crash.
|
||||||
|
|
||||||
|
Backport of:
|
||||||
|
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
|
||||||
|
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||||
|
index cf1e8a7dd92..e438a844eab 100644
|
||||||
|
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||||
|
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||||
|
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
|
||||||
|
newvp->vp_length = 1;
|
||||||
|
fr_pair_add(&(r->vps), newvp);
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
|
||||||
|
+ * reserved.
|
||||||
|
+ */
|
||||||
|
attr += 3;
|
||||||
|
attrlen -= 3;
|
||||||
|
|
||||||
|
- /* now, loop processing each attribute that we find */
|
||||||
|
- while(attrlen > 0) {
|
||||||
|
+ /*
|
||||||
|
+ * Loop over each attribute. The format is:
|
||||||
|
+ *
|
||||||
|
+ * 1 octet of type
|
||||||
|
+ * 1 octet of length (value 1..255)
|
||||||
|
+ * ((4 * length) - 2) octets of data.
|
||||||
|
+ */
|
||||||
|
+ while (attrlen > 0) {
|
||||||
|
uint8_t *p;
|
||||||
|
|
||||||
|
- if(attrlen < 2) {
|
||||||
|
+ if (attrlen < 2) {
|
||||||
|
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!attr[1]) {
|
||||||
|
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
|
||||||
|
+ es_attribute_count);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
eapsim_attribute = attr[0];
|
||||||
|
eapsim_len = attr[1] * 4;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * The length includes the 2-byte header.
|
||||||
|
+ */
|
||||||
|
if (eapsim_len > attrlen) {
|
||||||
|
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
|
||||||
|
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(eapsim_len > MAX_STRING_LEN) {
|
||||||
|
- eapsim_len = MAX_STRING_LEN;
|
||||||
|
- }
|
||||||
|
- if (eapsim_len < 2) {
|
||||||
|
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
|
||||||
|
- es_attribute_count);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
|
||||||
|
+ if (!newvp) {
|
||||||
|
+ /*
|
||||||
|
+ * RFC 4186 Section 8.1 says 0..127 are
|
||||||
|
+ * "non-skippable". If one such
|
||||||
|
+ * attribute is found and we don't
|
||||||
|
+ * understand it, the server has to send:
|
||||||
|
+ *
|
||||||
|
+ * EAP-Request/SIM/Notification packet with an
|
||||||
|
+ * (AT_NOTIFICATION code, which implies general failure ("General
|
||||||
|
+ * failure after authentication" (0), or "General failure" (16384),
|
||||||
|
+ * depending on the phase of the exchange), which terminates the
|
||||||
|
+ * authentication exchange.
|
||||||
|
+ */
|
||||||
|
+ if (eapsim_attribute <= 127) {
|
||||||
|
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
|
||||||
|
+ eapsim_attribute);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
|
||||||
|
- newvp->vp_length = eapsim_len-2;
|
||||||
|
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||||
|
- memcpy(p, &attr[2], eapsim_len-2);
|
||||||
|
- fr_pair_add(&(r->vps), newvp);
|
||||||
|
- newvp = NULL;
|
||||||
|
+ } else {
|
||||||
|
+ /*
|
||||||
|
+ * It's known, ccount for header, and
|
||||||
|
+ * copy the value over.
|
||||||
|
+ */
|
||||||
|
+ newvp->vp_length = eapsim_len - 2;
|
||||||
|
+
|
||||||
|
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||||
|
+ memcpy(p, &attr[2], newvp->vp_length);
|
||||||
|
+ fr_pair_add(&(r->vps), newvp);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* advance pointers, decrement length */
|
||||||
|
attr += eapsim_len;
|
76
SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
Normal file
76
SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Fri, 09 Dec 2022
|
||||||
|
Subject: Fix information leakage in EAP-PWD
|
||||||
|
|
||||||
|
The EAP-PWD function compute_password_element() leaks information about the
|
||||||
|
password which allows an attacker to substantially reduce the size of an
|
||||||
|
offline dictionary attack.
|
||||||
|
|
||||||
|
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
index d94851c3aa..9f86b62114 100644
|
||||||
|
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||||||
|
#include <freeradius-devel/radiusd.h>
|
||||||
|
#include <freeradius-devel/modules.h>
|
||||||
|
|
||||||
|
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
||||||
|
+
|
||||||
|
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
||||||
|
static void H_Init(HMAC_CTX *ctx)
|
||||||
|
{
|
||||||
|
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
uint32_t *token)
|
||||||
|
{
|
||||||
|
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||||
|
- HMAC_CTX *ctx = NULL;
|
||||||
|
+ EVP_MD_CTX *hmac_ctx;
|
||||||
|
+ EVP_PKEY *hmac_pkey;
|
||||||
|
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
||||||
|
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
||||||
|
|
||||||
|
- ctx = HMAC_CTX_new();
|
||||||
|
- if (ctx == NULL) {
|
||||||
|
- DEBUG("failed allocating HMAC context");
|
||||||
|
- goto fail;
|
||||||
|
- }
|
||||||
|
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
||||||
|
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
||||||
|
|
||||||
|
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
||||||
|
case 19:
|
||||||
|
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
* pwd-seed = H(token | peer-id | server-id | password |
|
||||||
|
* counter)
|
||||||
|
*/
|
||||||
|
- H_Init(ctx);
|
||||||
|
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
||||||
|
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||||
|
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
||||||
|
- H_Update(ctx, (uint8_t const *)password, password_len);
|
||||||
|
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||||
|
- H_Final(ctx, pwe_digest);
|
||||||
|
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||||
|
|
||||||
|
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
||||||
|
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
||||||
|
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
BN_clear_free(x_candidate);
|
||||||
|
BN_clear_free(rnd);
|
||||||
|
talloc_free(prfbuf);
|
||||||
|
- HMAC_CTX_free(ctx);
|
||||||
|
+ EVP_MD_CTX_free(hmac_ctx);
|
||||||
|
+ EVP_PKEY_free(hmac_pkey);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
@ -9,7 +9,7 @@
|
|||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.0.20
|
Version: 3.0.20
|
||||||
Release: 12%{?dist}
|
Release: 14%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
@ -44,6 +44,9 @@ Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
|||||||
Patch12: freeradius-bootstrap-run-only-once.patch
|
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||||
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
||||||
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
||||||
|
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||||
|
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
|
||||||
|
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
|
||||||
|
|
||||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -246,6 +249,9 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
|||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p1
|
%patch13 -p1
|
||||||
%patch14 -p1
|
%patch14 -p1
|
||||||
|
%patch15 -p1
|
||||||
|
%patch16 -p1
|
||||||
|
%patch17 -p1
|
||||||
|
|
||||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||||
@ -896,6 +902,17 @@ exit 0
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
|
||||||
|
- Fix defect found by Covscan
|
||||||
|
Resolves: #2151704
|
||||||
|
|
||||||
|
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
|
||||||
|
- Fix multiple CVEs
|
||||||
|
- Add rpminspect configuration
|
||||||
|
Resolves: #2151702
|
||||||
|
Resolves: #2151704
|
||||||
|
Resolves: #2151706
|
||||||
|
|
||||||
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
||||||
- Fix segfault when home_server is null
|
- Fix segfault when home_server is null
|
||||||
Resolves: bz#2030173
|
Resolves: bz#2030173
|
||||||
|
Loading…
Reference in New Issue
Block a user