rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVEs 2022-41860, 2022-41859, 2022-41861

Browse Source 
Backport multiple changes to fix the mentioned CVEs.

Resolves: #2151705
Resolves: #2151703
Resolves: #2151707
Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
Antonio Torres 2022-12-09 14:45:07 +01:00
parent 17ab6cb88f
commit b29a675c94
No known key found for this signature in database
GPG Key ID: 359FAF777296F653
3 changed files with 171 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
freeradius-fix-crash-on-invalid-abinary-data.patch Normal file
View File

@ -0,0 +1,47 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on invalid abinary data
A malicious RADIUS client or home server can send a malformed abinary
attribute which can cause the server to crash.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/lib/filters.c b/src/lib/filters.c
index 4868cd385d9f..3f3b63daeef3 100644
--- a/src/lib/filters.c
+++ b/src/lib/filters.c
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
}
}
} else if (filter->type == RAD_FILTER_GENERIC) {
- int count;
+ size_t count, masklen;
+
+ masklen = ntohs(filter->u.generic.len);
+ if (masklen >= sizeof(filter->u.generic.mask)) {
+ *p = '\0';
+ return;
+ }
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
p += i;
/* show the mask */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
p += i;
outlen -= i;
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
outlen--;
/* show the value */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
p += i;
outlen -= i;

113
freeradius-fix-crash-unknown-eap-sim.patch Normal file
View File

@ -0,0 +1,113 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on unknown option in EAP-SIM
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
look that option up in the internal dictionaries. This lookup will fail, but the
SIM code will not check for that failure. Instead, it will dereference a NULL
pointer, and cause the server to crash.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
index cf1e8a7dd92..e438a844eab 100644
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
newvp->vp_length = 1;
fr_pair_add(&(r->vps), newvp);
+ /*
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
+ * reserved.
+ */
attr += 3;
attrlen -= 3;
- /* now, loop processing each attribute that we find */
- while(attrlen > 0) {
+ /*
+ * Loop over each attribute. The format is:
+ *
+ * 1 octet of type
+ * 1 octet of length (value 1..255)
+ * ((4 * length) - 2) octets of data.
+ */
+ while (attrlen > 0) {
uint8_t *p;
- if(attrlen < 2) {
+ if (attrlen < 2) {
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
return 0;
}
+ if (!attr[1]) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
+ es_attribute_count);
+ return 0;
+ }
+
eapsim_attribute = attr[0];
eapsim_len = attr[1] * 4;
+ /*
+ * The length includes the 2-byte header.
+ */
if (eapsim_len > attrlen) {
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
return 0;
}
- if(eapsim_len > MAX_STRING_LEN) {
- eapsim_len = MAX_STRING_LEN;
- }
- if (eapsim_len < 2) {
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
- es_attribute_count);
- return 0;
- }
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+ if (!newvp) {
+ /*
+ * RFC 4186 Section 8.1 says 0..127 are
+ * "non-skippable". If one such
+ * attribute is found and we don't
+ * understand it, the server has to send:
+ *
+ * EAP-Request/SIM/Notification packet with an
+ * (AT_NOTIFICATION code, which implies general failure ("General
+ * failure after authentication" (0), or "General failure" (16384),
+ * depending on the phase of the exchange), which terminates the
+ * authentication exchange.
+ */
+ if (eapsim_attribute <= 127) {
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
+ eapsim_attribute);
+ return 0;
+ }
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
- newvp->vp_length = eapsim_len-2;
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
- memcpy(p, &attr[2], eapsim_len-2);
- fr_pair_add(&(r->vps), newvp);
- newvp = NULL;
+ } else {
+ /*
+ * It's known, ccount for header, and
+ * copy the value over.
+ */
+ newvp->vp_length = eapsim_len - 2;
+
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+ memcpy(p, &attr[2], newvp->vp_length);
+ fr_pair_add(&(r->vps), newvp);
+ }
/* advance pointers, decrement length */
attr += eapsim_len;

12
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.21 Version: 3.0.21
Release: 35%{?dist} Release: 36%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -30,6 +30,8 @@ Patch6: freeradius-Fix-resource-hard-limit-error.patch
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
Patch8: freeradius-Backport-OpenSSL3-fixes.patch Patch8: freeradius-Backport-OpenSSL3-fixes.patch
Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
Patch10: freeradius-fix-crash-unknown-eap-sim.patch
Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -218,6 +220,8 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%patch11 -p1
%build %build
# Force compile/link options, extra security for network facing daemon # Force compile/link options, extra security for network facing daemon
@ -858,6 +862,12 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-36
- Fix multiple CVEs
Resolves: #2151705
Resolves: #2151703
Resolves: #2151707
* Fri Sep 16 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-35 * Fri Sep 16 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-35
- Rebuild to add subpackages to CRB report - Rebuild to add subpackages to CRB report
Resolves: #2126380 Resolves: #2126380