import freeradius-3.0.21-37.el9

2023-05-09 05:17:12 +00:00 · 2023-05-09 05:17:12 +00:00 · cc5f4fc99a
parent 359b914554
commit cc5f4fc99a
3 changed files with 181 additions and 1 deletions
--- a/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
+++ b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
@ -0,0 +1,47 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on invalid abinary data
+
+A malicious RADIUS client or home server can send a malformed abinary
+attribute which can cause the server to crash.
+
+Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d9f..3f3b63daeef3 100644
+--- a/src/lib/filters.c
+++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 			}
+ 		}
+ 	} else if (filter->type == RAD_FILTER_GENERIC) {
+-		int count;
+		size_t count, masklen;
+
+		masklen = ntohs(filter->u.generic.len);
+		if (masklen >= sizeof(filter->u.generic.mask)) {
+			*p = '\0';
+			return;
+		}
+ 
+ 		i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+ 		p += i;
+ 
+ 		/* show the mask */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+ 			p += i;
+ 			outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 		outlen--;
+ 
+ 		/* show the value */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+ 			p += i;
+ 			outlen -= i;
--- a/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
+++ b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
@ -0,0 +1,115 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on unknown option in EAP-SIM
+
+When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
+look that option up in the internal dictionaries. This lookup will fail, but the
+SIM code will not check for that failure. Instead, it will dereference a NULL
+pointer, and cause the server to crash.
+
+Backport of:
+https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
+https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd92..e438a844eab 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+ 	newvp->vp_length = 1;
+ 	fr_pair_add(&(r->vps), newvp);
+ 
+	/*
+	 *	EAP-SIM has a 1 octet of subtype, and 2 octets
+	 *	reserved.
+	 */
+ 	attr     += 3;
+ 	attrlen  -= 3;
+ 
+-	/* now, loop processing each attribute that we find */
+-	while(attrlen > 0) {
+	/*
+	 *	Loop over each attribute.  The format is:
+	 *
+	 *	1 octet of type
+	 *	1 octet of length (value 1..255)
+	 *	((4 * length) - 2) octets of data.
+	 */
+	while (attrlen > 0) {
+ 		uint8_t *p;
+ 
+-		if(attrlen < 2) {
+		if (attrlen < 2) {
+ 			fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+ 			return 0;
+ 		}
+ 
+		if (!attr[1]) {
+			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
+					   es_attribute_count);
+			return 0;
+		}
+
+ 		eapsim_attribute = attr[0];
+ 		eapsim_len = attr[1] * 4;
+ 
+		/*
+		 *	The length includes the 2-byte header.
+		 */
+ 		if (eapsim_len > attrlen) {
+ 			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+ 					   eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+ 			return 0;
+ 		}
+ 
+-		if(eapsim_len > MAX_STRING_LEN) {
+-			eapsim_len = MAX_STRING_LEN;
+-		}
+-		if (eapsim_len < 2) {
+-			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+-					   es_attribute_count);
+-			return 0;
+-		}
+		newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+		if (!newvp) {
+			/*
+			 *	RFC 4186 Section 8.1 says 0..127 are
+			 *	"non-skippable".  If one such
+			 *	attribute is found and we don't
+			 *	understand it, the server has to send:
+			 *
+			 *	EAP-Request/SIM/Notification packet with an
+			 *	(AT_NOTIFICATION code, which implies general failure ("General
+			 *	failure after authentication" (0), or "General failure" (16384),
+			 *	depending on the phase of the exchange), which terminates the
+			 *	authentication exchange.
+			 */
+			if (eapsim_attribute <= 127) {
+				fr_strerror_printf("Unknown mandatory attribute %d, failing",
+						   eapsim_attribute);
+				return 0;
+			}
+ 
+-		newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+-		newvp->vp_length = eapsim_len-2;
+-		newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+-		memcpy(p, &attr[2], eapsim_len-2);
+-		fr_pair_add(&(r->vps), newvp);
+-		newvp = NULL;
+		} else {
+			/*
+			 *	It's known, ccount for header, and
+			 *	copy the value over.
+			 */
+			newvp->vp_length = eapsim_len - 2;
+
+			newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+			memcpy(p, &attr[2], newvp->vp_length);
+			fr_pair_add(&(r->vps), newvp);
+		}
+ 
+ 		/* advance pointers, decrement length */
+ 		attr += eapsim_len;
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 34%{?dist}
+Release: 37%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/

@ -30,6 +30,8 @@ Patch6: freeradius-Fix-resource-hard-limit-error.patch
 Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
 Patch8: freeradius-Backport-OpenSSL3-fixes.patch
 Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
+Patch10: freeradius-fix-crash-unknown-eap-sim.patch
+Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch

 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}

@ -218,6 +220,8 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1

 %build
 # Force compile/link options, extra security for network facing daemon
@ -858,6 +862,20 @@ EOF
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Wed Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-37
+- Fix defect found by covscan
+  Resolves: #2151705
+
+* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-36
+- Fix multiple CVEs
+  Resolves: #2151705
+  Resolves: #2151703
+  Resolves: #2151707
+
+* Fri Sep 16 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-35
+- Rebuild to add subpackages to CRB report
+  Resolves: #2126380
+
 * Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-34
 - Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
  Resolves: #2095403