Package: freeradius
Version: 2.1.10+dfsg-2
FreeRADIUS 2.1.10 through 2.1.12 are affected.
Quoting the advisory:
"A stack overflow vulnerability has been identified in FreeRADIUS that
allows to remotely execute arbitrary code via specially crafted client
certificates (before authentication). The vulnerability affects setups
using TLS-based EAP methods (including EAP-TLS, EAP-TTLS, and PEAP).

FreeRADIUS defines a callback function cbtls_verify() for certificate
verification. The function has a local buf array with a size of 64
bytes. It copies the validity timestamp "not after" of a client
certificate to the buf array:

    asn_time = X509_get_notAfter(client_cert);
    if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
        memcpy(buf, (char*) asn_time->data, asn_time->length);
        buf[asn_time->length] = '\0';

The MAX_STRING_LEN constant is defined to be 254. If asn_time->length
is greater than 64 bytes, but less than 254 bytes, buf overflows via
the memcpy.

Depending on the stack layout chosen by the compiler, the
vulnerability allows to overflow the return address on the stack,
which can be exploited for code execution."

See http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt for the full text
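
The mismatch described in the advisory (length checked against MAX_STRING_LEN, copy made into a 64-byte buffer) is avoided by bounding the copy on the destination size. The following is an added example, not code from FreeRADIUS or from the advisory; struct asn1_time_stub, copy_not_after() and advisory_check_accepts() are hypothetical names, and the stub stands in for OpenSSL's ASN1_TIME so the block builds without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 254   /* value stated in the advisory */
#define BUF_SIZE 64          /* size of buf stated in the advisory */

/* Hypothetical stand-in for OpenSSL's ASN1_TIME (length + data only). */
struct asn1_time_stub {
    int length;
    const unsigned char *data;
};

/*
 * Bounded copy: the length is checked against the destination size,
 * not against an unrelated constant. Returns 0 on success, -1 if the
 * field is missing, negative, or does not fit with its terminator.
 */
int copy_not_after(const struct asn1_time_stub *t, char *buf, size_t buflen)
{
    if (t == NULL || t->data == NULL || buflen == 0)
        return -1;
    if (t->length < 0 || (size_t)t->length >= buflen)
        return -1;
    memcpy(buf, t->data, (size_t)t->length);
    buf[t->length] = '\0';
    return 0;
}

/* Would the length check quoted in the advisory have accepted this length? */
int advisory_check_accepts(int length)
{
    return length < MAX_STRING_LEN;
}

int main(void)
{
    char buf[BUF_SIZE];
    unsigned char oversized[100];            /* constructed sample input */
    memset(oversized, '9', sizeof(oversized));
    struct asn1_time_stub ok  = { 13, (const unsigned char *)"120101000000Z" };
    struct asn1_time_stub bad = { (int)sizeof(oversized), oversized };

    printf("normal:    %d\n", copy_not_after(&ok, buf, sizeof(buf)));
    printf("oversized: old check accepts=%d, bounded copy=%d\n",
           advisory_check_accepts(bad.length),
           copy_not_after(&bad, buf, sizeof(buf)));
    return 0;
}
```

A 100-byte field passes the quoted check but is rejected by the bounded copy, which leaves buf untouched.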