Bug#964898: marked as done (buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1)

Debian Bug Tracking System Sat, 01 Aug 2020 05:07:18 -0700

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964898,
regarding buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
964898: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964898
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Hi

libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in
buster as well. A while ago Utkarsh Gupta prepared a QA update for
unstable.

libpam-radius-pam should not be included in bullseye if there is not
active maintainer, but for stable we can fix the CVE based on the
upload in unstable (minus the packaging changes).

Attached the debdiff.

Can it be included in the next buster point release?

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru libpam-radius-auth-1.4.0/debian/changelog 
libpam-radius-auth-1.4.0/debian/changelog
--- libpam-radius-auth-1.4.0/debian/changelog   2018-09-05 21:44:07.000000000 
+0200
+++ libpam-radius-auth-1.4.0/debian/changelog   2020-07-11 21:24:48.000000000 
+0200
@@ -1,3 +1,21 @@
+libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster.
+  * Revert packaging changes:
+    - Lower Standards-Version to 4.2.0
+    - Lower Debhelper compat level to 11   
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 11 Jul 2020 21:24:48 +0200
+
+libpam-radius-auth (1.4.0-3) unstable; urgency=medium
+
+  * QA upload
+  * Add patch to fix buffer overflow in password field.
+    (Fixes: CVE-2015-9542) (Closes: #951396)
+  * Bump Standards-Version to 4.5.0 and dh-compat to 12
+
+ -- Utkarsh Gupta <[email protected]>  Fri, 21 Feb 2020 15:47:11 +0530
+
 libpam-radius-auth (1.4.0-2) unstable; urgency=medium
 
   * QA upload.
diff -Nru libpam-radius-auth-1.4.0/debian/control 
libpam-radius-auth-1.4.0/debian/control
--- libpam-radius-auth-1.4.0/debian/control     2018-09-05 21:44:07.000000000 
+0200
+++ libpam-radius-auth-1.4.0/debian/control     2020-02-21 11:17:11.000000000 
+0100
@@ -2,8 +2,8 @@
 Maintainer: Debian QA Group <[email protected]>
 Section: admin
 Priority: optional
-Standards-Version: 4.2.0
-Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 11)
+Standards-Version: 4.5.0
+Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 12)
 Rules-Requires-Root: no
 Homepage: https://www.freeradius.org/pam_radius_auth/
 
diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 
libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix
--- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix   1970-01-01 
01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix   2020-02-21 
10:52:32.000000000 +0100
@@ -0,0 +1,31 @@
+Description: This patch fixes CVE-2015-9542.
+Author: Justin Standring <[email protected]>
+Author: Utkarsh Gupta <[email protected]>
+Bug-Debian: https://bugs.debian.org/951396
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
+Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
+Last-Update: 2020-02-21
+
+--- a/src/pam_radius_auth.c
++++ b/src/pam_radius_auth.c
+@@ -528,6 +528,9 @@
+               length = MAXPASS;
+       }
+ 
++      memcpy(hashed, password, length);
++      memset(hashed + length, 0, sizeof(hashed) - length);
++
+       if (length == 0) {
+               length = AUTH_PASS_LEN;                 /* 0 maps to 16 */
+       } if ((length & (AUTH_PASS_LEN - 1)) != 0) {
+@@ -535,9 +538,6 @@
+               length &= ~(AUTH_PASS_LEN - 1);         /* chop it off */
+       }                                               /* 16*N maps to itself 
*/
+ 
+-      memset(hashed, 0, length);
+-      memcpy(hashed, password, strlen(password));
+-
+       attr = find_attribute(request, PW_PASSWORD);
+ 
+       if (type == PW_PASSWORD) {
diff -Nru libpam-radius-auth-1.4.0/debian/patches/series 
libpam-radius-auth-1.4.0/debian/patches/series
--- libpam-radius-auth-1.4.0/debian/patches/series      1970-01-01 
01:00:00.000000000 +0100
+++ libpam-radius-auth-1.4.0/debian/patches/series      2020-02-21 
11:13:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-9542.fix

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---

Bug#964898: marked as done (buster-pu: package libpam-radius-auth/1.4.0-3~deb10u1)

Reply via email to