Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:freeradius
User: [email protected]
Usertags: pu
[ Reason ]
FreeRADIUS 3.2.7 in Trixie contains a bug that causes it to segfault when a certificate chain with two intermediate certificates is loaded, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
https://github.com/FreeRADIUS/freeradius-server/issues/5515
It can be fixed by backporting a single commit from 3.2.8; unstable is therefore already fixed. The issue was found, and the patch prepared and verified, by OdyX.

[ Impact ]
Segmentation fault when a new certificate chain is loaded.

[ Tests ]
Fix verified by Didier 'OdyX' Raboud.
FreeRADIUS has some non-trivial autopkgtests, however they do not exercise the EAP/TLS-related code paths.

[ Risks ]
Verified fix, direct backport of a commit released with a later upstream version.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- Backporting fix
- Change salsa-ci to run in trixie

[ Other info ]
As CAs tend to change their intermediate structure and may introduce intermediates with certificate refreshes (as has happened here for the original reporter), I consider this somewhat urgent. Therefore I would like to push this to proposed as soon as possible.
diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog --- freeradius-3.2.7+dfsg/debian/changelog 2025-10-01 19:36:38.000000000 +0200 +++ freeradius-3.2.7+dfsg/debian/changelog 2025-11-18 21:51:33.000000000 +0100 @@ -1,3 +1,11 @@ +freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium + + [ Didier Raboud ] + * Backport patch to fix segfaults on TLS connections with more than one + intermediate certificate (Closes: #1120927) + + -- Bernhard Schmidt <[email protected]> Tue, 18 Nov 2025 21:51:33 +0100 + freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium * Non-maintainer upload. diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series --- freeradius-3.2.7+dfsg/debian/patches/series 2025-10-01 19:31:39.000000000 +0200 +++ freeradius-3.2.7+dfsg/debian/patches/series 2025-11-18 21:51:33.000000000 +0100 @@ -6,3 +6,4 @@ dont-install-tests.diff snakeoil-certs.diff fips.patch +wrap-crl_dp-checks-in-if-certs--lookup-=.patch diff -Nru freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch --- freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch 1970-01-01 01:00:00.000000000 +0100 +++ freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch 2025-11-18 21:51:33.000000000 +0100 
@@ -0,0 +1,63 @@ +From: Alan T. DeKok <[email protected]> +Date: Wed, 12 Feb 2025 07:03:13 -0500 +X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0 05125f178649b7af17a1dc81642b91c937f4d93a +Subject: wrap crl_dp checks in if (certs && (lookup <= 1). Fixes #5515 + + +--- + +diff --git a/src/main/tls.c b/src/main/tls.c +index 2e97940..2821b93 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3077,30 +3077,33 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + /* + * Get the Certificate Distribution points + */ +- crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL); +- if (crl_dp) { +- DIST_POINT *dp; +- const char *url_ptr; ++ if (certs && (lookup <= 1)) { ++ crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL); + +- for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) { +- size_t len; +- char cdp[1024]; ++ if (crl_dp) { ++ DIST_POINT *dp; ++ const char *url_ptr; + +- dp = sk_DIST_POINT_value(crl_dp, i); +- if (!dp) continue; ++ for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) { ++ size_t len; ++ char cdp[1024]; + +- url_ptr = get_cdp_url(dp); +- if (!url_ptr) continue; ++ dp = sk_DIST_POINT_value(crl_dp, i); ++ if (!dp) continue; + +- len = strlen(url_ptr); +- if (len >= sizeof(cdp)) continue; ++ url_ptr = get_cdp_url(dp); ++ if (!url_ptr) continue; + +- memcpy(cdp, url_ptr, len + 1); ++ len = strlen(url_ptr); ++ if (len >= sizeof(cdp)) continue; + +- vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD); +- rdebug_pair(L_DBG_LVL_2, request, vp, NULL); ++ memcpy(cdp, url_ptr, len + 1); ++ ++ vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD); ++ rdebug_pair(L_DBG_LVL_2, request, vp, NULL); ++ } ++ sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free); + } +- sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free); + } + + /* diff -Nru freeradius-3.2.7+dfsg/debian/salsa-ci.yml freeradius-3.2.7+dfsg/debian/salsa-ci.yml --- 
freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-02-10 22:50:22.000000000 +0100 +++ freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-11-18 21:51:33.000000000 +0100 @@ -3,7 +3,7 @@ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml variables: - RELEASE: 'unstable' + RELEASE: 'trixie' # mark currently failing tests as allowed to fail blhc:
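Review bot: The debian/changelog entry describes the fix as covering "more than one intermediate certificate" while the report itself only verified a chain with two intermediates; the wording is acceptable as a superset, but consider naming the upstream issue (FreeRADIUS/freeradius-server#5515) next to `Closes: #1120927` so the entry points at the upstream fix as well as the Debian bug.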
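Review bot: In the src/main/tls.c hunk the new guard `if (certs && (lookup <= 1))` is what restricts the `cert_attr_names[FR_TLS_CDP][lookup]` index to 0 or 1 and keeps `fr_pair_make` from being handed a NULL `certs` list, but the patch header only repeats the condition in its `Subject:` line and does not explain why that bound is the right one; a one-line description would save the next maintainer from re-deriving it. The header is also missing the DEP-3 fields that tie the backport to its source: add `Origin: upstream, https://github.com/FreeRADIUS/freeradius-server/commit/<upstream-commit-id>` (the 3.2.8 commit the report refers to; its hash is not given in this bug), `Bug: https://github.com/FreeRADIUS/freeradius-server/issues/5515` and `Bug-Debian: https://bugs.debian.org/1120927`.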

