Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1120965,
regarding trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:freeradius
User: [email protected]
Usertags: pu
[ Reason ]
FreeRADIUS 3.2.7 in Trixie contains a bug that causes it to segfault
when a certificate chain with two intermediate certificates is loaded, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
https://github.com/FreeRADIUS/freeradius-server/issues/5515
It can be fixed by backporting a single commit from 3.2.8, therefore
unstable is already fixed.
The issue was found and the patch prepared and verified by OdyX.
[ Impact ]
Segmentation fault when a new certificate chain is loaded
[ Tests ]
Fix verified by Didier 'OdyX' Raboud
FreeRADIUS has some non-trivial autopkgtests; however, those do not test
EAP/TLS-related code paths.
[ Risks ]
Verified fix, direct backport of a commit released with a later upstream
version
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- Backporting fix
- Change salsa-ci to run in trixie
[ Other info ]
As CAs tend to change their intermediate structure and may introduce
intermediates with certificate refreshes (as has happened here for the
original reporter), I consider this somewhat urgent. Therefore I would
like to push this to proposed as soon as possible.
diff -Nru freeradius-3.2.7+dfsg/debian/changelog
freeradius-3.2.7+dfsg/debian/changelog
--- freeradius-3.2.7+dfsg/debian/changelog 2025-10-01 19:36:38.000000000
+0200
+++ freeradius-3.2.7+dfsg/debian/changelog 2025-11-18 21:51:33.000000000
+0100
@@ -1,3 +1,11 @@
+freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium
+
+ [ Didier Raboud ]
+ * Backport patch to fix segfaults on TLS connections with more than one
+ intermediate certificate (Closes: #1120927)
+
+ -- Bernhard Schmidt <[email protected]> Tue, 18 Nov 2025 21:51:33 +0100
+
freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium
* Non-maintainer upload.
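Review bot: The new entry (`* Backport patch to fix segfaults on TLS connections with more than one intermediate certificate (Closes: #1120927)`) names the Debian bug but not the upstream issue (FreeRADIUS/freeradius-server#5515) or the fact that the patch is a backport of a 3.2.8 commit, both of which the bug report text states; adding that reference to the changelog line keeps the provenance of the backport traceable from the package alone.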
diff -Nru freeradius-3.2.7+dfsg/debian/patches/series
freeradius-3.2.7+dfsg/debian/patches/series
--- freeradius-3.2.7+dfsg/debian/patches/series 2025-10-01 19:31:39.000000000
+0200
+++ freeradius-3.2.7+dfsg/debian/patches/series 2025-11-18 21:51:33.000000000
+0100
@@ -6,3 +6,4 @@
dont-install-tests.diff
snakeoil-certs.diff
fips.patch
+wrap-crl_dp-checks-in-if-certs--lookup-=.patch
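Review bot: The patch file name `wrap-crl_dp-checks-in-if-certs--lookup-=.patch` is mechanically derived from the upstream subject line and carries a trailing `=` and a doubled `--`, which makes it awkward to type and say nothing about the symptom; a name describing the fix (for example one mentioning the multi-intermediate TLS segfault and #1120927) would be clearer to whoever next touches `debian/patches/series`.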
diff -Nru
freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
---
freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
1970-01-01 01:00:00.000000000 +0100
+++
freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
2025-11-18 21:51:33.000000000 +0100
@@ -0,0 +1,63 @@
+From: Alan T. DeKok <[email protected]>
+Date: Wed, 12 Feb 2025 07:03:13 -0500
+X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0
05125f178649b7af17a1dc81642b91c937f4d93a
+Subject: wrap crl_dp checks in if (certs && (lookup <= 1). Fixes #5515
+
+
+---
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 2e97940..2821b93 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3077,30 +3077,33 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ /*
+ * Get the Certificate Distribution points
+ */
+- crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points,
NULL, NULL);
+- if (crl_dp) {
+- DIST_POINT *dp;
+- const char *url_ptr;
++ if (certs && (lookup <= 1)) {
++ crl_dp = X509_get_ext_d2i(client_cert,
NID_crl_distribution_points, NULL, NULL);
+
+- for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+- size_t len;
+- char cdp[1024];
++ if (crl_dp) {
++ DIST_POINT *dp;
++ const char *url_ptr;
+
+- dp = sk_DIST_POINT_value(crl_dp, i);
+- if (!dp) continue;
++ for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
++ size_t len;
++ char cdp[1024];
+
+- url_ptr = get_cdp_url(dp);
+- if (!url_ptr) continue;
++ dp = sk_DIST_POINT_value(crl_dp, i);
++ if (!dp) continue;
+
+- len = strlen(url_ptr);
+- if (len >= sizeof(cdp)) continue;
++ url_ptr = get_cdp_url(dp);
++ if (!url_ptr) continue;
+
+- memcpy(cdp, url_ptr, len + 1);
++ len = strlen(url_ptr);
++ if (len >= sizeof(cdp)) continue;
+
+- vp = fr_pair_make(talloc_ctx, certs,
cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+- rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++ memcpy(cdp, url_ptr, len + 1);
++
++ vp = fr_pair_make(talloc_ctx, certs,
cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
++ rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++ }
++ sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ }
+- sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ }
+
+ /*
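Review bot: The whole fix is the new guard `if (certs && (lookup <= 1))` around the CRL distribution-point block in `cbtls_verify()`: the inner loop indexes `cert_attr_names[FR_TLS_CDP][lookup]`, and the guard stops that lookup from being performed for chain positions beyond 1, which is consistent with the reported crash when two intermediates are present; it also avoids calling `fr_pair_make()` with a NULL `certs`. Note that CDP attributes are now silently not generated for deeper chain positions, which is acceptable for a stable update but worth a line in the patch description. The DEP-3 header carries only `From:`, `Date:` and `Subject:`; please add `Bug: https://github.com/FreeRADIUS/freeradius-server/issues/5515` and `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927` (both cited in the report above) and an `Origin:` pointing at the 3.2.8 commit so the backport can be matched against upstream later.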
diff -Nru freeradius-3.2.7+dfsg/debian/salsa-ci.yml
freeradius-3.2.7+dfsg/debian/salsa-ci.yml
--- freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-02-10 22:50:22.000000000
+0100
+++ freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-11-18 21:51:33.000000000
+0100
@@ -3,7 +3,7 @@
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
variables:
- RELEASE: 'unstable'
+ RELEASE: 'trixie'
# mark currently failing tests as allowed to fail
blhc:
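Review bot: Setting `RELEASE: 'trixie'` is the right value for a branch that targets trixie-pu, since Salsa CI should then build and run the autopkgtests against the suite the update ships in rather than against unstable; this only affects the CI pipeline and not the built package, so it is fine to carry in the same upload even though it is unrelated to the segfault fix.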
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.
--- End Message ---