Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package radsecproxy Version 1.8.2-4 fixes a minor CVE in some of the provided example helper scripts. There is no change to any other active code in radsecproxy itself. A full debdiff is attached. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock radsecproxy/1.8.2-4
diff -Nru radsecproxy-1.8.2/debian/changelog radsecproxy-1.8.2/debian/changelog
--- radsecproxy-1.8.2/debian/changelog 2020-11-23 12:09:13.000000000 +0100
+++ radsecproxy-1.8.2/debian/changelog 2021-05-27 07:58:57.000000000 +0200
@@ -1,3 +1,9 @@
+radsecproxy (1.8.2-4) unstable; urgency=high
+
+ * Fix CVE-2021-32642
+
+ -- Sven Hartge <s...@svenhartge.de> Thu, 27 May 2021 07:58:57 +0200
+
 radsecproxy (1.8.2-3) unstable; urgency=medium
 
 * Remove override for no longer existing lintian tag.
diff -Nru radsecproxy-1.8.2/debian/gbp.conf radsecproxy-1.8.2/debian/gbp.conf
--- radsecproxy-1.8.2/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ radsecproxy-1.8.2/debian/gbp.conf 2021-05-27 07:58:57.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = bullseye
+
diff -Nru radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642
--- radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 1970-01-01 01:00:00.000000000 +0100
+++ radsecproxy-1.8.2/debian/patches/fix-cve-2021-32642 2021-05-27 07:58:57.000000000 +0200
@@ -0,0 +1,124 @@
+Author: Fabian Mauchle <fabian.mauc...@switch.ch>
+Last-Update: 2021-05-04
+Description: add result validation to dyndisc example scripts
+
+Original Commit ab7a2ea42a75d5ad3421e4365f63cbdcb08fb7af Mon Sep 17 00:00:00 2001
+reported by Philipp Jeitner and Haya Shulman, Fraunhofer SIT
+
+---
+ tools/naptr-eduroam.sh | 40 ++++++++++++++++++++++++++--------------
+ tools/radsec-dynsrv.sh | 20 ++++++++++++++++----
+ 2 files changed, 42 insertions(+), 18 deletions(-)
+
+diff --git a/tools/naptr-eduroam.sh b/tools/naptr-eduroam.sh
+index e310812..5402d18 100755
+--- a/tools/naptr-eduroam.sh
++++ b/tools/naptr-eduroam.sh
+@@ -19,41 +19,53 @@ DIGCMD=$(command -v dig)
+ HOSTCMD=$(command -v host)
+ PRINTCMD=$(command -v printf)
+ 
++validate_host() {
++ echo ${@} | tr -d '\n\t\r' | grep -E '^[_0-9a-zA-Z][-._0-9a-zA-Z]*$'
++}
++
++validate_port() {
++ echo ${@} | tr -d '\n\t\r' | grep -E '^[0-9]+$'
++}
++
+ dig_it_srv() {
+ ${DIGCMD} +short srv $SRV_HOST | sort -n -k1 |
+ while read line; do
+- set $line ; PORT=$3 ; HOST=$4
+- $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ set $line ; PORT=$(validate_port $3) ; HOST=$(validate_host $4)
++ if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
++ $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ fi
+ done
+ }
+ 
+ dig_it_naptr() {
+ ${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k1 |
+ while read line; do
+- set $line ; TYPE=$3 ; HOST=$6
+- if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
+- SRV_HOST=${HOST%.}
+- dig_it_srv
+- fi
++ set $line ; TYPE=$3 ; HOST=$(validate_host $6)
++ if ( [ "$TYPE" = "\"s\"" ] || [ "$TYPE" = "\"S\"" ] ) && [ -n "${HOST}" ]; then
++ SRV_HOST=${HOST%.}
++ dig_it_srv
++ fi
+ done
+ }
+ 
+ host_it_srv() {
+ ${HOSTCMD} -t srv $SRV_HOST | sort -n -k5 |
+ while read line; do
+- set $line ; PORT=$7 ; HOST=$8
+- $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ set $line ; PORT=$(validate_port $7) ; HOST=$(validate_host $8)
++ if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
++ $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ fi
+ done
+ }
+ 
+ host_it_naptr() {
+ ${HOSTCMD} -t naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k5 |
+ while read line; do
+- set $line ; TYPE=$7 ; HOST=${10}
+- if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
+- SRV_HOST=${HOST%.}
+- host_it_srv
+- fi
++ set $line ; TYPE=$7 ; HOST=$(validate_host ${10})
++ if ( [ "$TYPE" = "\"s\"" ] || [ "$TYPE" = "\"S\"" ] ) && [ -n "${HOST}" ]; then
++ SRV_HOST=${HOST%.}
++ host_it_srv
++ fi
+ done
+ }
+ 
+diff --git a/tools/radsec-dynsrv.sh b/tools/radsec-dynsrv.sh
+index 2eff080..68bb5ba 100755
+--- a/tools/radsec-dynsrv.sh
++++ b/tools/radsec-dynsrv.sh
+@@ -19,19 +19,31 @@ DIGCMD=$(command -v digaaa)
+ HOSTCMD=$(command -v host)
+ PRINTCMD=$(command -v printf)
+ 
++validate_host() {
++ echo ${@} | tr -d '\n\t\r' | grep -E '^[_0-9a-zA-Z][-._0-9a-zA-Z]*$'
++}
++
++validate_port() {
++ echo ${@} | tr -d '\n\t\r' | grep -E '^[0-9]+$'
++}
++
+ dig_it() {
+ ${DIGCMD} +short srv _radsec._tcp.${REALM} | sort -n -k1 |
+ while read line ; do
+- set $line ; PORT=$3 ; HOST=$4
+- $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ set $line ; PORT=$(validate_port $3) ; HOST=$(validate_host $4)
++ if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
++ $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ fi
+ done
+ }
+ 
+ host_it() {
+ ${HOSTCMD} -t srv _radsec._tcp.${REALM} | sort -n -k5 |
+ while read line ; do
+- set $line ; PORT=$7 ; HOST=$8
+- $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ set $line ; PORT=$(validate_port $7) ; HOST=$(validate_host $8)
++ if [ -n "${HOST}" ] && [ -n "${PORT}" ]; then
++ $PRINTCMD "\thost ${HOST%.}:${PORT}\n"
++ fi
+ done
+ }
+ 
diff -Nru radsecproxy-1.8.2/debian/patches/series radsecproxy-1.8.2/debian/patches/series
--- radsecproxy-1.8.2/debian/patches/series 2020-11-23 12:09:13.000000000 +0100
+++ radsecproxy-1.8.2/debian/patches/series 2021-05-27 07:58:57.000000000 +0200
@@ -1,2 +1,3 @@
 fix-spelling-errors
 move-manpages-to-8
+fix-cve-2021-32642
diff -Nru radsecproxy-1.8.2/debian/salsa-ci.yml radsecproxy-1.8.2/debian/salsa-ci.yml
--- radsecproxy-1.8.2/debian/salsa-ci.yml 2020-11-23 12:09:13.000000000 +0100
+++ radsecproxy-1.8.2/debian/salsa-ci.yml 2021-05-27 07:58:57.000000000 +0200
@@ -4,5 +4,5 @@
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
- RELEASE: 'unstable'
+ RELEASE: 'bullseye'
 SALSA_CI_DISABLE_AUTOPKGTEST: 1