Bug 10642

Summary:	php-radius: Fix a security issue in radius_get_vendor_attr() (CVE-2013-2220)
Product:	Mageia	Reporter:	Oden Eriksson <oe>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, luigiwalser, sysadmin-bugs, tmb
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/557456/
Whiteboard:	MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok
Source RPM:	php-radius	CVE:
Status comment:

Description Oden Eriksson 2013-06-28 14:58:50 CEST

PECL radius 1.2.7 was released:

http://pecl.php.net/package-changelog.php?package=radius&release=1.2.7

"This release fixes a security issue in radius_get_vendor_attr(). It is strongly
recommended that users using vendor specific attributes upgrade immediately,
with other users encouraged to upgrade when practical.

- Fix a security issue in radius_get_vendor_attr() by enforcing checks of the
VSA length field against the buffer size. (Adam)"

https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234

" Fix a security issue in radius_get_vendor_attr().

The underlying rad_get_vendor_attr() function assumed that it would always be
given valid VSA data. Indeed, the buffer length wasn't even passed in; the
assumption was that the length field within the VSA structure would be valid.

This could result in denial of service by providing a length that would be
beyond the memory limit, or potential arbitrary memory access by providing a
length greater than the actual data given.

rad_get_vendor_attr() has been changed to require the raw data length be
provided, and this is then used to check that the VSA is valid.

Conflicts:
	radlib_vs.h"

Reproducible: 

Steps to Reproduce:

Comment 1 Oden Eriksson 2013-06-28 14:59:18 CEST

1.2.7 has been submitted to all.

Comment 2 Oden Eriksson 2013-06-28 15:02:09 CEST

CVE request: http://www.openwall.com/lists/oss-security/2013/06/28/2

Comment 3 David Walser 2013-06-28 15:05:42 CEST

php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3

Do you want to assign to QA now or wait for a CVE?

CC: (none) => luigiwalser
Version: 2 => 3
Whiteboard: (none) => MGA2TOO

Comment 4 Oden Eriksson 2013-06-28 20:14:45 CEST

Please assign to QA for now. We can always fill in the CVE later, no?

Comment 5 David Walser 2013-06-28 22:52:04 CEST

(In reply to Oden Eriksson from comment #4)
> Please assign to QA for now. We can always fill in the CVE later, no?

Yes indeed.  Advisory to come later, but most details are in Comment 0.

Packages are:
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3

Assignee: bugsquad => qa-bugs

Comment 6 David Walser 2013-06-28 22:56:02 CEST

And it now has CVE-2013-2220:
http://openwall.com/lists/oss-security/2013/06/28/3

Summary: php-radius: Fix a security issue in radius_get_vendor_attr(). => php-radius: Fix a security issue in radius_get_vendor_attr() (CVE-2013-2220)

Comment 7 Dave Hodgins 2013-07-02 01:19:14 CEST

I'm working on testing this one. Setting up a freeradius/kerberos server,
for testing it with now.

CC: (none) => davidwhodgins

Comment 8 Oden Eriksson 2013-07-02 16:04:21 CEST

Hey, you have test cases in the source tar ball. It would be nice if "%check\nmake test" in the php-extension.spec worked...

urpmi php-devel php-radius

wget http://pecl.php.net/get/radius-1.2.7.tgz
tar -zxf radius-1.2.7.tgz
pushd radius-1.2.7
phpize
find tests -type f -name '*.phpt' > tests.txt
TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php \
-d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
popd

Comment 9 Oden Eriksson 2013-07-02 16:21:34 CEST

http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:192/

Comment 10 David Walser 2013-07-02 16:27:05 CEST

Thanks Oden.

Advisory:
========================

Updated php-radius package fixes security vulnerability:

Fix a security issue in radius_get_vendor_attr() by enforcing checks
of the VSA length field against the buffer size (CVE-2013-2220).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2220
http://pecl.php.net/package-changelog.php?package=radius&release=1.2.7
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:192/
========================

Updated packages in core/updates_testing:
========================
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3

from SRPMS:
php-radius-1.2.7-1.mga2.src.rpm
php-radius-1.2.7-1.mga3.src.rpm

David Walser 2013-07-03 21:53:44 CEST

URL: https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234 => http://lwn.net/Vulnerabilities/557456/

Comment 11 claire robinson 2013-07-04 14:55:44 CEST

Does this now run the tests at build time David? Did they all pass?

If so then we can limit our testing to ensuring it updates ok.

Comment 12 David Walser 2013-07-04 17:20:44 CEST

No, I think Oden was saying those test cases have to be run manually for now.

Comment 13 claire robinson 2013-07-08 09:43:30 CEST

Nice tests, thanks Oden.

# urpmi php-devel php-radius php-sockets php-pcntl

$ wget http://pecl.php.net/get/radius-1.2.7.tgz
$ tar -zxf radius-1.2.7.tgz
$ pushd radius-1.2.7
$ phpize
$ find tests -type f -name '*.phpt' > tests.txt
$ TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php \
-d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
$ popd


All tests pass. The one affected by the CVE fails with previous version but passes with the update.
FAIL radius_get_vendor_attr() [tests/radius_get_vendor_attr.phpt]

Complete output..

$ TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php -d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt

=====================================================================
PHP         : /usr/bin/php 
PHP_SAPI    : cli
PHP_VERSION : 5.4.16
ZEND_VERSION: 2.4.0
PHP_OS      : Linux - Linux mega 3.8.13-desktop-1.mga3 #1 SMP Tue May 14 19:05:25 UTC 2013 x86_64
INI actual  : /etc/php.ini
More .INIs  : /etc/php.d/12_ctype.ini,/etc/php.d/18_dom.ini,/etc/php.d/21_openssl.ini,/etc/php.d/21_zlib.ini,/etc/php.d/22_ftp.ini,/etc/php.d/24_gettext.ini,/etc/php.d/29_mbstring.ini,/etc/php.d/30_mcrypt.ini,/etc/php.d/33_mysqlnd.ini,/etc/php.d/36_mysql.ini,/etc/php.d/37_mysqli.ini,/etc/php.d/40_pcntl.ini,/etc/php.d/43_posix.ini,/etc/php.d/47_session.ini,/etc/php.d/52_sockets.ini,/etc/php.d/54_hash.ini,/etc/php.d/57_sysvsem.ini,/etc/php.d/58_sysvshm.ini,/etc/php.d/60_tokenizer.ini,/etc/php.d/62_xml.ini,/etc/php.d/63_xmlreader.ini,/etc/php.d/64_xmlwriter.ini,/etc/php.d/70_pdo.ini,/etc/php.d/78_sqlite3.ini,/etc/php.d/81_filter.ini,/etc/php.d/82_json.ini,/etc/php.d/99_apc.ini,/etc/php.d/A13_radius.ini,/etc/php.d/A60_timezonedb.ini 
CWD         : /home/clairer/test/radius-1.2.7
Extra dirs  : 
VALGRIND    : Not used
=====================================================================
Running selected tests.
PASS radius_acct_open() [tests/radius_acct_open.phpt] 
PASS radius_auth_open() [tests/radius_auth_open.phpt] 
PASS radius_close() [tests/radius_close.phpt] 
PASS radius_cvt_addr() [tests/radius_cvt_addr.phpt] 
PASS radius_cvt_int() [tests/radius_cvt_int.phpt] 
PASS radius_cvt_string() [tests/radius_cvt_string.phpt] 
PASS radius_get_attr() [tests/radius_get_attr.phpt] 
PASS radius_get_vendor_attr() [tests/radius_get_vendor_attr.phpt] 
PASS radius_put_addr() [tests/radius_put_addr.phpt] 
PASS radius_put_attr() [tests/radius_put_attr.phpt] 
PASS radius_put_int() [tests/radius_put_int.phpt] 
PASS radius_put_string() [tests/radius_put_string.phpt] 
PASS radius_request_authenticator() [tests/radius_request_authenticator.phpt] 
PASS radius_server_secret(): load from radius_add_server() [tests/radius_server_secret.phpt] 
PASS radius_server_secret(): load from configuration file [tests/radius_server_secret_config.phpt] 
=====================================================================
Number of tests :   15                15
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    0 (  0.0%) (  0.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :   15 (100.0%) (100.0%)
---------------------------------------------------------------------
Time taken      :    1 seconds
=====================================================================

Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok

claire robinson 2013-07-08 09:43:41 CEST

Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO has_procedure mga3-64-ok

Comment 14 claire robinson 2013-07-08 10:04:25 CEST

Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok

Comment 15 claire robinson 2013-07-08 10:23:00 CEST

Testing complete mga2 32 & 64

Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3-32-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok

Comment 16 claire robinson 2013-07-08 10:33:21 CEST

Validating. Advisory from comment 10 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Thomas Backlund 2013-07-09 20:35:20 CEST

Update pushed:
http://advisories.mageia.org/MGASA-2013-0206.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED