Bug 31291

Summary: freeradius new security issues CVE-2022-41859 and CVE-2022-4186[01]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: freeradius-3.0.22-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-12-16 16:04:53 CET 
Fedora has issued an advisory today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GZM4O5MGLKNOE2SSXAXQNL5DSII556QA/

The issues are apparently fixed upstream in 3.0.26.

Mageia 8 is also affected.
David Walser 2022-12-16 16:05:06 CET

Status comment: (none) => Fixed upstream in 3.0.26
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-12-16 20:07:46 CET 
No particular packager visible for this SRPM, so assigning the bug glabally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-12-27 16:49:26 CET 
openSUSE has issued an advisory for this today (December 27):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YGQKLVAIGSOB2CSLQ2ASBK2MJAHL4LCI/
Comment 3 Nicolas Salguero 2022-12-28 10:18:46 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Information leakage in EAP-PWD. (CVE-2022-41859)

Crash on unknown option in EAP-SIM. (CVE-2022-41860)

Crash on invalid abinary data. (CVE-2022-41861)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41861
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GZM4O5MGLKNOE2SSXAXQNL5DSII556QA/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YGQKLVAIGSOB2CSLQ2ASBK2MJAHL4LCI/
========================

Updated packages in core/updates_testing:
========================
freeradius-3.0.22-1.1.mga8
freeradius-krb5-3.0.22-1.1.mga8
freeradius-ldap-3.0.22-1.1.mga8
freeradius-mysql-3.0.22-1.1.mga8
freeradius-postgresql-3.0.22-1.1.mga8
freeradius-sqlite-3.0.22-1.1.mga8
freeradius-unixODBC-3.0.22-1.1.mga8
freeradius-yubikey-3.0.22-1.1.mga8
lib(64)freeradius1-3.0.22-1.1.mga8
lib(64)freeradius-devel-3.0.22-1.1.mga8

from SRPM:
freeradius-3.0.22-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Source RPM: freeradius-3.0.25-4.mga9.src.rpm => freeradius-3.0.22-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.0.26 => (none)

Comment 4 Herman Viaene 2022-12-29 12:02:55 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 29059 Comment 6 for testing
# systemctl start radiusd
# systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
     Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-12-29 11:55:13 CET; 14s ago
    Process: 6760 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
    Process: 6818 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
   Main PID: 6844 (radiusd)
      Tasks: 6 (limit: 4364)
     Memory: 78.0M
        CPU: 730ms
     CGroup: /system.slice/radiusd.service
             └─6844 /usr/sbin/radiusd -d /etc/raddb

Dec 29 11:55:12 mach7.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Dec 29 11:55:13 mach7.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users
# systemctl restart radiusd
# systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
     Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-12-29 11:57:16 CET; 6s ago
    Process: 8480 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
    Process: 8482 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
   Main PID: 8484 (radiusd)
      Tasks: 6 (limit: 4364)
     Memory: 77.5M
        CPU: 728ms
     CGroup: /system.slice/radiusd.service
             └─8484 /usr/sbin/radiusd -d /etc/raddb

Dec 29 11:57:16 mach7.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Dec 29 11:57:16 mach7.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 13 from 0.0.0.0:59162 to 127.0.0.1:1812 length 77
	User-Name = "testing"
	User-Password = "password"
	NAS-IP-Address = 192.168.2.7
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "password"
Received Access-Accept Id 13 from 127.0.0.1:1812 to 127.0.0.1:59162 length 20

Looks all OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-12-29 21:34:01 CET 
Validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-30 21:40:11 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-12-30 23:40:39 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0482.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED