Bug 10642 - php-radius: Fix a security issue in radius_get_vendor_attr() (CVE-2013-2220)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/557456/
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3...
Keywords: validated_update
Reported: 2013-06-28 14:58 CEST by Oden Eriksson
Modified: 2013-07-09 20:35 CEST (History)

See Also:
Source RPM: php-radius
CVE:

Description Oden Eriksson 2013-06-28 14:58:50 CEST
PECL radius 1.2.7 was released:

http://pecl.php.net/package-changelog.php?package=radius&release=1.2.7

"This release fixes a security issue in radius_get_vendor_attr(). It is strongly
recommended that users using vendor specific attributes upgrade immediately,
with other users encouraged to upgrade when practical.

- Fix a security issue in radius_get_vendor_attr() by enforcing checks of the
VSA length field against the buffer size. (Adam)"

https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234

"Fix a security issue in radius_get_vendor_attr().

The underlying rad_get_vendor_attr() function assumed that it would always be
given valid VSA data. Indeed, the buffer length wasn't even passed in; the
assumption was that the length field within the VSA structure would be valid.

This could result in denial of service by providing a length that would be
beyond the memory limit, or potential arbitrary memory access by providing a
length greater than the actual data given.

rad_get_vendor_attr() has been changed to require the raw data length be
provided, and this is then used to check that the VSA is valid.

Conflicts:
	radlib_vs.h"

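The length check the quoted commit message describes, written out as an added C example; this is not the php-radius or libradius code, and the vendor id, attribute bytes and function names are constructed for illustration:

```c
#include <stdint.h>
#include <stdio.h>

/* Parsed view of one vendor-specific attribute (RFC 2865, section 5.26). */
struct vsa {
    uint32_t vendor;     /* Vendor-Id, big-endian on the wire */
    uint8_t attr;        /* vendor type */
    const uint8_t *data; /* attribute-specific bytes */
    size_t len;          /* number of attribute-specific bytes */
};

/* Parse a VSA value: Vendor-Id(4) | vendor type(1) | vendor length(1) | data.
 * raw_len is the real buffer size, which the pre-1.2.7 code never received;
 * the length byte is checked against it, not trusted. 0 on success, else -1. */
int parse_vsa(const uint8_t *raw, size_t raw_len, struct vsa *out)
{
    if (raw == NULL || out == NULL || raw_len < 6)
        return -1;                      /* header alone needs 6 bytes */
    uint8_t vlen = raw[5];              /* covers type + length + data */
    if (vlen < 2 || (size_t)vlen > raw_len - 4)
        return -1;                      /* claims more than was supplied */
    out->vendor = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
                  ((uint32_t)raw[2] << 8) | raw[3];
    out->attr = raw[4];
    out->len = (size_t)vlen - 2;
    out->data = raw + 6;
    return 0;
}

/* Constructed samples: vendor 9, vendor type 1, five data bytes. The first
 * carries the correct vendor length (7); the second claims 200 bytes while
 * only 5 follow and must be refused rather than read past the buffer. */
static const uint8_t good_vsa[] = {0, 0, 0, 9, 1, 7, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t bad_vsa[] = {0, 0, 0, 9, 1, 200, 'h', 'e', 'l', 'l', 'o'};

int parsed_len(const uint8_t *raw, size_t raw_len)
{
    struct vsa v;
    return parse_vsa(raw, raw_len, &v) == 0 ? (int)v.len : -1;
}

int demo_good(void)  { return parsed_len(good_vsa, sizeof good_vsa); } /* 5 */
int demo_bad(void)   { return parsed_len(bad_vsa, sizeof bad_vsa); }   /* -1 */
int demo_short(void) { return parsed_len(good_vsa, 5); } /* truncated: -1 */

int main(void)
{
    printf("good=%d bad=%d short=%d\n", demo_good(), demo_bad(), demo_short());
    return 0;
}
```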
Comment 1 Oden Eriksson 2013-06-28 14:59:18 CEST
1.2.7 has been submitted to all.
Comment 2 Oden Eriksson 2013-06-28 15:02:09 CEST
CVE request: http://www.openwall.com/lists/oss-security/2013/06/28/2
Comment 3 David Walser 2013-06-28 15:05:42 CEST
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3

Do you want to assign to QA now or wait for a CVE?
Comment 4 Oden Eriksson 2013-06-28 20:14:45 CEST
Please assign to QA for now. We can always fill in the CVE later, no?
Comment 5 David Walser 2013-06-28 22:52:04 CEST
(In reply to Oden Eriksson from comment #4)
> Please assign to QA for now. We can always fill in the CVE later, no?

Yes indeed.  Advisory to come later, but most details are in Comment 0.

Packages are:
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3
Comment 6 David Walser 2013-06-28 22:56:02 CEST
And it now has CVE-2013-2220:
http://openwall.com/lists/oss-security/2013/06/28/3
Comment 7 Dave Hodgins 2013-07-02 01:19:14 CEST
I'm working on testing this one. Setting up a freeradius/kerberos server,
for testing it with now.
Comment 8 Oden Eriksson 2013-07-02 16:04:21 CEST
Hey, you have test cases in the source tarball. It would be nice if "%check\nmake test" in the php-extension.spec worked...

urpmi php-devel php-radius

wget http://pecl.php.net/get/radius-1.2.7.tgz
tar -zxf radius-1.2.7.tgz
pushd radius-1.2.7
phpize
find tests -type f -name '*.phpt' > tests.txt
TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php \
-d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
popd
Comment 10 David Walser 2013-07-02 16:27:05 CEST
Thanks Oden.

Advisory:
========================

Updated php-radius package fixes security vulnerability:

Fix a security issue in radius_get_vendor_attr() by enforcing checks
of the VSA length field against the buffer size (CVE-2013-2220).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2220
http://pecl.php.net/package-changelog.php?package=radius&release=1.2.7
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:192/
========================

Updated packages in core/updates_testing:
========================
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3

from SRPMS:
php-radius-1.2.7-1.mga2.src.rpm
php-radius-1.2.7-1.mga3.src.rpm
Comment 11 claire robinson 2013-07-04 14:55:44 CEST
Does this now run the tests at build time David? Did they all pass?

If so then we can limit our testing to ensuring it updates ok.
Comment 12 David Walser 2013-07-04 17:20:44 CEST
No, I think Oden was saying those test cases have to be run manually for now.
Comment 13 claire robinson 2013-07-08 09:43:30 CEST
Nice tests, thanks Oden.

# urpmi php-devel php-radius php-sockets php-pcntl

$ wget http://pecl.php.net/get/radius-1.2.7.tgz
$ tar -zxf radius-1.2.7.tgz
$ pushd radius-1.2.7
$ phpize
$ find tests -type f -name '*.phpt' > tests.txt
$ TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php \
-d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
$ popd


All tests pass. The one affected by the CVE fails with previous version but passes with the update.
FAIL radius_get_vendor_attr() [tests/radius_get_vendor_attr.phpt]

Complete output:

$ TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php -d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt

=====================================================================
PHP         : /usr/bin/php 
PHP_SAPI    : cli
PHP_VERSION : 5.4.16
ZEND_VERSION: 2.4.0
PHP_OS      : Linux - Linux mega 3.8.13-desktop-1.mga3 #1 SMP Tue May 14 19:05:25 UTC 2013 x86_64
INI actual  : /etc/php.ini
More .INIs  : /etc/php.d/12_ctype.ini,/etc/php.d/18_dom.ini,/etc/php.d/21_openssl.ini,/etc/php.d/21_zlib.ini,/etc/php.d/22_ftp.ini,/etc/php.d/24_gettext.ini,/etc/php.d/29_mbstring.ini,/etc/php.d/30_mcrypt.ini,/etc/php.d/33_mysqlnd.ini,/etc/php.d/36_mysql.ini,/etc/php.d/37_mysqli.ini,/etc/php.d/40_pcntl.ini,/etc/php.d/43_posix.ini,/etc/php.d/47_session.ini,/etc/php.d/52_sockets.ini,/etc/php.d/54_hash.ini,/etc/php.d/57_sysvsem.ini,/etc/php.d/58_sysvshm.ini,/etc/php.d/60_tokenizer.ini,/etc/php.d/62_xml.ini,/etc/php.d/63_xmlreader.ini,/etc/php.d/64_xmlwriter.ini,/etc/php.d/70_pdo.ini,/etc/php.d/78_sqlite3.ini,/etc/php.d/81_filter.ini,/etc/php.d/82_json.ini,/etc/php.d/99_apc.ini,/etc/php.d/A13_radius.ini,/etc/php.d/A60_timezonedb.ini 
CWD         : /home/clairer/test/radius-1.2.7
Extra dirs  : 
VALGRIND    : Not used
=====================================================================
Running selected tests.
PASS radius_acct_open() [tests/radius_acct_open.phpt] 
PASS radius_auth_open() [tests/radius_auth_open.phpt] 
PASS radius_close() [tests/radius_close.phpt] 
PASS radius_cvt_addr() [tests/radius_cvt_addr.phpt] 
PASS radius_cvt_int() [tests/radius_cvt_int.phpt] 
PASS radius_cvt_string() [tests/radius_cvt_string.phpt] 
PASS radius_get_attr() [tests/radius_get_attr.phpt] 
PASS radius_get_vendor_attr() [tests/radius_get_vendor_attr.phpt] 
PASS radius_put_addr() [tests/radius_put_addr.phpt] 
PASS radius_put_attr() [tests/radius_put_attr.phpt] 
PASS radius_put_int() [tests/radius_put_int.phpt] 
PASS radius_put_string() [tests/radius_put_string.phpt] 
PASS radius_request_authenticator() [tests/radius_request_authenticator.phpt] 
PASS radius_server_secret(): load from radius_add_server() [tests/radius_server_secret.phpt] 
PASS radius_server_secret(): load from configuration file [tests/radius_server_secret_config.phpt] 
=====================================================================
Number of tests :   15                15
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    0 (  0.0%) (  0.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :   15 (100.0%) (100.0%)
---------------------------------------------------------------------
Time taken      :    1 seconds
=====================================================================
Comment 14 claire robinson 2013-07-08 10:04:25 CEST
Testing complete mga3 32
Comment 15 claire robinson 2013-07-08 10:23:00 CEST
Testing complete mga2 32 & 64
Comment 16 claire robinson 2013-07-08 10:33:21 CEST
Validating. Advisory from comment 10 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Comment 17 Thomas Backlund 2013-07-09 20:35:20 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0206.html
