PECL radius 1.2.7 was released: http://pecl.php.net/package-changelog.php?package=radius&release=1.2.7

"This release fixes a security issue in radius_get_vendor_attr(). It is strongly recommended that users using vendor specific attributes upgrade immediately, with other users encouraged to upgrade when practical.
- Fix a security issue in radius_get_vendor_attr() by enforcing checks of the VSA length field against the buffer size. (Adam)"

https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234

"Fix a security issue in radius_get_vendor_attr().

The underlying rad_get_vendor_attr() function assumed that it would always be given valid VSA data. Indeed, the buffer length wasn't even passed in; the assumption was that the length field within the VSA structure would be valid. This could result in denial of service by providing a length that would be beyond the memory limit, or potential arbitrary memory access by providing a length greater than the actual data given.

rad_get_vendor_attr() has been changed to require the raw data length be provided, and this is then used to check that the VSA is valid.

Conflicts:
	radlib_vs.h"

Reproducible:

Steps to Reproduce:
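The check the commit above describes, as an added illustration that is not php-radius or libradius code: a parser for the Vendor-Specific attribute payload that compares the packet-supplied Vendor-Length with the number of bytes actually in the buffer before touching any data. The struct and function names and the sample byte strings are constructed for this example.

```c
/* Example written for this page (not php-radius/libradius code): a
 * bounds-checked parser for the RADIUS Vendor-Specific attribute payload. */
#include <stddef.h>
#include <stdint.h>
struct vsa {                 /* parsed view; data points into the caller's buffer */
    uint32_t vendor_id;
    uint8_t  vendor_type;
    const uint8_t *data;
    size_t   data_len;
};

/* Parse the bytes after the outer Type/Length octets of attribute 26
 * (RFC 2865 5.26): Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | data.
 * raw_len is how many bytes are really in raw. Returns 0 on success, -1 if an
 * encoded length does not fit; comparing Vendor-Length with the real buffer
 * size is the check rad_get_vendor_attr() lacked before 1.2.7. */
int vsa_parse(const uint8_t *raw, size_t raw_len, struct vsa *out)
{
    if (raw == NULL || out == NULL || raw_len < 6)   /* header must fit */
        return -1;
    uint8_t vlen = raw[5];           /* covers Vendor-Type, Vendor-Length, data */
    if (vlen < 2)                    /* cannot be shorter than its own header */
        return -1;
    if ((size_t)vlen > raw_len - 4)  /* packet-supplied length vs. real size */
        return -1;
    out->vendor_id   = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
                       ((uint32_t)raw[2] << 8)  |  (uint32_t)raw[3];
    out->vendor_type = raw[4];
    out->data        = raw + 6;
    out->data_len    = (size_t)vlen - 2;
    return 0;
}

/* Constructed samples: Vendor-Id 9, Vendor-Type 1, data "abcd". sample_ok has
 * the correct Vendor-Length 6; sample_bad claims 200 bytes in a 10-byte buffer. */
static const uint8_t sample_ok[]  = { 0, 0, 0, 9, 1, 6,   'a', 'b', 'c', 'd' };
static const uint8_t sample_bad[] = { 0, 0, 0, 9, 1, 200, 'a', 'b', 'c', 'd' };

int demo_valid_data_len(void)    /* data length from sample_ok, -1 if rejected */
{
    struct vsa v;
    return vsa_parse(sample_ok, sizeof sample_ok, &v) == 0 ? (int)v.data_len : -1;
}

int demo_rejects_oversized(void) /* 1 when sample_bad is refused, 0 if accepted */
{
    struct vsa v;
    return vsa_parse(sample_bad, sizeof sample_bad, &v) != 0;
}
```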
1.2.7 has been submitted to all.
CVE request: http://www.openwall.com/lists/oss-security/2013/06/28/2
php-radius-1.2.7-1.mga2 php-radius-1.2.7-1.mga3 Do you want to assign to QA now or wait for a CVE?
CC: (none) => luigiwalser
Version: 2 => 3
Whiteboard: (none) => MGA2TOO
Please assign to QA for now. We can always fill in the CVE later, no?
(In reply to Oden Eriksson from comment #4)
> Please assign to QA for now. We can always fill in the CVE later, no?

Yes indeed. Advisory to come later, but most details are in Comment 0.

Packages are:
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3
Assignee: bugsquad => qa-bugs
And it now has CVE-2013-2220: http://openwall.com/lists/oss-security/2013/06/28/3
Summary: php-radius: Fix a security issue in radius_get_vendor_attr(). => php-radius: Fix a security issue in radius_get_vendor_attr() (CVE-2013-2220)
I'm working on testing this one. Setting up a freeradius/kerberos server for testing it with now.
CC: (none) => davidwhodgins
Hey, you have test cases in the source tar ball. It would be nice if "%check\nmake test" in the php-extension.spec worked...

urpmi php-devel php-radius
wget http://pecl.php.net/get/radius-1.2.7.tgz
tar -zxf radius-1.2.7.tgz
pushd radius-1.2.7
phpize
find tests -type f -name '*.phpt' > tests.txt
TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php \
  -d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
popd
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:192/
Thanks Oden.

Advisory:
========================

Updated php-radius package fixes security vulnerability:

Fix a security issue in radius_get_vendor_attr() by enforcing checks of the VSA length field against the buffer size (CVE-2013-2220).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2220
http://pecl.php.net/package-changelog.php?package=radius&release=1.2.7
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:192/
========================

Updated packages in core/updates_testing:
========================
php-radius-1.2.7-1.mga2
php-radius-1.2.7-1.mga3

from SRPMS:
php-radius-1.2.7-1.mga2.src.rpm
php-radius-1.2.7-1.mga3.src.rpm
URL: https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234 => http://lwn.net/Vulnerabilities/557456/
Does this now run the tests at build time David? Did they all pass? If so then we can limit our testing to ensuring it updates ok.
No, I think Oden was saying those test cases have to be run manually for now.
Nice tests, thanks Oden.

# urpmi php-devel php-radius php-sockets php-pcntl
$ wget http://pecl.php.net/get/radius-1.2.7.tgz
$ tar -zxf radius-1.2.7.tgz
$ pushd radius-1.2.7
$ phpize
$ find tests -type f -name '*.phpt' > tests.txt
$ TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php \
  -d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
$ popd

All tests pass. The one affected by the CVE fails with the previous version but passes with the update.

FAIL radius_get_vendor_attr() [tests/radius_get_vendor_attr.phpt]

Complete output..

$ TEST_PHP_EXECUTABLE='/usr/bin/php' /usr/bin/php run-tests.php -d session.save_path="." -d soap.wsdl_cache_dir="." -l tests.txt
=====================================================================
PHP         : /usr/bin/php
PHP_SAPI    : cli
PHP_VERSION : 5.4.16
ZEND_VERSION: 2.4.0
PHP_OS      : Linux - Linux mega 3.8.13-desktop-1.mga3 #1 SMP Tue May 14 19:05:25 UTC 2013 x86_64
INI actual  : /etc/php.ini
More .INIs  : /etc/php.d/12_ctype.ini,/etc/php.d/18_dom.ini,/etc/php.d/21_openssl.ini,/etc/php.d/21_zlib.ini,/etc/php.d/22_ftp.ini,/etc/php.d/24_gettext.ini,/etc/php.d/29_mbstring.ini,/etc/php.d/30_mcrypt.ini,/etc/php.d/33_mysqlnd.ini,/etc/php.d/36_mysql.ini,/etc/php.d/37_mysqli.ini,/etc/php.d/40_pcntl.ini,/etc/php.d/43_posix.ini,/etc/php.d/47_session.ini,/etc/php.d/52_sockets.ini,/etc/php.d/54_hash.ini,/etc/php.d/57_sysvsem.ini,/etc/php.d/58_sysvshm.ini,/etc/php.d/60_tokenizer.ini,/etc/php.d/62_xml.ini,/etc/php.d/63_xmlreader.ini,/etc/php.d/64_xmlwriter.ini,/etc/php.d/70_pdo.ini,/etc/php.d/78_sqlite3.ini,/etc/php.d/81_filter.ini,/etc/php.d/82_json.ini,/etc/php.d/99_apc.ini,/etc/php.d/A13_radius.ini,/etc/php.d/A60_timezonedb.ini
CWD         : /home/clairer/test/radius-1.2.7
Extra dirs  :
VALGRIND    : Not used
=====================================================================
Running selected tests.
PASS radius_acct_open() [tests/radius_acct_open.phpt]
PASS radius_auth_open() [tests/radius_auth_open.phpt]
PASS radius_close() [tests/radius_close.phpt]
PASS radius_cvt_addr() [tests/radius_cvt_addr.phpt]
PASS radius_cvt_int() [tests/radius_cvt_int.phpt]
PASS radius_cvt_string() [tests/radius_cvt_string.phpt]
PASS radius_get_attr() [tests/radius_get_attr.phpt]
PASS radius_get_vendor_attr() [tests/radius_get_vendor_attr.phpt]
PASS radius_put_addr() [tests/radius_put_addr.phpt]
PASS radius_put_attr() [tests/radius_put_attr.phpt]
PASS radius_put_int() [tests/radius_put_int.phpt]
PASS radius_put_string() [tests/radius_put_string.phpt]
PASS radius_request_authenticator() [tests/radius_request_authenticator.phpt]
PASS radius_server_secret(): load from radius_add_server() [tests/radius_server_secret.phpt]
PASS radius_server_secret(): load from configuration file [tests/radius_server_secret_config.phpt]
=====================================================================
Number of tests :   15                15
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    0 (  0.0%) (  0.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :   15 (100.0%) (100.0%)
---------------------------------------------------------------------
Time taken      :    1 seconds
=====================================================================
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok
Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO has_procedure mga3-64-ok
Testing complete mga3 32
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok
Testing complete mga2 32 & 64
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3-32-ok => MGA2TOO has_procedure mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok
Validating. Advisory from comment 10 uploaded. Could sysadmin please push from 2 & 3 core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0206.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED