Bug 12809 - freeradius new security issue CVE-2014-2015
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588047/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update

Reported: 2014-02-18 16:32 CET by David Walser
Modified: 2014-02-24 23:02 CET (History)

Source RPM: freeradius-2.2.0-4.mga3.src.rpm

Description David Walser 2014-02-18 16:32:08 CET
A CVE has been assigned for a remote DoS issue in freeradius:
http://openwall.com/lists/oss-security/2014/02/18/3

I'm guessing Oden fixed this with upgrading to 2.2.3 in Cauldron, but Mageia 3 and Mageia 4 may need a fix for this.  Upstream patches are linked in the above URL.

Comment 1 Oden Eriksson 2014-02-20 11:32:05 CET
https://bugzilla.redhat.com/show_bug.cgi?id=1066761
Comment 2 David Walser 2014-02-20 15:57:37 CET
Thanks Oden.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated freeradius packages fix security vulnerability:

SSHA processing in freeradius before 2.2.3 runs into a stack-based buffer
overflow in the freeradius rlm_pap module if the password source uses an
unusually long hashed password (CVE-2014-2015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2015
http://lists.freebsd.org/pipermail/freebsd-bugbusters/2014-February/000610.html
http://openwall.com/lists/oss-security/2014/02/18/3
https://bugzilla.redhat.com/show_bug.cgi?id=1066761
========================

Updated packages in core/updates_testing:
========================
freeradius-2.2.0-4.1.mga3
freeradius-krb5-2.2.0-4.1.mga3
freeradius-ldap-2.2.0-4.1.mga3
freeradius-postgresql-2.2.0-4.1.mga3
freeradius-mysql-2.2.0-4.1.mga3
freeradius-unixODBC-2.2.0-4.1.mga3
freeradius-sqlite-2.2.0-4.1.mga3
freeradius-yubikey-2.2.0-4.1.mga3
libfreeradius1-2.2.0-4.1.mga3
libfreeradius-devel-2.2.0-4.1.mga3
freeradius-web-2.2.0-4.1.mga3
freeradius-2.2.0-5.1.mga4
freeradius-krb5-2.2.0-5.1.mga4
freeradius-ldap-2.2.0-5.1.mga4
freeradius-postgresql-2.2.0-5.1.mga4
freeradius-mysql-2.2.0-5.1.mga4
freeradius-unixODBC-2.2.0-5.1.mga4
freeradius-sqlite-2.2.0-5.1.mga4
freeradius-yubikey-2.2.0-5.1.mga4
libfreeradius1-2.2.0-5.1.mga4
libfreeradius-devel-2.2.0-5.1.mga4
freeradius-web-2.2.0-5.1.mga4

from SRPMS:
freeradius-2.2.0-4.1.mga3.src.rpm
freeradius-2.2.0-5.1.mga4.src.rpm
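Added example, not freeradius code and not part of this bug report: an illustrative C check of the kind the advisory implies, rejecting an SSHA password hash whose base64-decoded length would not fit the fixed-size stack buffer it is copied into. The buffer size, the salt limit and the function names are assumptions.

```c
/* Illustrative length check for a "{SSHA}<base64>" stored password hash.
 * Assumed sizes: a SHA-1 digest plus at most 16 bytes of salt. */
#include <stdint.h>
#include <string.h>

#define SHA1_DIGEST_LEN 20
#define MAX_SALT_LEN    16                      /* assumption */
#define HASH_BUF_LEN    (SHA1_DIGEST_LEN + MAX_SALT_LEN)

/* Minimal base64 decoder. Returns the decoded length, or -1 on a bad
 * character or when the output would exceed outlen: the decoder never
 * writes past the caller's buffer, whatever the input length. */
static int b64_decode(const char *in, uint8_t *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                      /* not a base64 character */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;         /* would overflow: reject */
            out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)n;
}

/* Returns 1 if the stored value is an SSHA hash of a sane length
 * (full digest, salt within the assumed limit), otherwise 0. */
int ssha_hash_is_sane(const char *stored)
{
    uint8_t buf[HASH_BUF_LEN];                  /* fixed stack buffer */
    const char prefix[] = "{SSHA}";
    int len;

    if (strncmp(stored, prefix, sizeof(prefix) - 1) != 0) return 0;
    len = b64_decode(stored + sizeof(prefix) - 1, buf, sizeof(buf));
    if (len < 0) return 0;                      /* bad input or too long */
    return len >= SHA1_DIGEST_LEN;              /* digest must be complete */
}
```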
Comment 3 claire robinson 2014-02-21 13:05:30 CET
No simple PoC. See bug 8726 for test procedure.
Comment 4 William Kenney 2014-02-21 17:04:48 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
freeradius

default updated install of freeradius

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-4.mga3.i586 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

install freeradius from updates_testing

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-4.1.mga3.i586 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 5 William Kenney 2014-02-21 17:20:07 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
freeradius

default updated install of freeradius

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-4.mga3.x86_64 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added  to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

install freeradius from updates_testing

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-4.1.mga3.x86_64 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 6 William Kenney 2014-02-21 17:32:27 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
freeradius

default updated install of freeradius

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-5.mga4.i586 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

install freeradius from updates_testing

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-5.1.mga4.i586 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 7 William Kenney 2014-02-21 17:44:33 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
freeradius

default updated install of freeradius

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-5.mga4.x86_64 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

install freeradius from updates_testing

[root@localhost wilcal]# urpmi freeradius
Package freeradius-2.2.0-5.1.mga4.x86_64 is already installed

ran simple tests as described in:
http://freeradius.org/doc/
[root@localhost wilcal]# radiusd -X
freeradius seems to be responding.
Added testing Cleartext-Password := "password" to /etc/raddb/users
[root@localhost wilcal]# radtest testing password 127.0.0.1 0 testing123
freeradius seems to be responding.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 8 William Kenney 2014-02-21 17:44:46 CET
For me this update works fine as best I can test it.
I think someone can make a career out of understanding this.
Go ahead and push it.
Comment 9 Rémi Verschelde 2014-02-21 18:36:16 CET
Validating update, advisory has been uploaded. Please push to 3 & 4 core/updates.
Comment 10 Thomas Backlund 2014-02-21 19:27:09 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0088.html
