Your message dated Wed, 12 Sep 2012 18:47:06 +0000
with message-id <e1tbrxq-0007g6...@franck.debian.org>
and subject line Bug#687175: fixed in freeradius 2.1.10+dfsg-2+squeeze1
has caused the Debian Bug report #687175,
regarding freeradius: CVE-2012-3547 stack-based buffer overflow in EAP-TLS handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
687175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: freeradius
Severity: grave
Tags: security

Hi,
the following vulnerability was published for freeradius.

CVE-2012-3547[0]:
| PRE-CERT Security Advisory
| ==========================
| 
| * Advisory: PRE-SA-2012-06
| * Released on: 10 September 2012
| * Affected product: FreeRADIUS 2.1.10 - 2.1.12
| * Impact: remote code execution
| * Origin: specially crafted client certificates
| * CVSS Base Score: 10
|     Impact Subscore: 10
|     Exploitability Subscore: 10
|   CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| * Credit: Timo Warns (PRESENSE Technologies GmbH)
| * CVE Identifier: CVE-2012-3547
| 
| 
| Summary
| - -------
| 
| A stack overflow vulnerability has been identified in FreeRADIUS that allows to
| remotely execute arbitrary code via specially crafted client certificates
| (before authentication). The vulnerability affects setups using TLS-based EAP
| methods (including EAP-TLS, EAP-TTLS, and PEAP).
| 
| FreeRADIUS defines a callback function cbtls_verify() for certificate
| verification. The function has a local buf array with a size of 64
| bytes. It copies the validity timestamp "not after" of a client
| certificate to the buf array:
| 
|     asn_time = X509_get_notAfter(client_cert);
|     if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
|         memcpy(buf, (char*) asn_time->data, asn_time->length);
|         buf[asn_time->length] = '\0';
| 
| The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is
| greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy.
| 
| Depending on the stack layout chosen by the compiler, the vulnerability allows
| to overflow the return address on the stack, which can be exploited for code
| execution.
| 
| 
| Solution
| - --------
| 
| The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as
| soon as possible.
| 
| 
| References
| - ----------
| 
| When further information becomes available, this advisory will be
| updated. The most recent version of this advisory is available at:
| 
| http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
    http://security-tracker.debian.org/tracker/CVE-2012-3547

Cheers
Nico

Attachment: pgpC6KQC70dRG.pgp
Description: PGP signature


--- End Message ---
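The advisory above quotes the length check that lets a client-supplied "not after" timestamp overrun a 64-byte stack buffer. The following C program is an added illustration, not code from the advisory, the bug report or FreeRADIUS itself: it models the quoted check with a constructed stand-in for OpenSSL's ASN1_TIME (struct asn_time_stub, not the real layout), drops the unrelated `lookup <= 1` condition, and places beside it a hardened variant whose bound is derived from the destination buffer. The hardened function is an assumption for this example and is not the project's actual patch.

```c
#include <stdio.h>
#include <string.h>

/* Constants named in the advisory: the local buffer is 64 bytes, while the
 * original length check compared against MAX_STRING_LEN (254). */
#define MAX_STRING_LEN 254
#define BUF_SIZE 64

/* Constructed stand-in for OpenSSL's ASN1_TIME (not the real struct layout):
 * a length and a pointer to the raw timestamp bytes from the certificate. */
struct asn_time_stub {
    int length;
    const unsigned char *data;
};

/* The length check as quoted in the advisory. It accepts any length below
 * MAX_STRING_LEN, which is larger than the 64-byte destination, so a length
 * between 64 and 253 passes. Returns 1 if the original code would have gone
 * on to memcpy; the copy itself is deliberately not performed here. */
int original_check_accepts(const struct asn_time_stub *asn_time)
{
    return asn_time != NULL && asn_time->length < MAX_STRING_LEN;
}

/* Hardened variant (assumed for this example, not the project's fix): the
 * bound comes from the destination size, leaving room for the NUL terminator.
 * Returns the number of bytes copied, or -1 if the value is rejected. */
int hardened_copy_not_after(char *buf, size_t buf_size,
                            const struct asn_time_stub *asn_time)
{
    if (asn_time == NULL || asn_time->length < 0 ||
        (size_t)asn_time->length >= buf_size) {
        return -1;
    }
    memcpy(buf, asn_time->data, (size_t)asn_time->length);
    buf[asn_time->length] = '\0';
    return asn_time->length;
}

/* Runs both checks on a normal 13-byte UTCTime and on a constructed 100-byte
 * value that would overflow the 64-byte buffer. Returns 1 when the original
 * check accepts the oversized value, the hardened copy rejects it, and the
 * normal value is still copied intact. */
int demo(void)
{
    static const unsigned char normal[] = "120911170329Z"; /* constructed UTCTime */
    static unsigned char oversized[100];
    struct asn_time_stub ok = { (int)(sizeof normal - 1), normal };
    struct asn_time_stub big = { (int)sizeof oversized, oversized };
    char buf[BUF_SIZE];
    int n_ok, n_big;

    memset(oversized, '9', sizeof oversized);

    n_ok = hardened_copy_not_after(buf, sizeof buf, &ok);   /* 13 */
    n_big = hardened_copy_not_after(buf, sizeof buf, &big); /* -1, buf untouched */

    return original_check_accepts(&big) == 1 &&
           n_big == -1 &&
           n_ok == 13 &&
           strcmp(buf, "120911170329Z") == 0;
}

int main(void)
{
    printf("original check accepts oversized value, hardened copy rejects it: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The point to carry away when auditing similar code is that the bound in the check must be tied to the destination (`sizeof buf`), not to an unrelated constant; a 13-byte timestamp behaves identically under both checks, so ordinary certificates never exercise the difference, which is why such a defect can survive in a pre-authentication path.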
--- Begin Message ---
Source: freeradius
Source-Version: 2.1.10+dfsg-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 11 Sep 2012 17:03:29 +0000
Source: freeradius
Binary: freeradius freeradius-common freeradius-utils libfreeradius2 libfreeradius-dev freeradius-krb5 freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-iodbc freeradius-dialupadmin freeradius-dbg
Architecture: source amd64 all
Version: 2.1.10+dfsg-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Josip Rodin <joy-packa...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 freeradius - a high-performance and highly configurable RADIUS server
 freeradius-common - FreeRADIUS common files
 freeradius-dbg - debug symbols for the FreeRADIUS packages
 freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
 freeradius-postgresql - PostgreSQL module for FreeRADIUS server
 freeradius-utils - FreeRADIUS client utilities
 libfreeradius-dev - FreeRADIUS shared library development files
 libfreeradius2 - FreeRADIUS shared library
Closes: 687175
Changes: 
 freeradius (2.1.10+dfsg-2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix pre-authentication buffer overflow in EAP TLS handling
     (CVE-2012-3547; Closes: #687175).
Checksums-Sha1: 
 d02e98e9b560f2bc26df9084dceb2c05ee008208 1632 freeradius_2.1.10+dfsg-2+squeeze1.dsc
 0cb6e0627365ba609a9c20a84f203b4379c0607e 3319467 freeradius_2.1.10+dfsg.orig.tar.gz
 e8d5651de8bb2dc3b161527d7eed3ed0d841a5f3 7548 freeradius_2.1.10+dfsg-2+squeeze1.diff.gz
 620dbf576cec09fb91a891067fa805a15e988fd0 650010 freeradius_2.1.10+dfsg-2+squeeze1_amd64.deb
 a1f02482af7cc99b1f3afab7bb3d7f440a1d5808 99402 freeradius-utils_2.1.10+dfsg-2+squeeze1_amd64.deb
 a84039d7b51e3204f25ba189ccf6a7d6a31058ee 114712 libfreeradius2_2.1.10+dfsg-2+squeeze1_amd64.deb
 d979d779cc350fd424048a87506ae18b89be045e 155550 libfreeradius-dev_2.1.10+dfsg-2+squeeze1_amd64.deb
 c1310423d0203407c4c51833279a5c3d229dc2ac 35278 freeradius-krb5_2.1.10+dfsg-2+squeeze1_amd64.deb
 31f67a9b490adadd654c6c7cefac5c535ce49c85 53484 freeradius-ldap_2.1.10+dfsg-2+squeeze1_amd64.deb
 d5f09b298631b9a380a1aa45e0fd363755e5f3fb 54938 freeradius-postgresql_2.1.10+dfsg-2+squeeze1_amd64.deb
 796a3e045e44a06edfb8130a1e8f5437b28bf256 42920 freeradius-mysql_2.1.10+dfsg-2+squeeze1_amd64.deb
 09f7e0ac6fffd348d455e22cf00303e40831a75f 34442 freeradius-iodbc_2.1.10+dfsg-2+squeeze1_amd64.deb
 24c4267e2294d1e2385196d17349b5d6b2f0d3a9 1141358 freeradius-dbg_2.1.10+dfsg-2+squeeze1_amd64.deb
 8cbb9beb71f1c4e0cd974cfb112f11fa77da0491 236200 freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb
 b3da205b61217dcffdbf545a06bfbaaca0145139 133664 freeradius-dialupadmin_2.1.10+dfsg-2+squeeze1_all.deb
Checksums-Sha256: 
 6a4c60024910f4f2933f050b70972d76b3e8515739c5501cca1ba95b62479087 1632 freeradius_2.1.10+dfsg-2+squeeze1.dsc
 e5ccdab660ed2d5d7c8709363ca288ad2e1229321aa8684539ac45ddae274885 3319467 freeradius_2.1.10+dfsg.orig.tar.gz
 978a06f9032dc37acc7d25f6e117de074bb62e518c47d8ce13e9ec0b9bdb0ce4 7548 freeradius_2.1.10+dfsg-2+squeeze1.diff.gz
 3960a2f678260e8659416457814219a41536fa84b3c632de33c37647576bc8c2 650010 freeradius_2.1.10+dfsg-2+squeeze1_amd64.deb
 c3907c0ac2460dce327be027e15ce49306672885b7e9fe014ccc9995d9bb457c 99402 freeradius-utils_2.1.10+dfsg-2+squeeze1_amd64.deb
 6a50538cfbb5adbe74e5db2d1b3b0c1fe7edff7b4d8d77d5fa415b09a4ea47ec 114712 libfreeradius2_2.1.10+dfsg-2+squeeze1_amd64.deb
 566ad2b2765e87f2fdd83bc988ee23bb85aad0d6b809c46522843ed1b2c736e6 155550 libfreeradius-dev_2.1.10+dfsg-2+squeeze1_amd64.deb
 72fd12ade3cc53d1dbb836a42bace30fddbd832e78676452a0035c88ff946837 35278 freeradius-krb5_2.1.10+dfsg-2+squeeze1_amd64.deb
 6335f28c042994ac9a303b149def8c5460ebe6b660abc39037b89aa27a4b8919 53484 freeradius-ldap_2.1.10+dfsg-2+squeeze1_amd64.deb
 424ccf21cdf77275cc873d12ad093a58daae031d3953a36a0fcf877b2fcd2a36 54938 freeradius-postgresql_2.1.10+dfsg-2+squeeze1_amd64.deb
 7162e5651eedd5bc53ae15a7860725c63a343e3eb9ba93b4abe24bf4237a0b7f 42920 freeradius-mysql_2.1.10+dfsg-2+squeeze1_amd64.deb
 c133d654e7aad020a8e4877c36e7eeea0b8254bc1e3b2bcf7c604f16828a8809 34442 freeradius-iodbc_2.1.10+dfsg-2+squeeze1_amd64.deb
 d9037e4279b2518d61fe75898986ef606c05d2ee356ec332788b30a505a1916d 1141358 freeradius-dbg_2.1.10+dfsg-2+squeeze1_amd64.deb
 05af3a293e5abc6c23a126a0742bc508f6c4aea8b218af7ca9d2e1ed82efd7fb 236200 freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb
 15fa4daf8356a373047cd097688e45e87b6e46d45de9ef7fbcbe5bfbbe439ea0 133664 freeradius-dialupadmin_2.1.10+dfsg-2+squeeze1_all.deb
Files: 
 8e666db7080b82208cc7fa373327ecc7 1632 net optional freeradius_2.1.10+dfsg-2+squeeze1.dsc
 50baed20b9d603463f8c30915538c6ae 3319467 net optional freeradius_2.1.10+dfsg.orig.tar.gz
 4b8e786fe73f159b602ccdfa4facae58 7548 net optional freeradius_2.1.10+dfsg-2+squeeze1.diff.gz
 763b7374253a26b2cba5b296ecbdff40 650010 net optional freeradius_2.1.10+dfsg-2+squeeze1_amd64.deb
 cc1646491ea85a4019a4401a42906208 99402 net optional freeradius-utils_2.1.10+dfsg-2+squeeze1_amd64.deb
 f1973db887f7b33f24f560dde5fac945 114712 net optional libfreeradius2_2.1.10+dfsg-2+squeeze1_amd64.deb
 8c00840e340443d2777737f5fb06bf08 155550 libdevel optional libfreeradius-dev_2.1.10+dfsg-2+squeeze1_amd64.deb
 625e68f24cd5282521a88fe2a7f3951d 35278 net optional freeradius-krb5_2.1.10+dfsg-2+squeeze1_amd64.deb
 0914a74b3a1058150175c2eed30f83d5 53484 net optional freeradius-ldap_2.1.10+dfsg-2+squeeze1_amd64.deb
 efe9ab4ed76a941dda6ba5a4ca491f0e 54938 net optional freeradius-postgresql_2.1.10+dfsg-2+squeeze1_amd64.deb
 90469a2716c3c9b25b812492d64a57f6 42920 net optional freeradius-mysql_2.1.10+dfsg-2+squeeze1_amd64.deb
 bd4e9d09d3466af07a8a19cb1519c107 34442 net optional freeradius-iodbc_2.1.10+dfsg-2+squeeze1_amd64.deb
 e835dd62266afd7ecd35567ca5d50233 1141358 debug extra freeradius-dbg_2.1.10+dfsg-2+squeeze1_amd64.deb
 8271a63dea98474a5ed866f520900799 236200 net optional freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb
 65cb919839669b206c08e9ccec677926 133664 net optional freeradius-dialupadmin_2.1.10+dfsg-2+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBPcNwACgkQHYflSXNkfP9fBwCdFydLBlpMg6hR+EGvCmrekUmb
/CEAnA8vOjMxdqoentxXTRGptxxIC5KI
=7AQp
-----END PGP SIGNATURE-----

--- End Message ---