Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:openvpn-auth-radius
User: [email protected]
Usertags: pu

Hello,

I have uploaded openvpn-auth-radius 2.1-9+deb13u1 for inclusion in trixie.

Samuel

[ Reason ]
As reported on #1118479, the version in trixie of openvpn-auth-radius introduced a use-after-free, which in a hardened environment makes it completely non-working, while it was working in debian 12.

[ Impact ]
I hadn't noticed the issue in my testing environment, but the reporter of #1118479 ended up in a completely non-working situation.

[ Tests ]
This was tested manually by the reporter.

[ Risks ]
The code is very trivial, it just extends the liveness of the underlying string.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
server->getSharedSecret().c_str() doesn't work because the string returned by getSharedSecret can actually be thrown away before we use the secret. Storing the string extends its liveness so the char* returned by c_str() can be read safely.

diff -Nru openvpn-auth-radius-2.1/debian/changelog openvpn-auth-radius-2.1/debian/changelog --- openvpn-auth-radius-2.1/debian/changelog 2024-10-20 17:28:08.000000000 +0200 +++ openvpn-auth-radius-2.1/debian/changelog 2025-10-26 18:28:22.000000000 +0100 @@ -1,3 +1,10 @@ +openvpn-auth-radius (2.1-9+deb13u1) trixie; urgency=medium + + * patches/0008-authenticate-fix: Fix packet authentication + (Closes: Bug#1118479) + + -- Samuel Thibault <[email protected]> Sun, 26 Oct 2025 18:28:22 +0100 + openvpn-auth-radius (2.1-9) unstable; urgency=medium * QA upload. diff -Nru openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix --- openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix 2025-10-21 00:11:25.000000000 +0200 @@ -0,0 +1,21 @@ +Description: Fix RADIUS Packet Authentication use-after-free + The BLASTRadius vulnerability mitigation introduced a use-after-free + in the RadiusPacket::authenticateReceivedPacket method. + This fix prevents use-after-free by assigning the string to a + variable before relying on the c_str result. +Author: Martin Rampersad <[email protected]> +Last-Update: 2025-10-20 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/RadiusClass/RadiusPacket.cpp ++++ b/RadiusClass/RadiusPacket.cpp +@@ -706,7 +706,8 @@ + + int RadiusPacket::authenticateReceivedPacket(RadiusServer *server) + { +- const char *secret = server->getSharedSecret().c_str(); ++ string secretString = server->getSharedSecret(); ++ const char *secret = secretString.c_str(); + gcry_md_hd_t context; + int res; + diff -Nru openvpn-auth-radius-2.1/debian/patches/series openvpn-auth-radius-2.1/debian/patches/series --- openvpn-auth-radius-2.1/debian/patches/series 2024-10-20 17:27:15.000000000 +0200 +++ openvpn-auth-radius-2.1/debian/patches/series 2025-10-21 00:11:25.000000000 +0200 
@@ -5,3 +5,4 @@ 40_use_cppflags.diff 0006-Support-verify-client-cert-directive-in-openvpn-2.4.patch 0007-RadiusBLAST +0008-authenticate-fix
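
Review bot: In the debian/changelog hunk, the entry text "Fix packet authentication" does not say that the defect is a use-after-free in RadiusPacket::authenticateReceivedPacket, which is how the patch description and the bug report describe it. Suggest naming the use-after-free in the changelog line so the reason for the stable update is visible from the changelog alone.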
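
Review bot: The DEP-3 header added in debian/patches/0008-authenticate-fix has Description, Author and Last-Update but no bug reference or forwarding status, although the changelog closes #1118479. Suggest adding `Bug-Debian: https://bugs.debian.org/1118479` and a `Forwarded:` field so the patch can be traced on its own. In the RadiusPacket.cpp change, `secretString` is only read through `c_str()` in the visible lines, so it could be declared `const string`.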
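
The lifetime problem described under [ Changes ], as an added example that is not part of the original report or of the openvpn-auth-radius code. `TrackedString` and `Server` are constructed stand-ins, and it is assumed that `getSharedSecret()` returns by value; the dangling pointer is never dereferenced, only the buffer's liveness is observed.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for std::string that counts live buffers, so the
// lifetime of a temporary can be observed without reading freed memory.
struct TrackedString {
    static int live;
    std::string data;
    explicit TrackedString(const std::string &s) : data(s) { ++live; }
    TrackedString(const TrackedString &o) : data(o.data) { ++live; }
    ~TrackedString() { --live; }
    const char *c_str() const { return data.c_str(); }
};
int TrackedString::live = 0;

// Hypothetical server object; returning the secret by value is an assumption.
struct Server {
    std::string secret;
    TrackedString getSharedSecret() const { return TrackedString(secret); }
};

// Pre-patch pattern: the temporary is destroyed at the end of the full
// expression, so the buffer behind `secret` is gone on the next line.
bool buffer_alive_before_fix(const Server &srv) {
    const char *secret = srv.getSharedSecret().c_str();
    (void)secret;  // dangling: deliberately never dereferenced here
    return TrackedString::live > 0;
}

// Patched pattern: a named local owns the buffer until the function returns,
// so reading through `secret` is well defined.
std::size_t secret_length_after_fix(const Server &srv, bool *alive) {
    TrackedString secretString = srv.getSharedSecret();
    const char *secret = secretString.c_str();
    *alive = TrackedString::live > 0;
    return std::strlen(secret);
}

int main() {
    Server srv{"constructed-secret"};  // constructed sample value
    bool alive = false;
    std::size_t n = secret_length_after_fix(srv, &alive);
    std::printf("before fix: buffer alive=%d\n", buffer_alive_before_fix(srv));
    std::printf("after fix:  buffer alive=%d, length=%zu\n", alive, n);
    return 0;
}
```

With a real `std::string` the pre-patch read is undefined behaviour: it may appear to work when the freed buffer is left intact, and fail when the allocator overwrites or poisons freed memory, which matches the report that only the hardened environment broke.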

