Debian Bug report logs - #278384
yardradius: security vulnerability still present in stable

Package: yardradius; Maintainer for yardradius is Francesco Paolo Lovergine <frankie@debian.org>; Source for yardradius is src:yardradius.

Reported by: Max Vozeler <max@hinterhof.net>

Date: Tue, 26 Oct 2004 14:48:05 UTC

Severity: grave

Tags: patch, security, woody

Found in version 1.0.20-2

Done: Max Vozeler <max@hinterhof.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#278384; Package yardradius.

Acknowledgement sent to Max Vozeler <max@hinterhof.net>:
New Bug report received and forwarded. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Max Vozeler <max@hinterhof.net>
To: submit@bugs.debian.org
Subject: yardradius: security vulnerability still present in stable
Date: Tue, 26 Oct 2004 16:35:25 +0200
[Message part 1 (text/plain, inline)]
Package: yardradius
Version: 1.0.20-2
Severity: grave
Tags: woody security patch

Hi,

yardradius in stable is still vulnerable to an exploitable stack
overflow in process_menu() that is already fixed in testing/unstable
version 1.0.20-15.

Attaching the patch below that I sent to Francesco and the Security
Team.

Cheers,
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC
[yardradius-secupdate.diff (text/plain, inline)]
diff -ru yardradius-1.0.20/debian/changelog yardradius-1.0.20-secupdate/debian/changelog
--- yardradius-1.0.20/debian/changelog	Mon Sep  6 18:05:59 2004
+++ yardradius-1.0.20-secupdate/debian/changelog	Thu Oct 14 13:14:58 2004
@@ -1,3 +1,12 @@
+yardradius (1.0.20-2.1) stable-security; urgency=high
+
+  * [SECURITY] This update fixes a stack overflow in process_menu()
+    that could be exploited without knowledge of the shared secret.
+    A similar vulnerability existed and was fixed in other radiusd
+    implementations as part of CAN-2001-0534.
+ 
+ -- Security Team <XXX>  Thu, 14 Oct 2004 13:09:54 +0200
+
 yardradius (1.0.20-2) unstable; urgency=low
 
   * Added german, russian and italian templates for debconf.
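Review bot: the trailer line of the new entry still carries the placeholder address ("-- Security Team <XXX>"), which has to be a real address before the package is built, and the line just above it holds a single space where the changelog format expects an empty line. The entry text would also be more useful to administrators if it said which request field reaches process_menu(), since it currently names only the function and refers to CAN-2001-0534 for the similar issue in other implementations.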
diff -ru yardradius-1.0.20/src/menu.c yardradius-1.0.20-secupdate/src/menu.c
--- yardradius-1.0.20/src/menu.c	Mon Dec  4 10:25:45 2000
+++ yardradius-1.0.20-secupdate/src/menu.c	Thu Oct 14 13:06:57 2004
@@ -112,7 +112,8 @@
 	if((attr = get_attribute(authreq->request, PW_STATE)) !=
 		(VALUE_PAIR *)NULL && strncmp(attr->strvalue, "MENU=", 5) == 0){
 
-		strcpy(menu_name, &attr->strvalue[5]);
+		strncpy(menu_name, &attr->strvalue[5], sizeof(menu_name)-1);
+		menu_name[sizeof(menu_name)-1] = '\0';
 
 		/* The menu input is in the Password Field */
 		attr = get_attribute(authreq->request, PW_PASSWORD);
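Review bot: the bounded copy into menu_name silently truncates an over-long State value, and the code then continues straight into reading the menu input from the Password field with the shortened name. Consider rejecting or at least logging the request when strlen(&attr->strvalue[5]) exceeds sizeof(menu_name)-1, rather than proceeding with a name the client did not send. Also note that sizeof(menu_name) only yields the buffer size if menu_name is an array declared in this scope; its declaration is outside the visible context, so confirm it is not a pointer or a function parameter.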

Reply sent to Max Vozeler <max@hinterhof.net>:
You have taken responsibility.

Notification sent to Max Vozeler <max@hinterhof.net>:
Bug acknowledged by developer.

Message #10 received at 278384-done@bugs.debian.org:

From: Max Vozeler <max@hinterhof.net>
To: 278384-done@bugs.debian.org
Subject: Re: Bug#278384: vulnerability fixed
Date: Fri, 3 Dec 2004 17:22:04 +0100
Just to confirm, this bug is fixed with the recent security update for
stable (DSA-598-1).

Cheers,
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 08:06:28 2014; Machine Name: beach.debian.org