Report forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>: Bug#278384; Package yardradius.
Acknowledgement sent to Max Vozeler <max@hinterhof.net>:
New Bug report received and forwarded. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>.
Package: yardradius
Version: 1.0.20-2
Severity: grave
Tags: woody security patch
Hi,
yardradius in stable is still vulnerable to an exploitable stack
overflow in process_menu() that is already fixed in testing/unstable
version 1.0.20-15.
Attaching the patch below that I sent to Francesco and the Security
Team.
Cheers,
Max
--
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC
diff -ru yardradius-1.0.20/debian/changelog yardradius-1.0.20-secupdate/debian/changelog
--- yardradius-1.0.20/debian/changelog Mon Sep 6 18:05:59 2004
+++ yardradius-1.0.20-secupdate/debian/changelog Thu Oct 14 13:14:58 2004
@@ -1,3 +1,12 @@
+yardradius (1.0.20-2.1) stable-security; urgency=high
+
+ * [SECURITY] This update fixes a stack overflow in process_menu()
+ that could be exploited without knowledge of the shared secret.
+ A similar vulnerability existed and was fixed in other radiusd
+ implementations as part of CAN-2001-0534.
+
+ -- Security Team <XXX> Thu, 14 Oct 2004 13:09:54 +0200
+
yardradius (1.0.20-2) unstable; urgency=low
* Added german, russian and italian templates for debconf.
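Review bot: The trailer line `-- Security Team <XXX>` still has a placeholder where the maintainer address belongs; fill in the real address before upload so the entry is attributable. The entry would also be easier to audit if it named the input involved, which per the menu.c change is the State attribute value following the `MENU=` prefix.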
diff -ru yardradius-1.0.20/src/menu.c yardradius-1.0.20-secupdate/src/menu.c
--- yardradius-1.0.20/src/menu.c Mon Dec 4 10:25:45 2000
+++ yardradius-1.0.20-secupdate/src/menu.c Thu Oct 14 13:06:57 2004
@@ -112,7 +112,8 @@
if((attr = get_attribute(authreq->request, PW_STATE)) !=
(VALUE_PAIR *)NULL && strncmp(attr->strvalue, "MENU=", 5) == 0){
- strcpy(menu_name, &attr->strvalue[5]);
+ strncpy(menu_name, &attr->strvalue[5], sizeof(menu_name)-1);
+ menu_name[sizeof(menu_name)-1] = '\0';
/* The menu input is in the Password Field */
attr = get_attribute(authreq->request, PW_PASSWORD);
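Review bot: At the `strncpy` line an over-long State value is now silently truncated, so `menu_name` ends up holding only the first `sizeof(menu_name)-1` bytes of what the client sent instead of the request being refused. Consider comparing `strlen(&attr->strvalue[5])` against `sizeof(menu_name)` and rejecting the request when it does not fit. The bound is also only correct if `menu_name` is an array in this scope rather than a pointer; its declaration lies outside the hunk context, so that is worth confirming.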
Reply sent to Max Vozeler <max@hinterhof.net>:
You have taken responsibility.
Notification sent to Max Vozeler <max@hinterhof.net>:
Bug acknowledged by developer.