Debian Bug report logs - #714362
php-radius: CVE-2013-2220: security issue in radius_get_vendor_attr()

Package: php-radius; Maintainer for php-radius is Roberto Lumbreras <rover@debian.org>;

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Fri, 28 Jun 2013 13:21:02 UTC

Severity: serious

Tags: patch, security

Fixed in versions php-radius/1.2.5-2.4, php-radius/1.2.5-2.3+deb7u1, php-radius/1.2.5-2+squeeze1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roberto Lumbreras <rover@debian.org>:
Bug#714362; Package php-radius. (Fri, 28 Jun 2013 13:21:06 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roberto Lumbreras <rover@debian.org>. (Fri, 28 Jun 2013 13:21:06 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security issue in radius_get_vendor_attr()
Date: Fri, 28 Jun 2013 15:17:59 +0200
Package: php-radius
Severity: serious
Tags: security patch

Hi,

A new upstream release of php-radius is available which fixes a security
issue. http://pecl.php.net/package-info.php?package=radius&version=1.2.7

The relevant patch is
https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234

A CVE id has been requested and will follow.

Can you please fix this issue for unstable, and see if you can prepare
updates for (old)stable?


thanks,
Thijs

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



Information forwarded to debian-bugs-dist@lists.debian.org, Roberto Lumbreras <rover@debian.org>:
Bug#714362; Package php-radius. (Fri, 28 Jun 2013 21:06:15 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roberto Lumbreras <rover@debian.org>. (Fri, 28 Jun 2013 21:06:16 GMT)

Message #10 received at 714362@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 714362@bugs.debian.org
Subject: Re: Bug#714362: security issue in radius_get_vendor_attr()
Date: Fri, 28 Jun 2013 23:05:46 +0200
Control: retitle -1 php-radius: CVE-2013-2220: security issue in radius_get_vendor_attr()

On Fri, Jun 28, 2013 at 03:17:59PM +0200, Thijs Kinkhorst wrote:
> A CVE id has been requested and will follow.

Was assigned now, it is CVE-2013-2220 (retitling bug report
accordingly).

Regards,
Salvatore



Changed Bug title to 'php-radius: CVE-2013-2220: security issue in radius_get_vendor_attr()' from 'security issue in radius_get_vendor_attr()' Request was from Salvatore Bonaccorso <carnil@debian.org> to 714362-submit@bugs.debian.org. (Fri, 28 Jun 2013 21:06:16 GMT)

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 25 Jul 2013 13:51:09 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 25 Jul 2013 13:51:09 GMT)

Message #17 received at 714362-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 714362-close@bugs.debian.org
Subject: Bug#714362: fixed in php-radius 1.2.5-2.4
Date: Thu, 25 Jul 2013 13:48:09 +0000
Source: php-radius
Source-Version: 1.2.5-2.4

We believe that the bug you reported is fixed in the latest version of
php-radius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated php-radius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Jul 2013 14:28:53 +0200
Source: php-radius
Binary: php5-radius php-radius-legacy
Architecture: source all amd64
Version: 1.2.5-2.4
Distribution: unstable
Urgency: high
Maintainer: Roberto Lumbreras <rover@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 php-radius-legacy - Radius protocol implementation in PHP
 php5-radius - PECL radius module for PHP 5
Closes: 714362
Changes: 
 php-radius (1.2.5-2.4) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix security issue in radius_get_vendor_attr()
     (CVE-2013-2220, closes: #714362)
Checksums-Sha1: 
 3f3fa41bc996d0e888c4abc408dc2352e2dcf1d2 1409 php-radius_1.2.5-2.4.dsc
 adbf99a63f246a8e748f26512af20b01884bc3ee 11394 php-radius_1.2.5-2.4.diff.gz
 9dee4876025c6028a6fd527fbed014d8a49c716f 8726 php-radius-legacy_1.2.5-2.4_all.deb
 17c88d04b64966a9a77f330672ec9814f75a4b8e 33162 php5-radius_1.2.5-2.4_amd64.deb
Checksums-Sha256: 
 51161451c233e6c40b715b0156bee749786414507e9715d95a1c195886307347 1409 php-radius_1.2.5-2.4.dsc
 0a6e75097ed281ae42d6ff07283bbe5584d758f51d01c9c1ddd3e2fc7799285b 11394 php-radius_1.2.5-2.4.diff.gz
 dcdc50a992c30d3ccf91246904d56aaea3c941bc2c7388012acd832d30cef8df 8726 php-radius-legacy_1.2.5-2.4_all.deb
 1b205b69da132a115d5843b0ddbb43ed2e21a5b1ca5c685998079440564924a1 33162 php5-radius_1.2.5-2.4_amd64.deb
Files: 
 d142244c2c97a11aea324b612f79ffb0 1409 web optional php-radius_1.2.5-2.4.dsc
 ad6dfa3e53c667affaea49e4624437cf 11394 web optional php-radius_1.2.5-2.4.diff.gz
 1745856a9a5b687eea99d30aec293310 8726 web optional php-radius-legacy_1.2.5-2.4_all.deb
 c9b11dfc2e7f067bea68fd8bcf0d7440 33162 web optional php5-radius_1.2.5-2.4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJR8St4AAoJEFb2GnlAHawEjFQH/3uxIc/MspvXzXpudU1ACpqI
CHdSr9A61+LHEMBA7sViRcRR1az+SI1EHqrP+EgY+OczOMF18iDXH3HCoo2b2mQf
woQ7FmW/eUdmFrugShpx8QA6YX2kKJxX5pLW0B++GiSdV9rpmDDvL0xTi91Ooajd
9FlFNKVuuGbeVUEAR2Hp5Z75BI0n6qlNBG+Ga4Et3REOA8ejNuybKHQksgDAh3ue
19AFPdRCIv6OdrlDanRgBcyBzNDK5hEQ0Q7yIdB5zEONBS1tDvUeFUph7BQNb6JP
dcXm2tRjUXYw4oHJALoV1OmLUMLfdUvytej4GUf+e8WHyvAT8D7CVJ5STqP3xEA=
=pdah
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Roberto Lumbreras <rover@debian.org>:
Bug#714362; Package php-radius. (Thu, 25 Jul 2013 13:57:12 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Roberto Lumbreras <rover@debian.org>. (Thu, 25 Jul 2013 13:57:12 GMT)

Message #22 received at 714362@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 714362@bugs.debian.org
Subject: diff for 1.2.5-2.4 NMU
Date: Thu, 25 Jul 2013 15:55:54 +0200
Hi Roberto,

Here's the diff I used in the 1.2.5-2.4 NMU.


Cheers,
Thijs
[pra_2.3_2.4.diff (text/x-patch, attachment)]

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 01 Aug 2013 19:21:04 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 01 Aug 2013 19:21:04 GMT)

Message #27 received at 714362-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 714362-close@bugs.debian.org
Subject: Bug#714362: fixed in php-radius 1.2.5-2.3+deb7u1
Date: Thu, 01 Aug 2013 19:17:32 +0000
Source: php-radius
Source-Version: 1.2.5-2.3+deb7u1

We believe that the bug you reported is fixed in the latest version of
php-radius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated php-radius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Jul 2013 14:28:53 +0200
Source: php-radius
Binary: php5-radius php-radius-legacy
Architecture: source all amd64
Version: 1.2.5-2.3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Roberto Lumbreras <rover@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 php-radius-legacy - Radius protocol implementation in PHP
 php5-radius - PECL radius module for PHP 5
Closes: 714362
Changes: 
 php-radius (1.2.5-2.3+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix security issue in radius_get_vendor_attr()
     (CVE-2013-2220, closes: #714362)
Checksums-Sha1: 
 d35d60b0f6a0324d6a2548ac4557061a1f199b05 1437 php-radius_1.2.5-2.3+deb7u1.dsc
 6a7226341c2db3e9f2114fa9d160d86b38b76b9d 29750 php-radius_1.2.5.orig.tar.gz
 a5e2c139a2eca514165303cb37d4f75bbf03465e 11405 php-radius_1.2.5-2.3+deb7u1.diff.gz
 0de631413da7430fec7715367e2fe0aa4ad37c6e 8728 php-radius-legacy_1.2.5-2.3+deb7u1_all.deb
 ee238916cea4d5f46d4c9ff1274fd5cd84e19c74 32862 php5-radius_1.2.5-2.3+deb7u1_amd64.deb
Checksums-Sha256: 
 91c65a99c50d07287a834be4ff2279928745f3124c0bd4aa888a2c5ab366f1ad 1437 php-radius_1.2.5-2.3+deb7u1.dsc
 277fb9ba1dbef9c051b1db435cfd1f4421ebc612de3e6fd5eb9d2ed94639d23f 29750 php-radius_1.2.5.orig.tar.gz
 c0570aedbc5e05e9889b0776b700ed417c6a77583cbf5b7c4d06fd7c0e82516f 11405 php-radius_1.2.5-2.3+deb7u1.diff.gz
 065725a66df0b9d0c02e3ef7ff4c4ac5426883d4d696fe16c3a172be0a4ea1e4 8728 php-radius-legacy_1.2.5-2.3+deb7u1_all.deb
 fbc5a594e256a124562fb4c4b724fe78db31ee6af1026fc6b9c42db037a23c9d 32862 php5-radius_1.2.5-2.3+deb7u1_amd64.deb
Files: 
 674401d00686a35aefdb77c5a316a5ab 1437 web optional php-radius_1.2.5-2.3+deb7u1.dsc
 25d867dab8def71ab1b3e2410491ff4d 29750 web optional php-radius_1.2.5.orig.tar.gz
 c5526dd56d3f55f32b54a6f489633c05 11405 web optional php-radius_1.2.5-2.3+deb7u1.diff.gz
 e0dbc683c37202eb950791524b0f75e7 8728 web optional php-radius-legacy_1.2.5-2.3+deb7u1_all.deb
 064102dcc58e4ae8acdd22a1439edee7 32862 web optional php5-radius_1.2.5-2.3+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJR8St3AAoJEFb2GnlAHawEV0cIAJU741ZgkdJdqoT6qML6efIB
3FukWpkHFXKTNyU7cy9sytGXBqgD2t2YOjAph9UIO0kj1GZowo63WDNZK0hzQNRz
H/eYQ5w43nDDqix0nCx8cTn39XtoMqr6wYjFMgJcmggNKppXVk1676YrOFr4N/Ki
aiOOEKshhV8f8JyHvhWMAeTL454GNwfVi8mvdhKvKvIgx+3ph9CV98R3KhQs3Qsw
imsgL3N+bVZ6HPz05ZIunmSBsUKlqyelBpf/w10JJHwwQAe/HBh4cBueKTOhROUM
/a8OZgw60oofbOtbEErElsNKpo/wEYX4nJncOd7QQTQhQkP2E1OPqm/istykErI=
=BBSU
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 10 Aug 2013 15:51:13 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 10 Aug 2013 15:51:13 GMT)

Message #32 received at 714362-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 714362-close@bugs.debian.org
Subject: Bug#714362: fixed in php-radius 1.2.5-2+squeeze1
Date: Sat, 10 Aug 2013 15:47:29 +0000
Source: php-radius
Source-Version: 1.2.5-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
php-radius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated php-radius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Jul 2013 14:28:53 +0200
Source: php-radius
Binary: php5-radius php-radius-legacy
Architecture: source all amd64
Version: 1.2.5-2+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Roberto Lumbreras <rover@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 php-radius-legacy - Radius protocol implementation in PHP
 php5-radius - PECL radius module for PHP 5
Closes: 714362
Changes: 
 php-radius (1.2.5-2+squeeze1) squeeze-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix security issue in radius_get_vendor_attr()
     (CVE-2013-2220, closes: #714362)
Checksums-Sha1: 
 165466678c811caf48b75bfb6e8638240fd9f0f1 1434 php-radius_1.2.5-2+squeeze1.dsc
 b95e150665ba9adb3c0150a752cc8fec2200d1b5 10422 php-radius_1.2.5-2+squeeze1.diff.gz
 3f971a0400fc64558200cb242bedc36ce0e0a838 8364 php-radius-legacy_1.2.5-2+squeeze1_all.deb
 51985563d6231c9d0c6eefdf936fe66b73f43d5d 31640 php5-radius_1.2.5-2+squeeze1_amd64.deb
Checksums-Sha256: 
 5af99fe18536a125b5bccb636b8c73636da93671f55bc53f30c7c20d4f1f046a 1434 php-radius_1.2.5-2+squeeze1.dsc
 ddbcf569d226609c99a16cbf9b90639fee695af722cfe0f8a36cc408f70d6c9f 10422 php-radius_1.2.5-2+squeeze1.diff.gz
 c46b6134962646e342a3165eb6938d74169ed98a2a5717dc965c563d3e4ae2a4 8364 php-radius-legacy_1.2.5-2+squeeze1_all.deb
 ea0bcd7dd76240db2f1134cc1b1f7a522cb7ac1b1ff9740e04568616ded92457 31640 php5-radius_1.2.5-2+squeeze1_amd64.deb
Files: 
 70987d3c459a6e62667df128f1f5199f 1434 web optional php-radius_1.2.5-2+squeeze1.dsc
 dce2ca876c588d4ddfd6fd64ad075261 10422 web optional php-radius_1.2.5-2+squeeze1.diff.gz
 0ca8aeef996b4181cf9601ff67c798b8 8364 web optional php-radius-legacy_1.2.5-2+squeeze1_all.deb
 7a5909e513a4d5f3d4b278316e862cdb 31640 web optional php5-radius_1.2.5-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJR8TJDAAoJEFb2GnlAHawE3KgH/R+XYwDFlbRjdfjInUi2ggW6
ZsXEH3O2s6rgbPmvDe5jOI9ArOpQUBZ3oNCOfW/fRT1AwUB2am6JDKxCP+PTyS8B
PpNpV96ZxIjQyVBM0vpBPp8fPmtY0EkeBdwlaltH9tPXOLEbf11YzevDwTtvTcsC
FR6JQdQWIabvwSGRs+d5H4TJcy/FZzG5nCMuGf3WQIbIYos6vVuOXAg6/gev8bQc
Xj2VSGkQlS/TjCxToM2lP7FzDpIgxH33j0W6ABW2+gOhXzQFV9/deGLXDDeA4fK1
SY3xwVsdGsixiMedB/HKJ4T+/LCzt0qQeRytP/jNDZ7XJFndqbAxrcUkhGu2Z8M=
=qEfn
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:33:20 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:39:36 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.