Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi

libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in buster as well. A while ago Utkarsh Gupta prepared a QA update for unstable. libpam-radius-auth should not be included in bullseye if there is no active maintainer, but for stable we can fix the CVE based on the upload in unstable (minus the packaging changes). Attached is the debdiff.

Can it be included in the next buster point release?

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog --- libpam-radius-auth-1.4.0/debian/changelog 2018-09-05 21:44:07.000000000 +0200 +++ libpam-radius-auth-1.4.0/debian/changelog 2020-07-11 21:24:48.000000000 +0200 @@ -1,3 +1,21 @@ +libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium + + * Rebuild for buster. + * Revert packaging changes: + - Lower Standards-Version to 4.2.0 + - Lower Debhelper compat level to 11 + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 11 Jul 2020 21:24:48 +0200 + +libpam-radius-auth (1.4.0-3) unstable; urgency=medium + + * QA upload + * Add patch to fix buffer overflow in password field. + (Fixes: CVE-2015-9542) (Closes: #951396) + * Bump Standards-Version to 4.5.0 and dh-compat to 12 + + -- Utkarsh Gupta <utka...@debian.org> Fri, 21 Feb 2020 15:47:11 +0530 + libpam-radius-auth (1.4.0-2) unstable; urgency=medium * QA upload. diff -Nru libpam-radius-auth-1.4.0/debian/control libpam-radius-auth-1.4.0/debian/control --- libpam-radius-auth-1.4.0/debian/control 2018-09-05 21:44:07.000000000 +0200 +++ libpam-radius-auth-1.4.0/debian/control 2020-02-21 11:17:11.000000000 +0100 @@ -2,8 +2,8 @@ Maintainer: Debian QA Group <packa...@qa.debian.org> Section: admin Priority: optional -Standards-Version: 4.2.0 -Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 11) +Standards-Version: 4.5.0 +Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 12) Rules-Requires-Root: no Homepage: https://www.freeradius.org/pam_radius_auth/ diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix --- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 1970-01-01 01:00:00.000000000 +0100 +++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 2020-02-21 10:52:32.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: This patch fixes CVE-2015-9542. +Author: Justin Standring <m...@justinstandring.com> +Author: Utkarsh Gupta <utka...@debian.org> +Bug-Debian: https://bugs.debian.org/951396 +Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec +Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d +Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677 +Last-Update: 2020-02-21 + +--- a/src/pam_radius_auth.c ++++ b/src/pam_radius_auth.c +@@ -528,6 +528,9 @@ + length = MAXPASS; + } + ++ memcpy(hashed, password, length); ++ memset(hashed + length, 0, sizeof(hashed) - length); ++ + if (length == 0) { + length = AUTH_PASS_LEN; /* 0 maps to 16 */ + } if ((length & (AUTH_PASS_LEN - 1)) != 0) { +@@ -535,9 +538,6 @@ + length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ + } /* 16*N maps to itself */ + +- memset(hashed, 0, length); +- memcpy(hashed, password, strlen(password)); +- + attr = find_attribute(request, PW_PASSWORD); + + if (type == PW_PASSWORD) { diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series --- libpam-radius-auth-1.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libpam-radius-auth-1.4.0/debian/patches/series 2020-02-21 11:13:05.000000000 +0100 @@ -0,0 +1 @@ +CVE-2015-9542.fix
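Review bot: the debian/changelog hunk and the debian/control hunk contradict each other. The 1.4.0-3~deb10u1 entry says "Revert packaging changes: Lower Standards-Version to 4.2.0 / Lower Debhelper compat level to 11", yet the control hunk still carries `-Standards-Version: 4.2.0` / `+Standards-Version: 4.5.0` and `debhelper-compat (= 11)` → `debhelper-compat (= 12)`. Since the cover mail says the stable update is the unstable upload "minus the packaging changes", the debdiff should be regenerated against 1.4.0-2 so that debian/control is untouched and only debian/patches/CVE-2015-9542.fix and debian/patches/series are added; as attached, the changelog describes a revert that the diff does not contain.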
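Review bot: in the CVE-2015-9542.fix hunk, the new `memset(hashed + length, 0, sizeof(hashed) - length);` is only correct if `hashed` is a fixed-size array; if it were a pointer, `sizeof(hashed)` would be the pointer size and the subtraction would wrap to a huge value. The declaration is outside the hunk context, so it is worth confirming in the buster copy of src/pam_radius_auth.c before upload. The relocation itself is the right fix for the overflow: the removed `memcpy(hashed, password, strlen(password));` copied the whole password regardless of the clamp visible in the context (`length = MAXPASS;`), whereas the added copy uses the clamped `length` and zero-fills the remainder, which also guarantees the padding bytes are zero after `length` is rounded up to a multiple of AUTH_PASS_LEN. One DEP-3 nit: `Description: This patch fixes CVE-2015-9542.` should state what the change does (bound the password copy into `hashed` to the clamped length) rather than only the CVE number.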