Hi,

On Sat, Jul 11, 2020 at 09:35:32PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Hi
>
> libpam-radius-auth is affected by CVE-2015-9542 (cf. #951396) in
> buster as well. A while ago Utkarsh Gupta prepared a QA update for
> unstable.
>
> libpam-radius-pam should not be included in bullseye if there is no
> active maintainer, but for stable we can fix the CVE based on the
> upload in unstable (minus the packaging changes).
>
> Attached the debdiff.
The correct debdiff attached now (with the packaging changes reverted).

Regards,
Salvatore
diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog --- libpam-radius-auth-1.4.0/debian/changelog 2018-09-05 21:44:07.000000000 +0200 +++ libpam-radius-auth-1.4.0/debian/changelog 2020-07-11 21:24:48.000000000 +0200 @@ -1,3 +1,21 @@ +libpam-radius-auth (1.4.0-3~deb10u1) buster; urgency=medium + + * Rebuild for buster. + * Revert packaging changes: + - Lower Standards-Version to 4.2.0 + - Lower Debhelper compat level to 11 + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 11 Jul 2020 21:24:48 +0200 + +libpam-radius-auth (1.4.0-3) unstable; urgency=medium + + * QA upload + * Add patch to fix buffer overflow in password field. + (Fixes: CVE-2015-9542) (Closes: #951396) + * Bump Standards-Version to 4.5.0 and dh-compat to 12 + + -- Utkarsh Gupta <utka...@debian.org> Fri, 21 Feb 2020 15:47:11 +0530 + libpam-radius-auth (1.4.0-2) unstable; urgency=medium * QA upload. diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix --- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 1970-01-01 01:00:00.000000000 +0100 +++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 2020-02-21 10:52:32.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: This patch fixes CVE-2015-9542. +Author: Justin Standring <m...@justinstandring.com> +Author: Utkarsh Gupta <utka...@debian.org> +Bug-Debian: https://bugs.debian.org/951396 +Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec +Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d +Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677 +Last-Update: 2020-02-21 + +--- a/src/pam_radius_auth.c ++++ b/src/pam_radius_auth.c +@@ -528,6 +528,9 @@ + length = MAXPASS; + } + ++ memcpy(hashed, password, length); ++ memset(hashed + length, 0, sizeof(hashed) - length); ++ + if (length == 0) { + length = AUTH_PASS_LEN; /* 0 maps to 16 */ + } if ((length & (AUTH_PASS_LEN - 1)) != 0) { +@@ -535,9 +538,6 @@ + length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ + } /* 16*N maps to itself */ + +- memset(hashed, 0, length); +- memcpy(hashed, password, strlen(password)); +- + attr = find_attribute(request, PW_PASSWORD); + + if (type == PW_PASSWORD) { diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series --- libpam-radius-auth-1.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libpam-radius-auth-1.4.0/debian/patches/series 2020-02-21 11:13:05.000000000 +0100 @@ -0,0 +1 @@ +CVE-2015-9542.fix
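Review bot: in the debian/changelog hunk, the `1.4.0-3~deb10u1` stanza only records "Rebuild for buster" and the two reverted packaging changes, while the actual functional change of this upload (the CVE-2015-9542 patch, Closes: #951396) is visible solely in the inherited `1.4.0-3` stanza; since this debdiff against the buster source touches only debian/changelog and debian/patches/, consider stating in the `~deb10u1` stanza that the only source change is the security patch, so the stable changelog is self-explanatory without reading the unstable entry.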
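Review bot: in the debian/patches/CVE-2015-9542.fix hunk, the fix is sound as far as the visible lines go, but two things should be confirmed against the full file before accepting. The removed code did `memcpy(hashed, password, strlen(password))` after `length` had been capped at MAXPASS, so the cap never applied to the copy and an over-long password overran `hashed`; the new `memcpy(hashed, password, length)` copies at most MAXPASS bytes, which is the actual fix. However, the new `memset(hashed + length, 0, sizeof(hashed) - length)` is only correct if `hashed` is declared as a fixed-size array in this function (with a pointer, `sizeof(hashed)` would be the pointer size and the subtraction would wrap), and because the copy now happens before `length` is rounded up to the next multiple of AUTH_PASS_LEN, the zero-fill must reach at least that rounded length, i.e. `sizeof(hashed)` must be at least MAXPASS rounded up to 16; neither declaration is in the hunk, so please verify both. Also, the DEP-3 `Description:` line says only "This patch fixes CVE-2015-9542"; a sentence such as "memcpy copied strlen(password) bytes into a fixed-size buffer, ignoring the MAXPASS cap; copy the capped length and zero the remainder" would make the patch reviewable on its own.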