Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1119085,
regarding trixie-pu: package openvpn-auth-radius/2.1-9+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119085
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:openvpn-auth-radius
User: [email protected]
Usertags: pu
Hello,
I have uploaded openvpn-auth-radius 2.1-9+deb13u1 for inclusion in
trixie.
Samuel
[ Reason ]
As reported on #1118479, the version in trixie of openvpn-auth-radius
introduced a use-after-free, which in a hardened environment makes it
completely non-working, while it was working in debian 12.
[ Impact ]
I hadn't noticed the issue in my testing environment, but the reporter
of #1118479 ended up in a completely non-working situation.
[ Tests ]
This was tested manually by the reporter.
[ Risks ]
The code is very trivial, it just extends the liveness of the underlying
string.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
server->getSharedSecret().c_str() doesn't work because the string
returned by getSharedSecret can actually be thrown away before we use
the secret. Storing the string extends its liveness so the char*
returned by c_str() can be read safely.
diff -Nru openvpn-auth-radius-2.1/debian/changelog
openvpn-auth-radius-2.1/debian/changelog
--- openvpn-auth-radius-2.1/debian/changelog 2024-10-20 17:28:08.000000000
+0200
+++ openvpn-auth-radius-2.1/debian/changelog 2025-10-26 18:28:22.000000000
+0100
@@ -1,3 +1,10 @@
+openvpn-auth-radius (2.1-9+deb13u1) trixie; urgency=medium
+
+ * patches/0008-authenticate-fix: Fix packet authentication
+ (Closes: Bug#1118479)
+
+ -- Samuel Thibault <[email protected]> Sun, 26 Oct 2025 18:28:22 +0100
+
openvpn-auth-radius (2.1-9) unstable; urgency=medium
* QA upload.
diff -Nru openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix
openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix
--- openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix
1970-01-01 01:00:00.000000000 +0100
+++ openvpn-auth-radius-2.1/debian/patches/0008-authenticate-fix
2025-10-21 00:11:25.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix RADIUS Packet Authentication use-after-free
+ The BLASTRadius vulnerability mitigation introduced a use-after-free
+ in the RadiusPacket::authenticateReceivedPacket method.
+ This fix prevents use-after-free by assigning the string to a
+ variable before relying on the c_str result.
+Author: Martin Rampersad <[email protected]>
+Last-Update: 2025-10-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/RadiusClass/RadiusPacket.cpp
++++ b/RadiusClass/RadiusPacket.cpp
+@@ -706,7 +706,8 @@
+
+ int RadiusPacket::authenticateReceivedPacket(RadiusServer *server)
+ {
+- const char *secret = server->getSharedSecret().c_str();
++ string secretString = server->getSharedSecret();
++ const char *secret = secretString.c_str();
+ gcry_md_hd_t context;
+ int res;
+
diff -Nru openvpn-auth-radius-2.1/debian/patches/series
openvpn-auth-radius-2.1/debian/patches/series
--- openvpn-auth-radius-2.1/debian/patches/series 2024-10-20
17:27:15.000000000 +0200
+++ openvpn-auth-radius-2.1/debian/patches/series 2025-10-21
00:11:25.000000000 +0200
@@ -5,3 +5,4 @@
40_use_cppflags.diff
0006-Support-verify-client-cert-directive-in-openvpn-2.4.patch
0007-RadiusBLAST
+0008-authenticate-fix
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2
Hi,
The updates referenced in each of these bugs were included in today's
13.2 trixie point release.
Regards,
Adam
--- End Message ---
