diff -u freeradius-1.1.0/debian/patches/00list freeradius-1.1.0/debian/patches/00list
--- freeradius-1.1.0/debian/patches/00list
+++ freeradius-1.1.0/debian/patches/00list
@@ -6,0 +7,2 @@
+20_CVE-2006-1354.dpatch
+21_CVE-2007-2028.dpatch
diff -u freeradius-1.1.0/debian/changelog freeradius-1.1.0/debian/changelog
--- freeradius-1.1.0/debian/changelog
+++ freeradius-1.1.0/debian/changelog
@@ -1,3 +1,18 @@
+freeradius (1.1.0-1ubuntu2.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: possible EAP-MSCHAPv2 authentication bypass (LP:
+ #164000) and denial of service in EAP-TTLS module (LP: #106006).
+ * debian/patches/20_CVE-2006-1354.dpatch: Properly validate input, to ensure
+ that bad authentication requests are rejected. Patch from upstream CVS.
+ * debian/patches/21_CVE-2007-2028.dpatch: Properly free VALUE_PAIR
+ structures on rejected authentication, to avoid memory leaks. Patch from
+ Red Hat Bugzilla.
+ * References
+ CVE-2006-1354
+ CVE-2007-2028
+
+ -- William Grant Tue, 20 Nov 2007 19:26:16 +1100
+
 freeradius (1.1.0-1ubuntu2) dapper; urgency=low
 
 * Init script makes sure /var/run/freeradius exists and is owned by the
only in patch2:
unchanged:
--- freeradius-1.1.0.orig/debian/patches/21_CVE-2007-2028.dpatch
+++ freeradius-1.1.0/debian/patches/21_CVE-2007-2028.dpatch
@@ -0,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 21_CVE-2007-2028.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2007-2028, patch from RHEL Bugzilla.
+
+@DPATCH@
+diff -urNad freeradius-1.1.0~/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+--- freeradius-1.1.0~/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2005-06-04 03:13:58.000000000 +1000
++++ freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2007-11-20 19:19:39.000000000 +1100
+@@ -255,6 +255,7 @@
+ DEBUG2(" rlm_eap_ttls: Invalid length attribute %d",
+ attr);
+ pairfree(&first);
++ pairfree(&vp);
+ return NULL;
+ }
+ memcpy(&vp->lvalue, data, vp->length);
+@@ -270,6 +271,7 @@
+ DEBUG2(" rlm_eap_ttls: Invalid length attribute %d",
+ attr);
+ pairfree(&first);
++ pairfree(&vp);
+ return NULL;
+ }
+ memcpy(&vp->lvalue, data, vp->length);
+@@ -340,6 +342,7 @@
+ (vp->length > 16)) {
+ DEBUG2(" TTLS: Tunneled challenge has invalid length");
+ pairfree(&first);
++ pairfree(&vp);
+ return NULL;
+
+ } else {
+@@ -353,6 +356,7 @@
+ if (challenge[i] != vp->strvalue[i]) {
+ DEBUG2(" TTLS: Tunneled challenge is incorrect");
+ pairfree(&first);
++ pairfree(&vp);
+ return NULL;
+ }
+ }
only in patch2:
unchanged:
--- freeradius-1.1.0.orig/debian/patches/20_CVE-2006-1354.dpatch
+++ freeradius-1.1.0/debian/patches/20_CVE-2006-1354.dpatch
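Review bot: Each of the four ttls.c hunks inside this dpatch adds `pairfree(&vp);` directly after `pairfree(&first);`, which is only correct if `vp` has not yet been linked into the list headed by `first` at those points; the linking step is not visible in any of the hunks, so please confirm it happens after these validation checks, otherwise the added call would free `vp` a second time. The error path `pairfree(&first); pairfree(&vp); return NULL;` is now repeated verbatim at four sites, which is precisely how the leak the changelog describes was missed in the first place; a single error label at the end of the function that performs both frees and returns NULL would make the next validation check harder to get wrong. A short comment at the first site, `/* vp is not yet on the list headed by first, so free it separately */`, would also record why both frees are needed. The enclosing function starts and ends outside these hunks.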
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_CVE-2006-1354.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2006-1354, patch from upstream CVS.
+
+@DPATCH@
+diff -urNad freeradius-1.1.0~/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+--- freeradius-1.1.0~/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c 2004-04-20 06:15:30.000000000 +1000
++++ freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c 2007-11-20 18:36:03.000000000 +1100
+@@ -449,6 +449,11 @@
+ break;
+
+ case PW_EAP_MSCHAPV2_SUCCESS:
++ if (data->code != PW_EAP_MSCHAPV2_SUCCESS) {
++ radlog(L_ERR, "rlm_eap_mschapv2: Unexpected success received");
++ return 0;
++ }
++
+ /*
+ * It's a success. Don't proxy it.
+ */
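Review bot: The new `if (data->code != PW_EAP_MSCHAPV2_SUCCESS)` guard is added only under `case PW_EAP_MSCHAPV2_SUCCESS:`; the other `case` labels of this switch lie outside the hunk and presumably need the same comparison against the code the server last sent, since a state check applied to one branch only still leaves the handler's state machine enforced inconsistently. The guard also depends on `data->code` being updated each time the server sends a packet, which is not visible here and is worth confirming. The rejection message carries no detail for an operator correlating the event; `radlog(L_ERR, "rlm_eap_mschapv2: Unexpected success received (expected code %d)", data->code);` would help, assuming `data->code` is an integer type. The enclosing switch and function start and end outside the hunk.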