Bug#: 174292
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>

Description:   Opened: 2007-04-12 15:46 0000
A security issue has been reported in FreeRADIUS, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The security issue is caused due to a memory leak (ca. 300 bytes) within the
handling of certain malformed Diameter format values inside an EAP-TTLS tunnel.
This can be exploited to exhaust all available memory by sending a large number
of malformed authentication requests to a vulnerable server.

The security issue is reported in versions prior to 1.1.6.

net-dialup, please advise.

------- Comment #1 From Pierre-Yves Rofes 2007-04-12 15:46:57 0000 -------
setting status.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-04-12 16:32:42 0000 -------
http://www.freeradius.org/security.html

2007.04.10 v1.1.5, and earlier - A malicious 802.1x supplicant could send
malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server
would reject the authentication request, but would leak one VALUE_PAIR data
structure, of approximately 300 bytes. If an attacker performed the attack many
times (e.g. thousands or more over a period of minutes to hours), the server
could leak megabytes of memory, potentially leading to an "out of memory"
condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project.
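
The bug class described in the advisory above, as an added illustration that is not FreeRADIUS code: a pair is allocated before the Diameter-format AVP is validated, and the reject path forgets it. `pair_t`, `parse_avps`, `survives` and the 64-slot pool (an assumption that stands in for process memory so exhaustion is observable) are hypothetical names, and the byte strings are constructed samples.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a VALUE_PAIR; not the FreeRADIUS definition. */
typedef struct pair { uint32_t code; size_t len; uint8_t data[253]; struct pair *next; } pair_t;
#define POOL 64                       /* assumption: a small pool models process memory */
static pair_t pool[POOL]; static uint8_t in_use[POOL];

static pair_t *pair_alloc(void) {
    for (int i = 0; i < POOL; i++)
        if (!in_use[i]) { in_use[i] = 1; memset(&pool[i], 0, sizeof pool[i]); return &pool[i]; }
    return NULL;                      /* pool exhausted: the "out of memory" condition */
}
static void pair_free(pair_t *p) { while (p) { pair_t *n = p->next; in_use[p - pool] = 0; p = n; } }

/* Decode one Diameter-format AVP: code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4. */
static int decode_one(const uint8_t *p, size_t avail, pair_t *vp, size_t *used) {
    if (avail < 8) return -1;                           /* truncated header */
    size_t hdr = (p[4] & 0x80) ? 12 : 8;                /* V flag adds a vendor-id */
    size_t alen = ((size_t)p[5] << 16) | ((size_t)p[6] << 8) | p[7];
    if (alen < hdr || alen > avail || alen - hdr > sizeof vp->data) return -1;
    vp->code = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    vp->len = alen - hdr;
    memcpy(vp->data, p + hdr, vp->len);
    *used = (alen + 3) & ~(size_t)3;                    /* may step past the end; the loop then stops */
    return 0;
}

/* fixed == 0 reproduces the leak pattern: the rejected, not-yet-linked pair is never released. */
pair_t *parse_avps(const uint8_t *buf, size_t len, int fixed) {
    pair_t *head = NULL, **tail = &head;
    for (size_t off = 0, used = 0; off < len; off += used) {
        pair_t *vp = pair_alloc();                      /* allocated before validation */
        if (!vp || decode_one(buf + off, len - off, vp, &used) < 0) {
            if (fixed) pair_free(vp);                   /* corrected path frees the in-progress pair */
            pair_free(head);                            /* both variants free the pairs already linked */
            return NULL;                                /* the request is rejected either way */
        }
        *tail = vp; tail = &vp->next;
    }
    return head;
}

/* Constructed inputs: a valid AVP (code 1, data "user") and one whose length (4) is below the header size. */
static const uint8_t SAMPLE_GOOD[] = { 0,0,0,1, 0x40,0,0,12, 'u','s','e','r' };
static const uint8_t SAMPLE_BAD[]  = { 0,0,0,2, 0x40,0,0,4 };

/* Returns 1 if a valid request is still accepted after `attempts` malformed ones. */
int survives(int fixed, int attempts) {
    memset(in_use, 0, sizeof in_use);                   /* fresh "process" for each run */
    for (int i = 0; i < attempts; i++) parse_avps(SAMPLE_BAD, sizeof SAMPLE_BAD, fixed);
    return parse_avps(SAMPLE_GOOD, sizeof SAMPLE_GOOD, fixed) != NULL;
}
```

With the leaky path, each rejected request pins one slot, so a valid request fails once the pool is full; with the corrected path the count of malformed requests no longer matters.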

------- Comment #3 From Alin Năstac 2007-04-12 18:50:46 0000 -------
freeradius-1.1.6 has been committed.
Arches, please mark it as stable.

------- Comment #4 From Pierre-Yves Rofes 2007-04-12 18:58:33 0000 -------
mrness: is there a specific issue for not including ppc and sparc?

------- Comment #5 From Peter Weller 2007-04-12 19:21:07 0000 -------
amd64 done

------- Comment #6 From Christian Faulhammer 2007-04-12 20:21:12 0000 -------
x86 stable

------- Comment #7 From Raphael Marichez 2007-04-12 20:32:48 0000 -------
I vote for a GLSA since a DoS on FreeRadius is in fact a DoS on the whole
system(s) that is under its control.

------- Comment #8 From Alin Năstac 2007-04-12 21:03:25 0000 -------
(In reply to comment #4)
> mrness: is there a specific issue for not including ppc and sparc?

None of the freeradius versions have stable ppc or sparc keywords.
Arches add keywords, not maintainers.

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-04-13 07:08:45 0000 -------
I vote YES, let's have a GLSA on this one. Though we should note that only users
using EAP-TTLS seem to be affected.

------- Comment #10 From Raphael Marichez 2007-04-17 22:49:50 0000 -------
GLSA 200704-14, thanks p-y and everybody
