Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 34424 - FreeRADIUS <= 0.9.3 rlm_smb module stack overflow vulnerability
Summary: FreeRADIUS <= 0.9.3 rlm_smb module stack overflow vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-11-26 09:59 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
koon: Assigned_To? (koon)

Attachments
Fix for the rlm_smb vulnerability (smblib.c.diff,690 bytes, patch)
2004-04-03 03:12 UTC, Thierry Carrez (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2003-11-26 09:59:56 UTC 
http://www.s-quadra.com/advisories/Adv-20031126.txt

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-04-01 08:26:38 UTC 
Fix is in freeradius CVS, I am trying to get it for inclusion in our 0.9.3 ebuild.
-K
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-04-03 03:12:24 UTC 
Created attachment 28611 [details, diff]
Fix for the rlm_smb vulnerability

This is the (trivial) fix extracted from FreeRadius CVS.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-04-03 03:20:08 UTC 
Can someone from the net-dialup herd include this fix in a freeradius-0.9.3-r1 ebuild ?

Thanks in advance,
-K
Comment 4 Heinrich Wendel (RETIRED) gentoo-dev 2004-04-03 05:20:58 UTC 
added in freeradius-0.9.3-r1 and marked stable
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-04-03 09:44:16 UTC 
Thanks Heinrich for the quick fix.

Vulnerability is an old one and appears in an experimental module, compiled only if you USE=frxp. Also given the unfortunate delay in resolution, a GLSA is probably not needed for this one.

Closing without GLSA.
-K