Bug 434802 (CVE-2012-3547) - <net-dialup/freeradius-2.2.0: buffer overflow vulnerability (CVE-2012-3547)
Summary: <net-dialup/freeradius-2.2.0: buffer overflow vulnerability (CVE-2012-3547)
Status: RESOLVED FIXED
Alias: CVE-2012-3547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.pre-cert.de/advisories/PRE...
Whiteboard: B2 [glsa]
Blocks: CVE-2011-2701
Reported: 2012-09-12 07:41 UTC by Stefan Sakalik
Modified: 2013-11-13 11:58 UTC

Attachments
Patch to CVE-2012-3547 (freeradius-2.1.10-cve2012-3547.patch, 591 bytes, patch)
2012-09-12 07:45 UTC, Stefan Sakalik

Description Stefan Sakalik 2012-09-12 07:41:44 UTC
A critical bug in freeradius-2.1.11-r1 (newest unmasked to date) allows arbitrary code to be executed on the server.

Reproducible: Always
Comment 1 Stefan Sakalik 2012-09-12 07:45:25 UTC
Created attachment 323580
Patch to CVE-2012-3547

This patch is inspired by the git fix in git://git.freeradius.org/freeradius-server.git, commit 684dce7da5fd078. Works with freeradius-2.1.11-r1.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-09-19 01:51:57 UTC
CVE-2012-3547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3547):
  Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS
  2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote
  attackers to cause a denial of service (server crash) and possibly execute
  arbitrary code via a long "not after" timestamp in a client certificate.
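
The bug class named in the CVE text above, a length-prefixed certificate time field copied into a fixed stack buffer, shown with the bounds check that prevents it. This is an added illustration, not FreeRADIUS code or the attached patch; `struct cert_time`, `copy_cert_time`, `try_length` and `TIME_BUF_LEN` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#define TIME_BUF_LEN 64  /* assumed size of the fixed stack buffer */

/* Hypothetical stand-in for a length-prefixed certificate time field:
 * not NUL-terminated, length taken from the peer's certificate. */
struct cert_time {
    int length;
    const unsigned char *data;
};

/* Copy the field into dst as a C string. Returns 0 on success, -1 if the
 * field is missing, negative in length, or does not fit with its NUL. */
int copy_cert_time(char *dst, size_t dst_size, const struct cert_time *t)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (t == NULL || t->data == NULL || t->length < 0)
        return -1;
    /* The overflow pattern is memcpy(dst, t->data, t->length) with no
     * comparison against dst_size. Reject rather than truncate, since a
     * truncated timestamp would parse as a different time. */
    if ((size_t)t->length >= dst_size)
        return -1;
    memcpy(dst, t->data, (size_t)t->length);
    dst[t->length] = '\0';
    return 0;
}

/* Constructed sample: a field claiming `length` digit bytes, copied into
 * a TIME_BUF_LEN stack buffer. Returns copied length, or -1 if refused.
 * Oversized lengths are refused before any byte of sample is read. */
int try_length(int length)
{
    static unsigned char sample[256];
    char buf[TIME_BUF_LEN];
    struct cert_time t;
    memset(sample, '9', sizeof(sample));
    t.length = length;
    t.data = sample;
    if (copy_cert_time(buf, sizeof(buf), &t) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    printf("13 -> %d, 200 -> %d\n", try_length(13), try_length(200));
    return 0;
}
```
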
Comment 3 Anton Bolshakov 2012-09-21 13:33:29 UTC
Just in case you want to bump freeradius-2.2.0 at the same time, you need to add the following:

< 	econf --disable-static --disable-ltdl-install --with-system-libtool \
---
> 	econf --disable-static --disable-ltdl-install --with-system-libtool --with-system-libltdl \

It won't compile without the "--with-system-libltdl" option.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-09-30 04:13:09 UTC
Okay I'm going to look into these and most likely fix them with 2.2.0.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-09-30 07:10:18 UTC
2.2.0 is in. You can probably proceed from here, can't be worse than the current stable...
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-30 21:56:32 UTC
(In reply to comment #5)
> 2.2.0 is in. You can probably proceed from here, can't be worse than the
> current stable...

Thanks, Diego.

Arches, please test and mark stable: =net-dialup/freeradius-2.2.0
Comment 7 Andreas Schürch gentoo-dev 2012-10-02 09:58:45 UTC
x86 done.
Comment 8 Agostino Sarubbo gentoo-dev 2012-10-03 10:29:53 UTC
amd64 stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-03 11:11:39 UTC
Thanks, everyone.

GLSA draft is ready for review.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-11-13 11:58:55 UTC
This issue was resolved and addressed in
 GLSA 201311-09 at http://security.gentoo.org/glsa/glsa-201311-09.xml
by GLSA coordinator Sergey Popov (pinkbyte).