Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 625410 (CVE-2017-10978, CVE-2017-10979, CVE-2017-10980, CVE-2017-10981, CVE-2017-10982, CVE-2017-10983, CVE-2017-10984, CVE-2017-10985, CVE-2017-10986, CVE-2017-10987, CVE-2017-10988)

Summary: <net-dialup/freeradius-3.0.15: multiple DoS vulnerabilities
Product: Gentoo Security Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: maintainer-needed
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://freeradius.org/security/fuzzer-2017.html
See Also: https://github.com/gentoo/gentoo/pull/6206
https://github.com/gentoo/gentoo/pull/7028
Whiteboard: B3 [noglsa cve]
Package list:
net-dialup/freeradius-3.0.15
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-17 14:00:30 UTC
From $URL:

"FreeRADIUS is the most widely deployed RADIUS server in the world. It
is the basis for multiple commercial offerings. It supplies the AAA
needs of many Fortune-500 companies and Tier 1 ISPs. "
(http://freeradius.org)

FreeRADIUS asked me to fuzz their DHCP and RADIUS packet parsers in
version 3.0.x (stable branch) and version 2.2.x (EOL, but receives
security updates). 11 distinct issues that can be triggered remotely
were found.

The following is excerpted from
freeradius.org/security/fuzzer-2017.html which I advise you to consult
for more detailed descriptions of the issues at hand.

"There are about as many issues disclosed in this page as in the
previous ten years combined."

v2, v3: CVE-2017-10978. No remote code execution is possible. A denial
of service is possible.
v2: CVE-2017-10979. Remote code execution is possible. A denial of
service is possible.
v2: CVE-2017-10980. No remote code execution is possible. A denial of
service is possible.
v2: CVE-2017-10981. No remote code execution is possible. A denial of
service is possible.
v2: CVE-2017-10982. No remote code execution is possible. A denial of
service is possible.
v2, v3: CVE-2017-10983. No remote code execution is possible. A denial
of service is possible.
v3: CVE-2017-10984. Remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10985. No remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10986. No remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10987. No remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10988. No remote code execution is possible. No denial of
service is possible. Exploitation does not cross a privilege boundary
in a correct and realistic product deployment.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 13:12:13 UTC
From URL:

In June 2017, Guido Vranken found a number of issues with OpenVPN. One issue was a slow memory leak due to mis-use of the OpenSSL API. He contacted us to say that FreeRADIUS had the same issue as OpenVPN. We fixed that issue immediately in the the v2.x.x branch, and also fixed it in the v3.0.x branch, and the v4.0.x branch. The v3.1.x branch is unsupported, and has been deleted. Similarly, we do not discuss the v0 or v1 releases, as those are end of life and unsupported.
Comment 2 Pacho Ramos gentoo-dev 2017-11-09 16:27:22 UTC
isn't this solved stabilizing 3.0.15? I think that version fixes this
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-12 15:40:56 UTC
B2 because there are some write issues.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-12 22:04:17 UTC
(In reply to Agostino Sarubbo from comment #3)
> B2 because there are some write issues.

Did you actually read the CVEs?
Comment 5 Agostino Sarubbo gentoo-dev 2017-11-12 23:11:45 UTC
amd64 stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-11-13 00:50:55 UTC
x86 stable

Last arch.


@ Maintainer(s): Please cleanup and drop =net-dialup/freeradius-3.0.14!
Comment 7 Larry the Git Cow gentoo-dev 2017-11-15 12:07:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab4cddf3a9a969fac7236dff8e61f4c4b05eb36e

commit ab4cddf3a9a969fac7236dff8e61f4c4b05eb36e
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2017-11-15 12:06:41 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2017-11-15 12:06:50 +0000

    net-dialup/freeradius: remove vulnerable 3.0.14
    
    Bug: https://bugs.gentoo.org/625410
    Package-Manager: Portage-2.3.8, Repoman-2.3.4

 net-dialup/freeradius/Manifest                 |   1 -
 net-dialup/freeradius/freeradius-3.0.14.ebuild | 225 -------------------------
 2 files changed, 226 deletions(-)}
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-15 14:15:49 UTC
GLSA Vote: No

Thank you all.