Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710728 (CVE-2015-9542) - sys-auth/pam_radius: buffer overflow in password field (CVE-2015-9542)
Summary: sys-auth/pam_radius: buffer overflow in password field (CVE-2015-9542)
Status: RESOLVED FIXED
Alias: CVE-2015-9542
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [ebuild masked cve]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2020-02-24 23:54 UTC by GLSAMaker/CVETool Bot
Modified: 2020-10-30 01:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-24 23:54:46 UTC
CVE-2015-9542 (https://nvd.nist.gov/vuln/detail/CVE-2015-9542):
  add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correctly
  check the length of the input password, and is vulnerable to a stack-based
  buffer overflow during memcpy(). An attacker could send a crafted password
  to an application (loading the pam_radius library) and crash it. Arbitrary
  code execution might be possible, depending on the application, C library,
  compiler, and other factors.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2020-05-22 01:33:43 UTC
Readjusting Whiteboard - Not stable in tree
Comment 2 Larry the Git Cow gentoo-dev 2020-08-04 02:43:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f55bc46ee3db205ba4923a067e27d9ac4d548ea

commit 6f55bc46ee3db205ba4923a067e27d9ac4d548ea
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-03 07:57:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-04 02:43:10 +0000

    profiles/package.mask: last-rite sys-auth/pam_radius
    
    Bug: https://bugs.gentoo.org/710728
    Bug: https://bugs.gentoo.org/588606
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-30 01:52:11 UTC
Package was dropped 20200904.