fix CVE-2022-41860 and CVE-2022-41861
new file: CVE-2022-41859-pre.patch new file: CVE-2022-41859.patch new file: CVE-2022-41860.patch new file: CVE-2022-41861.patch modified: freeradius.spec modified: freeradius.spec modified: freeradius.spec modified: freeradius.spec (cherry picked from commit 76fbd755f76224e624ce068f9d556633fcfda6ca)
This commit is contained in:
peng2285
openeuler-sync-bot
parent
7e1a016c94
commit
da62b8d7f1
109
CVE-2022-41860.patch
Normal file
109
CVE-2022-41860.patch
Normal file
@ -0,0 +1,109 @@
|
||||
From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
|
||||
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||
Date: Mon, 7 Feb 2022 22:26:05 -0500
|
||||
Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix
|
||||
that.
|
||||
|
||||
---
|
||||
src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++-------
|
||||
1 file changed, 52 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
index cf1e8a7dd924..e438a844eab3 100644
|
||||
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
|
||||
newvp->vp_length = 1;
|
||||
fr_pair_add(&(r->vps), newvp);
|
||||
|
||||
+ /*
|
||||
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
|
||||
+ * reserved.
|
||||
+ */
|
||||
attr += 3;
|
||||
attrlen -= 3;
|
||||
|
||||
- /* now, loop processing each attribute that we find */
|
||||
- while(attrlen > 0) {
|
||||
+ /*
|
||||
+ * Loop over each attribute. The format is:
|
||||
+ *
|
||||
+ * 1 octet of type
|
||||
+ * 1 octet of length (value 1..255)
|
||||
+ * ((4 * length) - 2) octets of data.
|
||||
+ */
|
||||
+ while (attrlen > 0) {
|
||||
uint8_t *p;
|
||||
|
||||
- if(attrlen < 2) {
|
||||
+ if (attrlen < 2) {
|
||||
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (!attr[1]) {
|
||||
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
|
||||
+ es_attribute_count);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
eapsim_attribute = attr[0];
|
||||
eapsim_len = attr[1] * 4;
|
||||
|
||||
+ /*
|
||||
+ * The length includes the 2-byte header.
|
||||
+ */
|
||||
if (eapsim_len > attrlen) {
|
||||
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
|
||||
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if(eapsim_len > MAX_STRING_LEN) {
|
||||
- eapsim_len = MAX_STRING_LEN;
|
||||
- }
|
||||
- if (eapsim_len < 2) {
|
||||
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
|
||||
- es_attribute_count);
|
||||
- return 0;
|
||||
- }
|
||||
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
|
||||
+ if (!newvp) {
|
||||
+ /*
|
||||
+ * RFC 4186 Section 8.1 says 0..127 are
|
||||
+ * "non-skippable". If one such
|
||||
+ * attribute is found and we don't
|
||||
+ * understand it, the server has to send:
|
||||
+ *
|
||||
+ * EAP-Request/SIM/Notification packet with an
|
||||
+ * (AT_NOTIFICATION code, which implies general failure ("General
|
||||
+ * failure after authentication" (0), or "General failure" (16384),
|
||||
+ * depending on the phase of the exchange), which terminates the
|
||||
+ * authentication exchange.
|
||||
+ */
|
||||
+ if (eapsim_attribute <= 127) {
|
||||
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
|
||||
+ eapsim_attribute);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
|
||||
- newvp->vp_length = eapsim_len-2;
|
||||
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||
- memcpy(p, &attr[2], eapsim_len-2);
|
||||
- fr_pair_add(&(r->vps), newvp);
|
||||
- newvp = NULL;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * It's known, ccount for header, and
|
||||
+ * copy the value over.
|
||||
+ */
|
||||
+ newvp->vp_length = eapsim_len - 2;
|
||||
+
|
||||
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||
+ memcpy(p, &attr[2], newvp->vp_length);
|
||||
+ fr_pair_add(&(r->vps), newvp);
|
||||
+ }
|
||||
|
||||
/* advance pointers, decrement length */
|
||||
attr += eapsim_len;
|
||||
44
CVE-2022-41861.patch
Normal file
44
CVE-2022-41861.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
|
||||
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||
Date: Mon, 28 Feb 2022 10:34:15 -0500
|
||||
Subject: [PATCH] manual port of commit 5906bfa1
|
||||
|
||||
---
|
||||
src/lib/filters.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/lib/filters.c b/src/lib/filters.c
|
||||
index 4868cd385d9f..3f3b63daeef3 100644
|
||||
--- a/src/lib/filters.c
|
||||
+++ b/src/lib/filters.c
|
||||
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||
}
|
||||
}
|
||||
} else if (filter->type == RAD_FILTER_GENERIC) {
|
||||
- int count;
|
||||
+ size_t count, masklen;
|
||||
+
|
||||
+ masklen = ntohs(filter->u.generic.len);
|
||||
+ if (masklen >= sizeof(filter->u.generic.mask)) {
|
||||
+ *p = '\0';
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
|
||||
p += i;
|
||||
|
||||
/* show the mask */
|
||||
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||
+ for (count = 0; count < masklen; count++) {
|
||||
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
|
||||
p += i;
|
||||
outlen -= i;
|
||||
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||
outlen--;
|
||||
|
||||
/* show the value */
|
||||
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||
+ for (count = 0; count < masklen; count++) {
|
||||
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
|
||||
p += i;
|
||||
outlen -= i;
|
||||
@ -4,7 +4,7 @@
|
||||
|
||||
Name: freeradius
|
||||
Version: 3.0.15
|
||||
Release: 24
|
||||
Release: 25
|
||||
Summary: Remote Authentication Dial-In User Service
|
||||
|
||||
License: GPLv2+ and LGPLv2+
|
||||
@ -24,6 +24,8 @@ Patch6004: backport-CVE-2019-13456.patch
|
||||
Patch6005: CVE-2019-17185.patch
|
||||
Patch6006: Fix-radeapclient-option-q.patch
|
||||
Patch6007: radsqlrelay-actually-do-something-in-debug-mode.patch
|
||||
patch6008: CVE-2022-41860.patch
|
||||
patch6009: CVE-2022-41861.patch
|
||||
|
||||
BuildRequires: autoconf gdbm-devel openssl openssl-devel pam-devel zlib-devel net-snmp-devel
|
||||
BuildRequires: net-snmp-utils readline-devel libpcap-devel systemd-units libtalloc-devel
|
||||
@ -439,6 +441,9 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap
|
||||
|
||||
%changelog
|
||||
* Wed Dec 21 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 3.0.15-25
|
||||
- Fix CVE-2022-41860 and CVE-2022-41861
|
||||
|
||||
* Mon May 10 2021 lingsheng <lingsheng@huawei.com> - 3.0.15-24
|
||||
- Fix radsqlrelay debug mode
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user