diff -Nru libpam-radius-auth-1.4.0/debian/changelog libpam-radius-auth-1.4.0/debian/changelog --- libpam-radius-auth-1.4.0/debian/changelog 2020-02-19 12:45:34.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/changelog 2020-02-21 10:17:11.000000000 +0000 @@ -1,15 +1,11 @@ -libpam-radius-auth (1.4.0-2ubuntu1) focal; urgency=medium +libpam-radius-auth (1.4.0-3) unstable; urgency=medium - * SECURITY UPDATE: DoS via stack overflow in password field - - debian/patches/CVE-2015-9542-1.patch: use length, which has been - limited in size in src/pam_radius_auth.c. - - debian/patches/CVE-2015-9542-2.patch: clear out trailing part of the - buffer in src/pam_radius_auth.c. - - debian/patches/CVE-2015-9542-3.patch: copy password to buffer before - rounding length in src/pam_radius_auth.c. - - CVE-2015-9542 + * QA upload + * Add patch to fix buffer overflow in password field. + (Fixes: CVE-2015-9542) (Closes: #951396) + * Bump Standards-Version to 4.5.0 and dh-compat to 12 - -- Marc Deslauriers Wed, 19 Feb 2020 07:45:34 -0500 + -- Utkarsh Gupta Fri, 21 Feb 2020 15:47:11 +0530 libpam-radius-auth (1.4.0-2) unstable; urgency=medium diff -Nru libpam-radius-auth-1.4.0/debian/control libpam-radius-auth-1.4.0/debian/control --- libpam-radius-auth-1.4.0/debian/control 2020-02-19 12:45:34.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/control 2020-02-21 10:17:11.000000000 +0000 @@ -1,10 +1,9 @@ Source: libpam-radius-auth -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Debian QA Group +Maintainer: Debian QA Group Section: admin Priority: optional -Standards-Version: 4.2.0 -Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 11) +Standards-Version: 4.5.0 +Build-Depends: libpam0g-dev | libpam-dev, debhelper-compat (= 12) Rules-Requires-Root: no Homepage: https://www.freeradius.org/pam_radius_auth/ diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-1.patch libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-1.patch --- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-1.patch 2020-02-19 12:45:23.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-1.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,22 +0,0 @@ -From 01173ec2426627dbb1e0d96c06c3ffa0b14d36d0 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Thu, 21 May 2015 15:40:11 -0400 -Subject: [PATCH] Use "length", which has been limited in size - ---- - src/pam_radius_auth.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c -index 7c7c9d9..396d1cf 100644 ---- a/src/pam_radius_auth.c -+++ b/src/pam_radius_auth.c -@@ -536,7 +536,7 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass - } /* 16*N maps to itself */ - - memset(hashed, 0, length); -- memcpy(hashed, password, strlen(password)); -+ memcpy(hashed, password, length); - - attr = find_attribute(request, PW_PASSWORD); - diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-2.patch libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-2.patch --- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-2.patch 2020-02-19 12:45:27.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-2.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,23 +0,0 @@ -From 6bae92df885602b2558333bdb6d2db67d1365683 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Sat, 31 Oct 2015 10:31:11 -0400 -Subject: [PATCH] Clear out trailing part of the buffer - ---- - src/pam_radius_auth.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c -index 694e7b4..90d074a 100644 ---- a/src/pam_radius_auth.c -+++ b/src/pam_radius_auth.c -@@ -535,8 +535,8 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass - length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ - } /* 16*N maps to itself */ - -- memset(hashed, 0, length); - memcpy(hashed, password, length); -+ memset(hashed + length, 0, sizeof(hashed) - length); - - attr = find_attribute(request, PW_PASSWORD); - diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-3.patch libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-3.patch --- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-3.patch 2020-02-19 12:45:31.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542-3.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,33 +0,0 @@ -From ac2c16774be593ebaa769b09c95722d08216cb95 Mon Sep 17 00:00:00 2001 -From: Justin Standring -Date: Thu, 1 Dec 2016 14:44:29 -0800 -Subject: [PATCH] Copy password to buffer before rounding length - ---- - src/pam_radius_auth.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c -index e9b3034..34b2a38 100644 ---- a/src/pam_radius_auth.c -+++ b/src/pam_radius_auth.c -@@ -528,6 +528,9 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass - length = MAXPASS; - } - -+ memcpy(hashed, password, length); -+ memset(hashed + length, 0, sizeof(hashed) - length); -+ - if (length == 0) { - length = AUTH_PASS_LEN; /* 0 maps to 16 */ - } if ((length & (AUTH_PASS_LEN - 1)) != 0) { -@@ -535,9 +538,6 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass - length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ - } /* 16*N maps to itself */ - -- memcpy(hashed, password, length); -- memset(hashed + length, 0, sizeof(hashed) - length); -- - attr = find_attribute(request, PW_PASSWORD); - - if (type == PW_PASSWORD) { diff -Nru libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix --- libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 1970-01-01 00:00:00.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/patches/CVE-2015-9542.fix 2020-02-21 09:52:32.000000000 +0000 @@ -0,0 +1,31 @@ +Description: This patch fixes CVE-2015-9542. +Author: Justin Standring +Author: Utkarsh Gupta +Bug-Debian: https://bugs.debian.org/951396 +Origin: https://github.com/FreeRADIUS/pam_radius/commit/01173ec +Origin: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d +Origin: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677 +Last-Update: 2020-02-21 + +--- a/src/pam_radius_auth.c ++++ b/src/pam_radius_auth.c +@@ -528,6 +528,9 @@ + length = MAXPASS; + } + ++ memcpy(hashed, password, length); ++ memset(hashed + length, 0, sizeof(hashed) - length); ++ + if (length == 0) { + length = AUTH_PASS_LEN; /* 0 maps to 16 */ + } if ((length & (AUTH_PASS_LEN - 1)) != 0) { +@@ -535,9 +538,6 @@ + length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ + } /* 16*N maps to itself */ + +- memset(hashed, 0, length); +- memcpy(hashed, password, strlen(password)); +- + attr = find_attribute(request, PW_PASSWORD); + + if (type == PW_PASSWORD) { diff -Nru libpam-radius-auth-1.4.0/debian/patches/series libpam-radius-auth-1.4.0/debian/patches/series --- libpam-radius-auth-1.4.0/debian/patches/series 2020-02-19 12:45:31.000000000 +0000 +++ libpam-radius-auth-1.4.0/debian/patches/series 2020-02-21 10:13:05.000000000 +0000 @@ -1,3 +1 @@ -CVE-2015-9542-1.patch -CVE-2015-9542-2.patch -CVE-2015-9542-3.patch +CVE-2015-9542.fix