* [gentoo-security] CVE-2012-3547 vulnerability in net-dialup/freeradius
From: Štefan Sakalík @ 2012-09-11 14:56 UTC
To: gentoo-security
[-- Attachment #1: Type: text/plain, Size: 339 bytes --]
Hi,
we are affected by this vulnerability, so I have created a patch for
freeradius-2.1.11-r1 (attached), inspired by the upstream patch in git
at git://git.freeradius.org/freeradius-server.git, commit 684dce7da5fd078.
Please review this patch and include it in Gentoo, since it's a rather
severe vulnerability.
Regards,
Stefan Sakalik
[-- Attachment #2: freeradius-2.1.10-cve2012-3547.patch --]
[-- Type: text/x-patch, Size: 591 bytes --]
--- freeradius-server-2.1.11.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2011-06-20 16:57:14.000000000 +0200
+++ freeradius-server-2.1.11/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2012-09-11 13:55:45.000000000 +0200
@@ -484,7 +484,7 @@
*/
buf[0] = '\0';
asn_time = X509_get_notAfter(client_cert);
- if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
+ if ((lookup <= 1) && asn_time && (asn_time->length < sizeof(buf))) {
memcpy(buf, (char*) asn_time->data, asn_time->length);
buf[asn_time->length] = '\0';
pairadd(&handler->certs,
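Review bot: the new bound `asn_time->length < sizeof(buf)` is only correct if `buf` is a fixed-size array declared in this function rather than a pointer (where `sizeof` would yield the pointer size), and that declaration is outside the hunk; please confirm it, and note that replacing MAX_STRING_LEN with the real buffer size is what closes the overrun, so the two values must indeed differ. The strict `<` does leave one byte for the terminator written by `buf[asn_time->length] = '\0'`, so that part is fine. Also check whether the same function has a parallel block copying the X509_get_notBefore string into the same buffer: this hunk only touches the notAfter path, so compare against the upstream commit 684dce7da5fd078 named in the mail to make sure no second copy was left with the old bound.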
* Re: [gentoo-security] CVE-2012-3547 vulnerability in net-dialup/freeradius
From: Agostino Sarubbo @ 2012-09-11 19:20 UTC
To: gentoo-security
[-- Attachment #1: Type: text/plain, Size: 704 bytes --]
On Tuesday 11 September 2012 16:56:09 Štefan Sakalík wrote:
> Hi,
> we are affected by this vulnerability, so I have created a patch for
> freeradius-2.1.11-r1 (attached), inspired by the upstream patch in git
> at git://git.freeradius.org/freeradius-server.git, commit 684dce7da5fd078.
> Please review this patch and include it in Gentoo, since it's a rather
> severe vulnerability.
Please use our bugzilla for this stuff. File a new bug and proceed with your
request.
Anyway, I see from this advisory[1] that it is enough to bump to the latest version.
[1]: https://secunia.com/advisories/50484/
--
Agostino Sarubbo / ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]