Commit
354ae2b1
authored
Apr 25, 2019
by
Leonardo Arena
main/freeradius: security fixes (CVE-2019-11234, CVE-2019-11235)
Fixes #10327
parent
9d48a71d
Showing
2 changed files
with
100 additions
and
4 deletions
+100
-4
main/freeradius/APKBUILD
main/freeradius/APKBUILD
+10
-4
main/freeradius/CVE-2019-11234-5.patch
main/freeradius/CVE-2019-11234-5.patch
+90
-0
main/freeradius/APKBUILD
...
...
@@ -5,7 +5,7 @@
pkgname
=
freeradius
_realname
=
freeradius
pkgver
=
3.0.15
pkgrel
=
3
pkgrel
=
4
pkgdesc
=
"RADIUS (Remote Authentication Dial-In User Service) server"
url
=
"http://freeradius.org/"
arch
=
"all"
...
...
@@ -24,17 +24,22 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-ldap $pkgname-lib
$pkgname
-unixodbc
$pkgname
-pam
$pkgname
-eap
$pkgname
-krb5
$pkgname
-rest
$pkgname
-redis
$pkgname
-checkrad"
provides
=
"freeradius3=
$pkgver
-r
$pkgrel
"
source
=
"ftp://ftp.freeradius.org/pub/freeradius/
$_realname
-server-
$pkgver
.tar.gz
source
=
"ftp://ftp.freeradius.org/pub/freeradius/
old/
$_realname
-server-
$pkgver
.tar.gz
$pkgname
.confd
$pkgname
.initd
musl-fix-headers.patch
fix-scopeid.patch
freeradius-313-default-config.patch
CVE-2019-11234-5.patch
"
builddir
=
"
$srcdir
"
/
$_realname
-server-
$pkgver
# secfixes:
# 3.0.15-r4:
# - CVE-2019-11234
# - CVE-2019-11235
radconfdir
=
"/etc/raddb"
radmodsdir
=
"
$radconfdir
/mods-available"
radlibdir
=
"/usr/lib/freeradius"
...
...
@@ -283,4 +288,5 @@ e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d6
ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a freeradius.initd
c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch
41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234 fix-scopeid.patch
666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e freeradius-313-default-config.patch"
666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e freeradius-313-default-config.patch
05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch"
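Review bot: The rewritten `source=` entry still fetches the release tarball over plain `ftp://`, now from the `old/` directory, so the `sha512sums` entry is the only thing authenticating what gets built. The checksum hunk only adds a line for `CVE-2019-11234-5.patch`, so the tarball entry appears unchanged, which is consistent with a path-only move; it is still worth confirming that the file under `old/` matches the pinned hash. I would record the dependency next to the URL with a comment such as `# fetched over plain FTP; integrity relies on sha512sums below`. If upstream offers the same tarball over an authenticated transport, switching to it is the better fix.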
main/freeradius/CVE-2019-11234-5.patch
0 → 100644
From 85497b5ff37ccb656895b826b88585898c209586 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date: Tue, 9 Apr 2019 15:17:19 -0400
Subject: [PATCH] When processing an EAP-pwd Commit frame, the peer's scalar
and elliptic curve point were not validated. This allowed an adversary to
bypass authentication, and impersonate any user.
Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.
---
.../rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@
int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@
int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
From ab4c767099f263a7cd4109bcdca80ee74210a769 Mon Sep 17 00:00:00 2001
From: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Date: Wed, 10 Apr 2019 10:11:23 +0100
Subject: [PATCH] fix incorrectly named variable
---
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 848ca2055e..c54f08c030 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -387,7 +387,7 @@
int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
/* validate received element */
- if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
ERROR("Peer's element is not a point on the elliptic curve");
goto finish;
@@ -408,7 +408,7 @@
int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
- EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
ERROR("Reflection attack detected");
goto finish;
}
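Review bot: The added element validation fails open on an OpenSSL error. `EC_POINT_is_on_curve()` returns -1 on error, so `!EC_POINT_is_on_curve(...)` is false for -1 and the point is accepted as if it were on the curve. Writing the test as `if (EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) != 1 ||` rejects both "not on curve" and "error". The reflection check has the same shape: `EC_POINT_cmp(...) == 0` treats a -1 error result as "different", and `EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) != 1` would fail closed. The body of process_peer_commit starts and ends outside these hunks, so what the `finish` label returns on these paths is not visible here and should be confirmed to be a failure status.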