main/freeradius: security fixes (CVE-2019-11234, CVE-2019-11235)

Fixes #10327

main/freeradius: security fixes (CVE-2019-11234, CVE-2019-11235)
Fixes #10327
354ae2b1 · Leonardo Arena · 9d48a71d · 354ae2b1 · 354ae2b1
Commit 354ae2b1 authored Apr 25, 2019 by Leonardo Arena
Hide whitespace changes
Inline Side-by-side

Showing with 100 additions and 4 deletions

main/freeradius/APKBUILD main/freeradius/APKBUILD +10 -4

main/freeradius/CVE-2019-11234-5.patch main/freeradius/CVE-2019-11234-5.patch +90 -0

No files found.
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=freeradius
 _realname=freeradius
 pkgver=3.0.15
-pkgrel=3
+pkgrel=4
 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
 url="http://freeradius.org/"
 arch="all"
@@ -24,17 +24,22 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-ldap $pkgname-lib
 	$pkgname-unixodbc $pkgname-pam $pkgname-eap $pkgname-krb5
 	$pkgname-rest $pkgname-redis $pkgname-checkrad"
 provides="freeradius3=$pkgver-r$pkgrel"
-source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
+source="ftp://ftp.freeradius.org/pub/freeradius/old/$_realname-server-$pkgver.tar.gz
 	$pkgname.confd
 	$pkgname.initd

 	musl-fix-headers.patch
 	fix-scopeid.patch
 	freeradius-313-default-config.patch
+	CVE-2019-11234-5.patch
 	"
-
 builddir="$srcdir"/$_realname-server-$pkgver

+# secfixes:
+#   3.0.15-r4:
+#     - CVE-2019-11234
+#     - CVE-2019-11235
+
 radconfdir="/etc/raddb"
 radmodsdir="$radconfdir/mods-available"
 radlibdir="/usr/lib/freeradius"
@@ -283,4 +288,5 @@ e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d6
 ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a  freeradius.initd
 c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d  musl-fix-headers.patch
 41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234  fix-scopeid.patch
-666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e  freeradius-313-default-config.patch"
+666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e  freeradius-313-default-config.patch
+05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477  CVE-2019-11234-5.patch"
--- a/main/freeradius/CVE-2019-11234-5.patch
+++ b/main/freeradius/CVE-2019-11234-5.patch
+From 85497b5ff37ccb656895b826b88585898c209586 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Tue, 9 Apr 2019 15:17:19 -0400
+Subject: [PATCH] When processing an EAP-pwd Commit frame, the peer's scalar
+ and elliptic curve point were not validated. This allowed an adversary to
+ bypass authentication, and impersonate any user.
+
+Fix this vulnerability by assuring the received scalar lies within the valid
+range, and by checking that the received element is not the point at infinity
+and lies on the elliptic curve being used.
+---
+ .../rlm_eap/types/rlm_eap_pwd/eap_pwd.c       | 22 +++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index 7f91e4b230..848ca2055e 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 	data_len = BN_num_bytes(session->order);
+ 	BN_bin2bn(ptr, data_len, session->peer_scalar);
+ 
+	/* validate received scalar */
+	if (BN_is_zero(session->peer_scalar) ||
+	    BN_is_one(session->peer_scalar) ||
+	    BN_cmp(session->peer_scalar, session->order) >= 0) {
+		ERROR("Peer's scalar is not within the allowed range");
+		goto finish;
+	}
+
+ 	if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
+ 		DEBUG2("pwd: unable to get coordinates of peer's element");
+ 		goto finish;
+ 	}
+ 
+	/* validate received element */
+	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+		ERROR("Peer's element is not a point on the elliptic curve");
+		goto finish;
+	}
+
+ 	/* check to ensure peer's element is not in a small sub-group */
+ 	if (BN_cmp(cofactor, BN_value_one())) {
+ 		if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
+@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 		}
+ 	}
+ 
+	/* detect reflection attacks */
+	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+		ERROR("Reflection attack detected");
+		goto finish;
+	}
+
+ 	/* compute the shared key, k */
+ 	if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
+ 	    (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
+From ab4c767099f263a7cd4109bcdca80ee74210a769 Mon Sep 17 00:00:00 2001
+From: Matthew Newton <matthew-git@newtoncomputing.co.uk>
+Date: Wed, 10 Apr 2019 10:11:23 +0100
+Subject: [PATCH] fix incorrectly named variable
+
+---
+ src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index 848ca2055e..c54f08c030 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -387,7 +387,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 	}
+ 
+ 	/* validate received element */
+-	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ 	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ 		ERROR("Peer's element is not a point on the elliptic curve");
+ 		goto finish;
+@@ -408,7 +408,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 
+ 	/* detect reflection attacks */
+ 	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+-	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ 		ERROR("Reflection attack detected");
+ 		goto finish;
+ 	}