main/freeradius: security fix for CVE-2015-4680

ref #4377 fixes #4381 (cherry picked from commit 1314c0d82fee33213ea17cc7805bdf3a60efac78)
author: Natanael Copa <ncopa@alpinelinux.org> 2015-07-07 14:48:41 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-07-07 19:45:05 +0000
commit: 1794998b957c4311b20aa504cb0c1576e702d3d9 (patch)
tree: 9420179b2b69ad52632a27b245a5e11e786fbc20
parent: 7a26617a5bf6fd3ba752b735501c4080b2d514ec (diff)
download: alpine_aports-1794998b957c4311b20aa504cb0c1576e702d3d9.tar.bz2
alpine_aports-1794998b957c4311b20aa504cb0c1576e702d3d9.tar.xz
alpine_aports-1794998b957c4311b20aa504cb0c1576e702d3d9.zip
2 files changed, 87 insertions, 4 deletions
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index 58952a7163..633d4c600d 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=freeradius
 _realname=freeradius
 pkgver=3.0.8
-pkgrel=6
+pkgrel=7
 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
 url="http://freeradius.org/"
 arch="all"
@@ -30,6 +30,7 @@ source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
        musl-fix-headers.patch
        disable-cert-generation.patch
        freeradius-305-default-config.patch
+        CVE-2015-4680.patch
        "
 _builddir="$srcdir"/$_realname-server-$pkgver
@@ -272,16 +273,19 @@ fc6693f3df5a0694610110287a28568a  freeradius.confd
 e27f11a11fa167b5185d3e11de79d3bc  freeradius.initd
 d86558365a1deea4914ed139797805b0  musl-fix-headers.patch
 ecd9ecfba4cf86a203de6faf8398c44a  disable-cert-generation.patch
-f8a7b00835f2108acc06af212cede16e  freeradius-305-default-config.patch"
+f8a7b00835f2108acc06af212cede16e  freeradius-305-default-config.patch
+3bc4cd4994c9a197daf36585487438a0  CVE-2015-4680.patch"
 sha256sums="c27252d7a86ba252904612d9b1f90e846f3ef1f4afee6a748f5287b730e87e3a  freeradius-server-3.0.8.tar.gz
 2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292  freeradius.confd
 a5208f13420c28446b85dfc48cb9193a4651c994d15cc2c9b0bc43734c66e8f0  freeradius.initd
 872aaebf86a663f819460d98924a9dc1f3e428facac6930dc98d1e442df1633f  musl-fix-headers.patch
 008fa3a4da7b3c01df238bf492a8ccda4077289c02c553a60ad8f4439ec136a2  disable-cert-generation.patch
-02cad546ffaf3f9be531cb45b96c7fb31f83c717e40ece4ff28a73c86f921f33  freeradius-305-default-config.patch"
+02cad546ffaf3f9be531cb45b96c7fb31f83c717e40ece4ff28a73c86f921f33  freeradius-305-default-config.patch
+e7cbb3af9f90d741f91907898f9c0b156a2ae448cc812cbd6fd8322eb8bcea54  CVE-2015-4680.patch"
 sha512sums="89aabc474e95226eeb5003feef40fbe240f28aa65c40e0566a9bec08991d95fab83826f3b14f416cf4d7d832a814912521cb3c83097c1a2ce5d3e3537ee3a732  freeradius-server-3.0.8.tar.gz
 e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d610940bc4ae50c022594e219ce341b36abe85c572acad418b  freeradius.confd
 ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a  freeradius.initd
 c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d  musl-fix-headers.patch
 09b78c6baa992f82ab81c43aad6792536a4708d460170f0a373e242a5fafe8db10662dc7fcef99a966b828ed91fa7fe38567c961c938de9a447f1ee03aebb142  disable-cert-generation.patch
-b69b899da6f80dbdb7422847536e37461315ba587a07fedc1eee28b96be7d16993b758ccd34e3a271ce2937d72c6ddff878aec61a3a4c0750deaaa959d10ed5e  freeradius-305-default-config.patch"
+b69b899da6f80dbdb7422847536e37461315ba587a07fedc1eee28b96be7d16993b758ccd34e3a271ce2937d72c6ddff878aec61a3a4c0750deaaa959d10ed5e  freeradius-305-default-config.patch
+68f00ea6353a2951c95d58fd674701c250e4de713c1bbfba80eb7247df1dc477fa2e277c9f0866ee5591e66eef4f52da70ee1794588df1f411f5e40773317fe7  CVE-2015-4680.patch"
diff --git a/main/freeradius/CVE-2015-4680.patch b/main/freeradius/CVE-2015-4680.patch
new file mode 100644
index 0000000000..ade38c9ee7
--- /dev/null
+++ b/main/freeradius/CVE-2015-4680.patch
@@ -0,0 +1,79 @@
+From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 22 Jun 2015 15:27:10 -0400
+Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
+---
+ raddb/mods-available/eap |  6 +++++-
+ src/include/tls-h        |  1 +
+ src/main/tls.c           | 12 ++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 165971a..10026ec 100644
+--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
+@@ -269,9 +269,13 @@ eap {
+                #  1) Copy CA certificates and CRLs to same directory.
+                #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+                #    'c_rehash' is OpenSSL's command.
+-               #  3) uncomment the line below.
+               #  3) uncomment the lines below.
+                #  5) Restart radiusd
+        #       check_crl = yes
+
+               # Check if intermediate CAs have been revoked.
+       #       check_all_crl = yes
+
+                ca_path = ${cadir}
+ 
+                #
+diff --git a/src/include/tls-h b/src/include/tls-h
+index 9fdc775..a41c6f5 100644
+--- a/src/include/tls-h
+++ b/src/include/tls-h
+@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
+         */
+        uint32_t        fragment_size;
+        bool            check_crl;
+       bool            check_all_crl;
+        bool            allow_expired_crl;
+        char const      *check_cert_cn;
+        char const      *cipher_list;
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 692651f..9df48b4 100644
+--- a/src/main/tls.c
+++ b/src/main/tls.c
+@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
+        { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
+        { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
+        { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+       { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
+#endif
+        { "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
+        { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
+        { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
+@@ -2104,6 +2107,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
+        if (conf->check_crl)
+                X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+ #endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+       if (conf->check_all_crl)
+               X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
+        return store;
+ }
+ #endif /* HAVE_OPENSSL_OCSP_H */
+@@ -2591,6 +2598,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
+                        return NULL;
+                }
+                X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+               if (conf->check_all_crl)
+                       X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
+        }
+ #endif
+
author	Natanael Copa <ncopa@alpinelinux.org>	2015-07-07 14:48:41 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-07-07 19:45:05 +0000
commit	1794998b957c4311b20aa504cb0c1576e702d3d9 (patch)
tree	9420179b2b69ad52632a27b245a5e11e786fbc20
parent	7a26617a5bf6fd3ba752b735501c4080b2d514ec (diff)
download	alpine_aports-1794998b957c4311b20aa504cb0c1576e702d3d9.tar.bz2 alpine_aports-1794998b957c4311b20aa504cb0c1576e702d3d9.tar.xz alpine_aports-1794998b957c4311b20aa504cb0c1576e702d3d9.zip

diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD index 58952a7163..633d4c600d 100644 --- a/main/freeradius/APKBUILD +++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
5	pkgname=freeradius	5	pkgname=freeradius
6	_realname=freeradius	6	_realname=freeradius
7	pkgver=3.0.8	7	pkgver=3.0.8
8	pkgrel=6	8	pkgrel=7
9	pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"	9	pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
10	url="http://freeradius.org/"	10	url="http://freeradius.org/"
11	arch="all"	11	arch="all"
@@ -30,6 +30,7 @@ source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
30	musl-fix-headers.patch	30	musl-fix-headers.patch
31	disable-cert-generation.patch	31	disable-cert-generation.patch
32	freeradius-305-default-config.patch	32	freeradius-305-default-config.patch
		33	CVE-2015-4680.patch
33	"	34	"
34		35
35	_builddir="$srcdir"/$_realname-server-$pkgver	36	_builddir="$srcdir"/$_realname-server-$pkgver
@@ -272,16 +273,19 @@ fc6693f3df5a0694610110287a28568a freeradius.confd
272	e27f11a11fa167b5185d3e11de79d3bc freeradius.initd	273	e27f11a11fa167b5185d3e11de79d3bc freeradius.initd
273	d86558365a1deea4914ed139797805b0 musl-fix-headers.patch	274	d86558365a1deea4914ed139797805b0 musl-fix-headers.patch
274	ecd9ecfba4cf86a203de6faf8398c44a disable-cert-generation.patch	275	ecd9ecfba4cf86a203de6faf8398c44a disable-cert-generation.patch
275	f8a7b00835f2108acc06af212cede16e freeradius-305-default-config.patch"	276	f8a7b00835f2108acc06af212cede16e freeradius-305-default-config.patch
		277	3bc4cd4994c9a197daf36585487438a0 CVE-2015-4680.patch"
276	sha256sums="c27252d7a86ba252904612d9b1f90e846f3ef1f4afee6a748f5287b730e87e3a freeradius-server-3.0.8.tar.gz	278	sha256sums="c27252d7a86ba252904612d9b1f90e846f3ef1f4afee6a748f5287b730e87e3a freeradius-server-3.0.8.tar.gz
277	2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292 freeradius.confd	279	2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292 freeradius.confd
278	a5208f13420c28446b85dfc48cb9193a4651c994d15cc2c9b0bc43734c66e8f0 freeradius.initd	280	a5208f13420c28446b85dfc48cb9193a4651c994d15cc2c9b0bc43734c66e8f0 freeradius.initd
279	872aaebf86a663f819460d98924a9dc1f3e428facac6930dc98d1e442df1633f musl-fix-headers.patch	281	872aaebf86a663f819460d98924a9dc1f3e428facac6930dc98d1e442df1633f musl-fix-headers.patch
280	008fa3a4da7b3c01df238bf492a8ccda4077289c02c553a60ad8f4439ec136a2 disable-cert-generation.patch	282	008fa3a4da7b3c01df238bf492a8ccda4077289c02c553a60ad8f4439ec136a2 disable-cert-generation.patch
281	02cad546ffaf3f9be531cb45b96c7fb31f83c717e40ece4ff28a73c86f921f33 freeradius-305-default-config.patch"	283	02cad546ffaf3f9be531cb45b96c7fb31f83c717e40ece4ff28a73c86f921f33 freeradius-305-default-config.patch
		284	e7cbb3af9f90d741f91907898f9c0b156a2ae448cc812cbd6fd8322eb8bcea54 CVE-2015-4680.patch"
282	sha512sums="89aabc474e95226eeb5003feef40fbe240f28aa65c40e0566a9bec08991d95fab83826f3b14f416cf4d7d832a814912521cb3c83097c1a2ce5d3e3537ee3a732 freeradius-server-3.0.8.tar.gz	285	sha512sums="89aabc474e95226eeb5003feef40fbe240f28aa65c40e0566a9bec08991d95fab83826f3b14f416cf4d7d832a814912521cb3c83097c1a2ce5d3e3537ee3a732 freeradius-server-3.0.8.tar.gz
283	e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d610940bc4ae50c022594e219ce341b36abe85c572acad418b freeradius.confd	286	e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d610940bc4ae50c022594e219ce341b36abe85c572acad418b freeradius.confd
284	ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a freeradius.initd	287	ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a freeradius.initd
285	c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch	288	c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch
286	09b78c6baa992f82ab81c43aad6792536a4708d460170f0a373e242a5fafe8db10662dc7fcef99a966b828ed91fa7fe38567c961c938de9a447f1ee03aebb142 disable-cert-generation.patch	289	09b78c6baa992f82ab81c43aad6792536a4708d460170f0a373e242a5fafe8db10662dc7fcef99a966b828ed91fa7fe38567c961c938de9a447f1ee03aebb142 disable-cert-generation.patch
287	b69b899da6f80dbdb7422847536e37461315ba587a07fedc1eee28b96be7d16993b758ccd34e3a271ce2937d72c6ddff878aec61a3a4c0750deaaa959d10ed5e freeradius-305-default-config.patch"	290	b69b899da6f80dbdb7422847536e37461315ba587a07fedc1eee28b96be7d16993b758ccd34e3a271ce2937d72c6ddff878aec61a3a4c0750deaaa959d10ed5e freeradius-305-default-config.patch
		291	68f00ea6353a2951c95d58fd674701c250e4de713c1bbfba80eb7247df1dc477fa2e277c9f0866ee5591e66eef4f52da70ee1794588df1f411f5e40773317fe7 CVE-2015-4680.patch"


diff --git a/main/freeradius/CVE-2015-4680.patch b/main/freeradius/CVE-2015-4680.patch new file mode 100644 index 0000000000..ade38c9ee7 --- /dev/null +++ b/main/freeradius/CVE-2015-4680.patch
@@ -0,0 +1,79 @@
		1	From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
		2	From: "Alan T. DeKok" <aland@freeradius.org>
		3	Date: Mon, 22 Jun 2015 15:27:10 -0400
		4	Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
		5
		6	---
		7	raddb/mods-available/eap \| 6 +++++-
		8	src/include/tls-h \| 1 +
		9	src/main/tls.c \| 12 ++++++++++++
		10	3 files changed, 18 insertions(+), 1 deletion(-)
		11
		12	diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
		13	index 165971a..10026ec 100644
		14	--- a/raddb/mods-available/eap
		15	+++ b/raddb/mods-available/eap
		16	@@ -269,9 +269,13 @@ eap {
		17	# 1) Copy CA certificates and CRLs to same directory.
		18	# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		19	# 'c_rehash' is OpenSSL's command.
		20	- # 3) uncomment the line below.
		21	+ # 3) uncomment the lines below.
		22	# 5) Restart radiusd
		23	# check_crl = yes
		24	+
		25	+ # Check if intermediate CAs have been revoked.
		26	+ # check_all_crl = yes
		27	+
		28	ca_path = ${cadir}
		29
		30	#
		31	diff --git a/src/include/tls-h b/src/include/tls-h
		32	index 9fdc775..a41c6f5 100644
		33	--- a/src/include/tls-h
		34	+++ b/src/include/tls-h
		35	@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
		36	*/
		37	uint32_t fragment_size;
		38	bool check_crl;
		39	+ bool check_all_crl;
		40	bool allow_expired_crl;
		41	char const *check_cert_cn;
		42	char const *cipher_list;
		43	diff --git a/src/main/tls.c b/src/main/tls.c
		44	index 692651f..9df48b4 100644
		45	--- a/src/main/tls.c
		46	+++ b/src/main/tls.c
		47	@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
		48	{ "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
		49	{ "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
		50	{ "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
		51	+#ifdef X509_V_FLAG_CRL_CHECK_ALL
		52	+ { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
		53	+#endif
		54	{ "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
		55	{ "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
		56	{ "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
		57	@@ -2104,6 +2107,10 @@ static X509_STORE init_revocation_store(fr_tls_server_conf_t conf)
		58	if (conf->check_crl)
		59	X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
		60	#endif
		61	+#ifdef X509_V_FLAG_CRL_CHECK_ALL
		62	+ if (conf->check_all_crl)
		63	+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
		64	+#endif
		65	return store;
		66	}
		67	#endif /* HAVE_OPENSSL_OCSP_H */
		68	@@ -2591,6 +2598,11 @@ SSL_CTX tls_init_ctx(fr_tls_server_conf_t conf, int client)
		69	return NULL;
		70	}
		71	X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
		72	+
		73	+#ifdef X509_V_FLAG_CRL_CHECK_ALL
		74	+ if (conf->check_all_crl)
		75	+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
		76	+#endif
		77	}
		78	#endif
		79