authorNatanael Copa <ncopa@alpinelinux.org>2012-10-01 14:51:24 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-10-01 14:58:44 +0000
commitae70e627a0da3e9ba56df151a2261516e64ed15b (patch)
treef35be2a04707631f6aa0be595b58e7f02e8d32b0
parent3d01b184506a3714f0202b4020148fd2de3f0f64 (diff)
downloadaports-ae70e627a0da3e9ba56df151a2261516e64ed15b.tar.bz2
aports-ae70e627a0da3e9ba56df151a2261516e64ed15b.tar.xz
main/freeradius: security fix for CVE-2012-3547
fixes #1389
-rw-r--r--main/freeradius/0001-Fix-detection-of-TLS-for-uClibc.patch33
-rw-r--r--main/freeradius/APKBUILD15
-rw-r--r--main/freeradius/CVE-2012-3547.patch13
-rw-r--r--main/freeradius/freeradius-2.1.6-nothreads.patch13
-rw-r--r--main/freeradius/freeradius-2.1.7-pkglibdir.patch63
5 files changed, 22 insertions, 115 deletions
diff --git a/main/freeradius/0001-Fix-detection-of-TLS-for-uClibc.patch b/main/freeradius/0001-Fix-detection-of-TLS-for-uClibc.patch
deleted file mode 100644
index e76571a21c..0000000000
--- a/main/freeradius/0001-Fix-detection-of-TLS-for-uClibc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 51cb058c6a9472585622582d16e01c5540627c25 Mon Sep 17 00:00:00 2001
-From: Natanael Copa <ncopa@alpinelinux.org>
-Date: Tue, 13 Oct 2009 12:53:38 +0000
-Subject: [PATCH] Fix detection of TLS for uClibc
-
-On uClibc the configure script will wrongly detect that TLS is
-available. This happends becuase the variable val in the test program
-is optimized away and missing during link time.
-
-This patch make sure that the variable val is not optimized away so
-configure correctly will detect that TLS is missing on uClibc.
-
-Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
----
- acinclude.m4 | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index 6025474..100e5b0 100644
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -382,7 +382,7 @@ m4_pushdef([AC_OUTPUT],
- AC_DEFUN([FR_TLS],
- [
- AC_MSG_CHECKING(for TLS)
-- AC_RUN_IFELSE([AC_LANG_SOURCE([[ static __thread int val; int main() { return 0; } ]])],[have_tls=yes],[have_tls=no],[have_tls=no ])
-+ AC_RUN_IFELSE([AC_LANG_SOURCE([[ static __thread int val; int main(int argc, char *argv[]) { return val = argc; } ]])],[have_tls=yes],[have_tls=no],[have_tls=no ])
- AC_MSG_RESULT($have_tls)
- if test "$have_tls" = "yes"; then
- AC_DEFINE([HAVE_THREAD_TLS],[1],[Define if the compiler supports __thread])
---
-1.6.4.4
-
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index 5c659684cf..3c9e103587 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=freeradius
pkgver=2.1.12
-pkgrel=0
+pkgrel=1
pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
url="http://freeradius.org/"
license="GPL"
@@ -16,6 +16,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-ldap $pkgname-mssql \
$pkgname-mysql $pkgname-oracle $pkgname-perl $pkgname-postgresql \
$pkgname-python $pkgname-unixodbc"
source="ftp://ftp.freeradius.org/pub/freeradius/$pkgname-server-$pkgver.tar.gz
+ CVE-2012-3547.patch
freeradius.confd
freeradius.initd
"
@@ -24,11 +25,12 @@ _builddir="$srcdir"/$pkgname-server-$pkgver
prepare() {
cd "$_builddir"
-# for i in ../*.patch; do
-# msg "Applying $i"
-# patch -p1 -i $i || return 1
-# done
-
+ for i in "$srcdir"; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+
# we dont have libnsl
sed -i 's/-lnsl //g' configure || return 1
sed -i 's/nsl, //g' configure.in || return 1
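Review bot: The new loop in prepare() iterates over `"$srcdir"`, which is a single directory path (it is used that way in `_builddir="$srcdir"/$pkgname-server-$pkgver`), so the `*.patch)` arm never matches and CVE-2012-3547.patch is never applied. The package would then be published as pkgrel=1 with the md5sum of the patch recorded but with rlm_eap_tls.c unchanged. The loop should walk the source list instead, `for i in $source; do`, and the arm is safer with the name quoted: `*.patch) msg "$i"; patch -p1 -i "$srcdir/$i" || return 1;;`. A quick check after the build is to confirm the `sizeof(buf)` comparison is present in the prepared tree. prepare() continues past the end of this hunk.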
@@ -145,5 +147,6 @@ unixodbc() {
}
md5sums="dcbaed16df8ccff672ba132a08bf8510 freeradius-server-2.1.12.tar.gz
+8473b8eeb4107c2e6181829553e4c7b3 CVE-2012-3547.patch
fc6693f3df5a0694610110287a28568a freeradius.confd
6cd5d02575f514a51d741dba3f7c70d2 freeradius.initd"
diff --git a/main/freeradius/CVE-2012-3547.patch b/main/freeradius/CVE-2012-3547.patch
new file mode 100644
index 0000000000..dd45d77af3
--- /dev/null
+++ b/main/freeradius/CVE-2012-3547.patch
@@ -0,0 +1,13 @@
+Index: freeradius-2.1.12+dfsg/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+===================================================================
+--- freeradius-2.1.12+dfsg.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2011-09-30 16:12:07.000000000 +0200
++++ freeradius-2.1.12+dfsg/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2012-09-11 19:36:21.000000000 +0200
+@@ -531,7 +531,7 @@
+ */
+ buf[0] = '\0';
+ asn_time = X509_get_notAfter(client_cert);
+- if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
++ if ((lookup <= 1) && asn_time && (asn_time->length < sizeof(buf))) {
+ memcpy(buf, (char*) asn_time->data, asn_time->length);
+ buf[asn_time->length] = '\0';
+ pairadd(&handler->certs,
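Review bot: The added patch file carries no provenance header, so a later auditor cannot tell where the fix came from or confirm it matches the upstream change for CVE-2012-3547. The `freeradius-2.1.12+dfsg` paths suggest it was taken from a distribution package rather than from the upstream repository. I would add a few comment lines above `Index:` giving the origin URL or upstream commit id and one sentence on the defect: the certificate's notAfter length was bounded by `MAX_STRING_LEN` rather than by the size of the destination `buf` before the `memcpy`. The declaration of `buf` and the rest of the function are outside the hunk, so it is worth confirming that `buf` is an array there and not a pointer, since `sizeof(buf)` only gives the buffer size in the first case.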
diff --git a/main/freeradius/freeradius-2.1.6-nothreads.patch b/main/freeradius/freeradius-2.1.6-nothreads.patch
deleted file mode 100644
index 41a41c8d6e..0000000000
--- a/main/freeradius/freeradius-2.1.6-nothreads.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -Nru freeradius-server-2.1.6.orig/src/main/event.c freeradius-server-2.1.6/src/main/event.c
---- freeradius-server-2.1.6.orig/src/main/event.c 2009-05-18 13:13:55.000000000 +0200
-+++ freeradius-server-2.1.6/src/main/event.c 2009-09-05 07:52:42.000000000 +0200
-@@ -1667,7 +1667,9 @@
- */
- request->num_proxied_requests = 1;
- request->num_proxied_responses = 0;
-+#ifdef HAVE_PTHREAD_H
- request->child_pid = NO_SUCH_CHILD_PID;
-+#endif
-
- update_event_timestamp(request->proxy, request->proxy_when.tv_sec);
-
diff --git a/main/freeradius/freeradius-2.1.7-pkglibdir.patch b/main/freeradius/freeradius-2.1.7-pkglibdir.patch
deleted file mode 100644
index d5767fbd02..0000000000
--- a/main/freeradius/freeradius-2.1.7-pkglibdir.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -ru freeradius-server-2.1.7.orig/Make.inc.in freeradius-server-2.1.7/Make.inc.in
---- freeradius-server-2.1.7.orig/Make.inc.in 2009-10-09 08:38:58.000000000 +0000
-+++ freeradius-server-2.1.7/Make.inc.in 2009-10-09 08:39:15.000000000 +0000
-@@ -10,6 +10,7 @@
- sysconfdir = @sysconfdir@
- localstatedir = @localstatedir@
- libdir = @libdir@
-+pkglibdir = @libdir@/freeradius
- bindir = @bindir@
- sbindir = @sbindir@
- docdir = @docdir@
-diff -ru freeradius-server-2.1.7.orig/raddb/radiusd.conf.in freeradius-server-2.1.7/raddb/radiusd.conf.in
---- freeradius-server-2.1.7.orig/raddb/radiusd.conf.in 2009-10-09 08:38:58.000000000 +0000
-+++ freeradius-server-2.1.7/raddb/radiusd.conf.in 2009-10-09 08:39:15.000000000 +0000
-@@ -103,7 +103,7 @@
- # make
- # make install
- #
--libdir = @libdir@
-+libdir = @libdir@/freeradius
-
- # pidfile: Where to place the PID of the RADIUS server.
- #
-diff -ru freeradius-server-2.1.7.orig/src/modules/Makefile freeradius-server-2.1.7/src/modules/Makefile
---- freeradius-server-2.1.7.orig/src/modules/Makefile 2009-10-09 08:38:58.000000000 +0000
-+++ freeradius-server-2.1.7/src/modules/Makefile 2009-10-09 08:39:15.000000000 +0000
-@@ -12,7 +12,7 @@
- @$(MAKE) $(MFLAGS) WHAT_TO_MAKE=$@ common
-
- install:
-- $(INSTALL) -d -m 755 $(R)$(libdir)
-+ $(INSTALL) -d -m 755 $(R)$(pkglibdir)
- @$(MAKE) $(MFLAGS) WHAT_TO_MAKE=$@ common
-
- clean:
-diff -ru freeradius-server-2.1.7.orig/src/modules/rules.mak freeradius-server-2.1.7/src/modules/rules.mak
---- freeradius-server-2.1.7.orig/src/modules/rules.mak 2009-10-09 08:38:58.000000000 +0000
-+++ freeradius-server-2.1.7/src/modules/rules.mak 2009-10-09 08:40:56.000000000 +0000
-@@ -123,7 +123,7 @@
- $(TARGET).la: $(LT_OBJS)
- $(LIBTOOL) --mode=link $(CC) -release $(RADIUSD_VERSION) \
- -module $(LINK_MODE) $(LDFLAGS) $(RLM_LDFLAGS) -o $@ \
-- -rpath $(libdir) $^ $(LIBRADIUS) $(RLM_LIBS) $(LIBS)
-+ -rpath $(pkglibdir) $^ $(LIBRADIUS) $(RLM_LIBS) $(LIBS)
-
- #######################################################################
- #
-@@ -164,13 +164,13 @@
- # Do any module-specific installation.
- #
- # If there isn't a TARGET defined, then don't do anything.
--# Otherwise, install the libraries into $(libdir)
-+# Otherwise, install the libraries into $(pkglibdir)
- #
- install:
- @[ "x$(RLM_INSTALL)" = "x" ] || $(MAKE) $(MFLAGS) $(RLM_INSTALL)
- if [ "x$(TARGET)" != "x" ]; then \
- $(LIBTOOL) --mode=install $(INSTALL) -c \
-- $(TARGET).la $(R)$(libdir)/$(TARGET).la || exit $$?; \
-+ $(TARGET).la $(R)$(pkglibdir)/$(TARGET).la || exit $$?; \
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la; \
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la || exit $$?; \
- fi