author | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-03-04 07:55:01 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-03-04 07:55:01 +0000 |
commit | 897da111fe2e7af6647e9bd2da62bf84782779a4 (patch) | |
tree | 49e01b9d3765d797b1ca72daa9b98fda4378de66 /main/freeradius | |
parent | 69d5ba09d08d7ada4503154e51646e5bd67adf34 (diff) | |
download | aports-897da111fe2e7af6647e9bd2da62bf84782779a4.tar.bz2 aports-897da111fe2e7af6647e9bd2da62bf84782779a4.tar.xz |
main/freeradius: upgrade to 2.2.3 and security fix (CVE-2014-2015). Backports a number of enhancements and fixes from 2.7-stable. Fixes #2719
Diffstat (limited to 'main/freeradius')
-rw-r--r-- | main/freeradius/APKBUILD | 169 | ||||
-rw-r--r-- | main/freeradius/CVE-2014-2015.patch | 35 | ||||
-rw-r--r-- | main/freeradius/freeradius.initd | 2 | ||||
-rw-r--r-- | main/freeradius/freeradius.pre-install | 4 |
4 files changed, 152 insertions, 58 deletions
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD index 0096c10311..0ebc281505 100644 --- a/main/freeradius/APKBUILD +++ b/main/freeradius/APKBUILD 
@@ -1,46 +1,55 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org> pkgname=freeradius -pkgver=2.2.0 -pkgrel=7 +pkgver=2.2.3 +pkgrel=5 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server" url="http://freeradius.org/" arch="all" license="GPL" -depends="freeradius-radclient" -makedepends="openssl-dev pth-dev mysql-dev postgresql-dev gdbm-dev readline-dev +depends="freeradius-radclient freeradius-lib" +makedepends="openssl-dev mysql-dev postgresql-dev gdbm-dev readline-dev bash libtool autoconf automake perl-dev python-dev openldap-dev - unixodbc-dev linux-pam-dev" -pkggroups="radiusd" -pkgusers="radiusd" + unixodbc-dev linux-pam-dev sqlite-dev" +pkggroups="radius" +pkgusers="radius" install="freeradius.pre-install" -subpackages="$pkgname-doc $pkgname-dev $pkgname-ldap $pkgname-lib - $pkgname-mssql $pkgname-mysql $pkgname-oracle $pkgname-perl - $pkgname-postgresql $pkgname-python $pkgname-radclient - $pkgname-unixodbc $pkgname-pam" +subpackages="$pkgname-doc $pkgname-dev $pkgname-dbg $pkgname-ldap $pkgname-lib + $pkgname-mssql $pkgname-mysql $pkgname-oracle $pkgname-perl + $pkgname-postgresql $pkgname-python $pkgname-radclient $pkgname-sqlite + $pkgname-unixodbc $pkgname-pam $pkgname-webif $pkgname-webif-doc" source="ftp://ftp.freeradius.org/pub/freeradius/$pkgname-server-$pkgver.tar.gz freeradius.confd freeradius.initd + CVE-2014-2015.patch " _builddir="$srcdir"/$pkgname-server-$pkgver prepare() { cd "$_builddir" -# for i in ../*.patch; do -# msg "Applying $i" -# patch -p1 -i $i || return 1 -# done - + for i in $source; do + case $i in + *.patch) + msg "Applying $i" + patch -p1 -i "$srcdir"/$i || return 1 + ;; + esac + done + update_config_sub || return 1 + # we dont have libnsl sed -i 's/nsl, //g' configure.in || return 1 - + # Fix compilation with heimdal >= 1.3.1 sed -i 's/ -DKRB5_DEPRECATED//' src/modules/rlm_krb5/Makefile.in || return 1 # Fix default config sed -i 's%run_dir = .*%run_dir = 
\$\{localstatedir\}/run/radius%' \ raddb/radiusd.conf.in || return 1 + # disable directive that pulls in freeradius-mysql package + sed -i 's%$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf%#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf%' \ + raddb/modules/dhcp_sqlippool || return 1 rm -f libtool.m4 libtoolize --force -c || return 1 @@ -49,11 +58,14 @@ prepare() { build() { cd "$_builddir" - ./configure --prefix=/usr \ + ./configure \ + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ --sysconfdir=/etc \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ - --localstatedir=/var \ + --localstatedir=/var \ --libdir=/usr/lib/freeradius \ --disable-static \ --enable-shared \ 
@@ -61,26 +73,36 @@ build() { --with-system-libtool \ --with-system-libltdl \ --with-udpfromto \ + --with-experimental-modules \ + --with-rlm_sql_sqlite \ + --without-rlm_sql_oracle \ + --without-rlm_sql_iodbc \ + --without-rlm_sql_firebird \ + --without-rlm_sql_db2 \ + --without-rlm_ruby \ + --without-rlm_rediswho \ + --without-rlm_redis \ + --without-rlm_krb5 \ || return 1 # * workaround parallel build issue # * add -lssl to fix: # radiusd: symbol 'SSL_set_ex_data': can't resolve symbol in lib # '/usr/lib/freeradius/libfreeradius-eap-2.1.10.so'. - make LDFLAGS="$LDFLAGS -lssl" LIBTOOL="$PWD/libtool" -j1 || return 1 + make LDFLAGS="$LDFLAGS -lssl" LIBTOOL="$PWD/libtool" || return 1 } package() { cd "$_builddir" - install -d -m0750 -o root -g radiusd "$pkgdir"/etc/raddb - install -d -m0770 -o root -g radiusd "$pkgdir"/var/run/radius - install -d -m0750 -o root -g radiusd "$pkgdir"/var/log/radius - install -d -m0750 -o root -g radiusd "$pkgdir"/var/log/radius/radacct + install -d -m0750 -o root -g radius "$pkgdir"/etc/raddb + install -d -m0750 -o radius -g radius "$pkgdir"/var/run/radius + install -d -m0750 -o radius -g radius "$pkgdir"/var/log/radius + install -d -m0750 -o radius -g radius "$pkgdir"/var/log/radius/radacct make -j1 R="$pkgdir" LIBTOOL="$PWD/libtool" install - sed -i -e 's:^#user *= *nobody:user = radiusd:;s:^#group *= *nobody:group = radiusd:' \ - "$pkgdir"/etc/raddb/radiusd.conf - chown -R root:radiusd "$pkgdir"/etc/raddb/* + #sed -i -e 's:^#user *= *radius:user = radiusd:;s:^#group *= *radius:group = radiusd:' \ + # "$pkgdir"/etc/raddb/radiusd.conf || exit 1 + chown -R root:radius "$pkgdir"/etc/raddb/* rm -f "$pkgdir/usr/sbin/rc.radiusd" install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/radiusd install -m644 -D "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/radiusd 
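Review bot: Commenting out the `sed` that set `user`/`group` in radiusd.conf, near the end of package(), looks like it removes the packaged privilege drop. The directories above it are now owned by `radius`, but nothing visible in this hunk tells the daemon to run as that account, and the init script touched by this commit falls back to `${RADIUSD_USER:-root}`. Unless radiusd.conf.in in 2.2.3 already ships active `user = radius` / `group = radius` lines (not visible here), I would keep the substitution with the new names: `sed -i -e 's:^#user *= *radius:user = radius:;s:^#group *= *radius:group = radius:' "$pkgdir"/etc/raddb/radiusd.conf || return 1`. Dropping `-j1` from `make` in build() also leaves the "workaround parallel build issue" comment above it stale. package() continues past the end of the hunk.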
@@ -91,94 +113,131 @@ package() { ldap() { depends="freeradius" mkdir -p $subpkgdir/etc/raddb - mv $pkgdir/etc/raddb/ldap.attrmap $subpkgdir/etc/raddb + mv $pkgdir/etc/raddb/ldap.attrmap $subpkgdir/etc/raddb || exit 1 mkdir -p $subpkgdir/etc/raddb/modules - mv $pkgdir/etc/raddb/modules/ldap $subpkgdir/etc/raddb/modules + mv $pkgdir/etc/raddb/modules/ldap $subpkgdir/etc/raddb/modules || exit 1 mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_ldap* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_ldap* $subpkgdir/usr/lib/freeradius || exit 1 } lib() { replaces="freeradius" depends="" mkdir -p $subpkgdir/usr/lib/freeradius $subpkgdir/etc/raddb \ - $subpkgdir/usr/share - mv $pkgdir/usr/lib/freeradius/libfreeradius-radius-${pkgver}.so \ - $subpkgdir/usr/lib/freeradius - mv $pkgdir/etc/raddb/dictionary $subpkgdir/etc/raddb/dictionary - mv $pkgdir/usr/share/freeradius $subpkgdir/usr/share/freeradius + $subpkgdir/usr/share || exit 1 + mv $pkgdir/usr/lib/freeradius/libfreeradius-*.so \ + $subpkgdir/usr/lib/freeradius || exit 1 + mv $pkgdir/etc/raddb/dictionary $subpkgdir/etc/raddb/dictionary || exit 1 + mv $pkgdir/usr/share/freeradius $subpkgdir/usr/share/freeradius || exit 1 } mysql() { depends="freeradius" mkdir -p $subpkgdir/etc/raddb/sql - mv $pkgdir/etc/raddb/sql/mysql $subpkgdir/etc/raddb/sql - mv $pkgdir/etc/raddb/sql/ndb $subpkgdir/etc/raddb/sql + mv $pkgdir/etc/raddb/sql/mysql $subpkgdir/etc/raddb/sql || exit 1 + mv $pkgdir/etc/raddb/sql/ndb $subpkgdir/etc/raddb/sql || exit 1 mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_sql_mysql* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_sql_mysql* $subpkgdir/usr/lib/freeradius || exit 1 } mssql() { depends="freeradius" arch="noarch" mkdir -p $subpkgdir/etc/raddb/sql - mv $pkgdir/etc/raddb/sql/mssql $subpkgdir/etc/raddb/sql + mv $pkgdir/etc/raddb/sql/mssql $subpkgdir/etc/raddb/sql || exit 1 } oracle() { depends="freeradius" 
arch="noarch" mkdir -p $subpkgdir/etc/raddb/sql - mv $pkgdir/etc/raddb/sql/oracle $subpkgdir/etc/raddb/sql + mv $pkgdir/etc/raddb/sql/oracle $subpkgdir/etc/raddb/sql || exit 1 } perl() { depends="freeradius perl" mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_perl* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_perl* $subpkgdir/usr/lib/freeradius || exit 1 mkdir -p $subpkgdir/usr/bin - mv $pkgdir/usr/sbin/checkrad $subpkgdir/usr/bin/checkrad + mv $pkgdir/usr/sbin/checkrad $subpkgdir/usr/bin/checkrad || exit 1 mkdir -p $subpkgdir/etc/raddb/modules - mv $pkgdir/etc/raddb/modules/perl $subpkgdir/etc/raddb/modules/perl + mv $pkgdir/etc/raddb/modules/perl $subpkgdir/etc/raddb/modules/perl || exit 1 } postgresql() { depends="freeradius" mkdir -p $subpkgdir/etc/raddb/sql - mv $pkgdir/etc/raddb/sql/postgresql $subpkgdir/etc/raddb/sql + mv $pkgdir/etc/raddb/sql/postgresql $subpkgdir/etc/raddb/sql || exit 1 mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_sql_postgresql* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_sql_postgresql* $subpkgdir/usr/lib/freeradius || exit 1 } python() { depends="freeradius python" mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_python* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_python* $subpkgdir/usr/lib/freeradius || exit 1 } radclient() { depends="" mkdir -p $subpkgdir/usr/bin - mv $pkgdir/usr/bin/radclient $subpkgdir/usr/bin/radclient + mv $pkgdir/usr/bin/radclient $subpkgdir/usr/bin/radclient || exit 1 +} + +sqlite() { + depends="freeradius" + mkdir -p $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_sql_sqlite* $subpkgdir/usr/lib/freeradius || exit 1 } unixodbc() { depends="freeradius" mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_sql_unixodbc* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_sql_unixodbc* $subpkgdir/usr/lib/freeradius 
|| exit 1 } pam() { depends="freeradius" mkdir -p $subpkgdir/usr/lib/freeradius - mv $pkgdir/usr/lib/freeradius/rlm_pam* $subpkgdir/usr/lib/freeradius + mv $pkgdir/usr/lib/freeradius/rlm_pam* $subpkgdir/usr/lib/freeradius || exit 1 } -md5sums="2e45d3c0d22ab14c560c7c3029893a8a freeradius-server-2.2.0.tar.gz + +webif() { + depends="php" + pkgdesc="Dialupadmin interface for FreeRADIUS" + arch="noarch" + mkdir -p $subpkgdir/usr/share/webapps/dialupadmin + mkdir -p $subpkgdir/usr/share/doc/freeradius/dialupadmin + mkdir -p $subpkgdir/etc/raddb/dialupadmin + for dir in bin htdocs html lib sql; + do + mv $_builddir/dialup_admin/$dir \ + $subpkgdir/usr/share/webapps/dialupadmin || exit 1 + done + mkdir -p $subpkgdir-doc/usr/share/doc/freeradius/dialupadmin + mv $_builddir/dialup_admin/doc/* \ + $subpkgdir-doc/usr/share/doc/freeradius/dialupadmin || exit 1 + mv $_builddir/dialup_admin/README \ + $subpkgdir-doc/usr/share/doc/freeradius/dialupadmin || exit 1 + mv $_builddir/dialup_admin/conf/* $subpkgdir/etc/raddb/dialupadmin || exit 1 + for file in $(ls $subpkgdir/usr/share/webapps/dialupadmin/bin) + do + sed -i "s|/usr/local/dialup_admin/conf|/etc/raddb/dialupadmin|g" \ + $subpkgdir/usr/share/webapps/dialupadmin/bin/$file + sed -i "s|/data/local/dialupadmin/conf|/etc/raddb/dialupadmin|g" \ + $subpkgdir/usr/share/webapps/dialupadmin/bin/$file + done +} + +md5sums="3186e75882c5aaed699da55be10511fe freeradius-server-2.2.3.tar.gz fc6693f3df5a0694610110287a28568a freeradius.confd -5d83f40bd5c3a5d4e4a5f43c29e7f0da freeradius.initd" -sha256sums="ac22eefe7bd7c1c2b4de28613e628fd3e9ccae08a00a103e5f75aac0927bf009 freeradius-server-2.2.0.tar.gz +b3eefdfc466d80c241cd1bb11face405 freeradius.initd +7dd09b1b0631f6bf126517e737c5e576 CVE-2014-2015.patch" +sha256sums="3be1e132f243ac53a7d35e0710bd116e8e126b64a1fc1198034195355072f593 freeradius-server-2.2.3.tar.gz 2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292 freeradius.confd 
-78b1de6399f99c16f761700024bcf171557a64060ef4801b04b65886fb2d365d freeradius.initd" -sha512sums="8652d27a292c3a8627c13b0bf12b829d3f2c50d82ed85eb342d1ec5c84ceabf8963907d50464a5907d2934f1b069a491411b1d5129efaaecefe4a30251b2b607 freeradius-server-2.2.0.tar.gz +719bbe4a44df60e76f68d327f7ee70d4dfd6a95e51f9cb01f850cd4ed153f9de freeradius.initd +d70b898811cbbb9d77d9863a7ba9b243b9782bdc767b586e4e9b8787558f1072 CVE-2014-2015.patch" +sha512sums="d51208d9926872292ef333bcf4e556a7fd06ac78def846c620422258c18ab77f98a22459a78bb92a35e684469d167a018ba2d47d894c32c7368a57e79fba9ede freeradius-server-2.2.3.tar.gz e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d610940bc4ae50c022594e219ce341b36abe85c572acad418b freeradius.confd -34c98c4ccded62aaa4a7539a9139288f7c39dbd8b6ca816c92cf6b0ae7546f81aa6c529dea943af5d8958cac2aad3d368a90f455ceaef725fce9fe5ef0cee84d freeradius.initd" +57f12f06ef9112817204dec4ab2591bcd4baf3c8a033afadb2376e115911f76045c70b7a2c80b294a83dac4e05b1ff22335a3bcc9af1c0760682622ab2cdbd31 freeradius.initd +62d98d8316e147d57de9ac05c05c9703c08bd23e294b95827c58fe976cb3bc5ce040d9e310ada552cb2350dde9e9e2c97e2160210cc1ab5d1ce35889000d7951 CVE-2014-2015.patch" diff --git a/main/freeradius/CVE-2014-2015.patch b/main/freeradius/CVE-2014-2015.patch new file mode 100644 index 0000000000..fbd5ff0833 --- /dev/null +++ b/main/freeradius/CVE-2014-2015.patch 
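Review bot: In webif(), `mkdir -p $subpkgdir/etc/raddb/dialupadmin` and the `mv $_builddir/dialup_admin/conf/*` that fills it leave the directory and files with default modes, while package() creates /etc/raddb as 0750 root:radius. If the dialup_admin configuration holds database or RADIUS credentials, which is likely but not visible in this diff, it would be readable by every local user. I would create the directory with an explicit mode and group, e.g. `install -d -m0750 -o root -g GROUP $subpkgdir/etc/raddb/dialupadmin` with GROUP being whichever group the PHP runtime uses, and check the file modes after the move. The two `sed -i` calls in the final loop are the only commands in this function without `|| exit 1`, and `for file in $(ls ...)` could be a plain glob.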
@@ -0,0 +1,35 @@
+From 0d606cfc29ab2e91764854e733d4525e6c667eb9 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Thu, 13 Feb 2014 09:29:35 -0500
+Subject: [PATCH] Increase buffer size. Use output buffer size as limit for
+ hex2bin
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
+index 8ef2152..1492a44 100644
+--- a/src/modules/rlm_pap/rlm_pap.c
++++ b/src/modules/rlm_pap/rlm_pap.c
+@@ -247,7 +247,7 @@ static int base64_decode (const char *src, uint8_t *dst)
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+ size_t decoded;
+- uint8_t buffer[64];
++ uint8_t buffer[256];
+
+ if (min_length >= sizeof(buffer)) return; /* paranoia */
+
+@@ -255,7 +255,7 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ * Hex encoding.
+ */
+ if (vp->length >= (2 * min_length)) {
+- decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
++ decoded = fr_hex2bin(vp->vp_strvalue, buffer, sizeof(buffer));
+ if (decoded == (vp->length >> 1)) {
+ RDEBUG2("Normalizing %s from hex encoding", vp->name);
+ memcpy(vp->vp_octets, buffer, decoded);
+--
+1.8.5.5
+
diff --git a/main/freeradius/freeradius.initd b/main/freeradius/freeradius.initd
index 8f9bbaa33b..2fd6d55c2a 100644
--- a/main/freeradius/freeradius.initd
+++ b/main/freeradius/freeradius.initd
@@ -44,7 +44,7 @@ checkconfig() { #radius.log is created before privileges drop; we need to set proper permissions on it [ -f radius.log ] || touch radius.log || return 1 - chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \ + chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radius && \ chmod -R u+rwX,g+rX . /var/run/radius || return 1 }
diff --git a/main/freeradius/freeradius.pre-install b/main/freeradius/freeradius.pre-install
index 04c48bb3fe..30ff04814e 100644
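Review bot: The carried patch bounds only the hex path of normify() by `sizeof(buffer)`; base64_decode(), whose signature in the first inner hunk header takes no destination length, presumably still writes into the same `buffer` further down in normify(), outside the hunk. Its safety would then rest on 256 bytes exceeding the longest value one attribute can decode to, which nothing in the visible lines enforces. This is upstream code, so I would not edit the patch itself, but the invariant is worth confirming against the 2.2.3 sources. A comment above the patch loop in prepare(), such as `# CVE-2014-2015.patch: upstream commit 0d606cfc, drop when a release includes it`, would keep the backport traceable.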
--- a/main/freeradius/freeradius.pre-install +++ b/main/freeradius/freeradius.pre-install @@ -1,6 +1,6 @@ #!/bin/sh -addgroup radiusd 2>/dev/null -adduser -S -G radiusd -h /var/log/radius -s /bin/false -D radiusd 2>/dev/null +addgroup radius 2>/dev/null +adduser -S -G radius -h /var/log/radius -s /sbin/nologin -D radius 2>/dev/null exit 0 |
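Review bot: Renaming the account in pre-install alone does not cover upgrades: as far as I know apk runs the pre-install script only on first installation, so a host upgrading from 2.2.0 keeps `radiusd` and never gets `radius`, while package() now installs /var/run/radius and /var/log/radius owned by `radius`. A `freeradius.pre-upgrade` with the same two commands, listed as `install="freeradius.pre-install freeradius.pre-upgrade"` in APKBUILD, would close that gap. Existing logs owned by `radiusd` and the leftover account would still need a documented migration step. Errors from `addgroup`/`adduser` remain hidden by `2>/dev/null` and `exit 0`, so a failed account creation is silent.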