[Pkg-freeradius-maintainers] Bug#1120965: trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u2
Bernhard Schmidt
berni at debian.org
Tue Nov 18 21:20:53 GMT 2025
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: freeradius at packages.debian.org
Control: affects -1 + src:freeradius
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
FreeRADIUS 3.2.7 in Trixie contains a bug that causes it to segfault
when a certificate chain with two intermediate certificates is loaded, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
https://github.com/FreeRADIUS/freeradius-server/issues/5515
It can be fixed by backporting a single commit from 3.2.8, therefore
unstable is already fixed.
The issue was found, the patch prepared and verified by OdyX.
[ Impact ]
Segmentation fault when a new certificate chain is loaded
[ Tests ]
Fix verified by Didier 'OdyX' Raboud
FreeRADIUS has some non-trivial autopkgtests, however they do not test
EAP/TLS-related code paths
[ Risks ]
Verified fix, direct backport of a commit released with a later upstream
version
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- Backporting fix
- Change salsa-ci to run in trixie
[ Other info ]
As CAs tend to change their intermediate structure and may introduce
intermediates with certificate refreshes (as has happened here for the
original reporter) I consider this somewhat urgent. Therefore I would
like to push this to proposed as soon as possible.
-------------- next part --------------
diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog
--- freeradius-3.2.7+dfsg/debian/changelog 2025-10-01 19:36:38.000000000 +0200
+++ freeradius-3.2.7+dfsg/debian/changelog 2025-11-18 21:51:33.000000000 +0100
@@ -1,3 +1,11 @@
+freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium
+
+ [ Didier Raboud ]
+ * Backport patch to fix segfaults on TLS connections with more than one
+ intermediate certificate (Closes: #1120927)
+
+ -- Bernhard Schmidt <berni at debian.org> Tue, 18 Nov 2025 21:51:33 +0100
+
freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium
* Non-maintainer upload.
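Review bot: The new changelog entry closes the Debian bug but gives no pointer to the upstream origin of the backported change; since the patch header itself says "Fixes #5515", adding the upstream issue reference to the changelog line (e.g. "... intermediate certificate (Closes: #1120927, upstream issue #5515)") makes the provenance of the stable update traceable without opening the patch file.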
diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series
--- freeradius-3.2.7+dfsg/debian/patches/series 2025-10-01 19:31:39.000000000 +0200
+++ freeradius-3.2.7+dfsg/debian/patches/series 2025-11-18 21:51:33.000000000 +0100
@@ -6,3 +6,4 @@
dont-install-tests.diff
snakeoil-certs.diff
fips.patch
+wrap-crl_dp-checks-in-if-certs--lookup-=.patch
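Review bot: The patch file name `wrap-crl_dp-checks-in-if-certs--lookup-=.patch` is mechanically derived from the commit subject and ends up with a stray `=` and a double hyphen, which is awkward to quote and says nothing about the symptom; a descriptive name such as `fix-segfault-crl-dp-multiple-intermediates.patch` (renamed consistently here and in `debian/patches/`) would match the style of the neighbouring entries like `snakeoil-certs.diff` and `fips.patch`. Appending it as the last entry in the series is correct, as it only touches `src/main/tls.c`.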
diff -Nru freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
--- freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch 1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch 2025-11-18 21:51:33.000000000 +0100
@@ -0,0 +1,63 @@
+From: Alan T. DeKok <aland at freeradius.org>
+Date: Wed, 12 Feb 2025 07:03:13 -0500
+X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0 05125f178649b7af17a1dc81642b91c937f4d93a
+Subject: wrap crl_dp checks in if (certs && (lookup <= 1). Fixes #5515
+
+
+---
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 2e97940..2821b93 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3077,30 +3077,33 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ /*
+ * Get the Certificate Distribution points
+ */
+- crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+- if (crl_dp) {
+- DIST_POINT *dp;
+- const char *url_ptr;
++ if (certs && (lookup <= 1)) {
++ crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+
+- for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+- size_t len;
+- char cdp[1024];
++ if (crl_dp) {
++ DIST_POINT *dp;
++ const char *url_ptr;
+
+- dp = sk_DIST_POINT_value(crl_dp, i);
+- if (!dp) continue;
++ for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
++ size_t len;
++ char cdp[1024];
+
+- url_ptr = get_cdp_url(dp);
+- if (!url_ptr) continue;
++ dp = sk_DIST_POINT_value(crl_dp, i);
++ if (!dp) continue;
+
+- len = strlen(url_ptr);
+- if (len >= sizeof(cdp)) continue;
++ url_ptr = get_cdp_url(dp);
++ if (!url_ptr) continue;
+
+- memcpy(cdp, url_ptr, len + 1);
++ len = strlen(url_ptr);
++ if (len >= sizeof(cdp)) continue;
+
+- vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+- rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++ memcpy(cdp, url_ptr, len + 1);
++
++ vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
++ rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++ }
++ sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ }
+- sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ }
+
+ /*
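Review bot: The substantive change is the new guard `if (certs && (lookup <= 1))` around the whole CRL distribution point block: in the old code `cert_attr_names[FR_TLS_CDP][lookup]` was indexed, and `fr_pair_make(talloc_ctx, certs, ...)` was called, for every depth at which `cbtls_verify()` runs, while the new code only does so for the first two chain positions and only when `certs` is non-NULL, which is consistent with the crash appearing once a chain has two intermediates (depth 2 and beyond). Moving `sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free)` inside the `if (crl_dp)` block is a no-op behaviour-wise and reads better, and the re-indentation is what makes the hunk large rather than any further logic change. Two metadata points on the file header: it carries a `X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0 ...` line that leaks a local dgit version string and should be dropped from a patch shipped in the package, and it lacks DEP-3 `Origin:` (the upstream commit URL) and `Bug-Debian: https://bugs.debian.org/1120927` / `Bug: https://github.com/FreeRADIUS/freeradius-server/issues/5515` headers, which is what a later maintainer will need to confirm the backport against 3.2.8.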
diff -Nru freeradius-3.2.7+dfsg/debian/salsa-ci.yml freeradius-3.2.7+dfsg/debian/salsa-ci.yml
--- freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-02-10 22:50:22.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-11-18 21:51:33.000000000 +0100
@@ -3,7 +3,7 @@
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
variables:
- RELEASE: 'unstable'
+ RELEASE: 'trixie'
# mark currently failing tests as allowed to fail
blhc:
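Review bot: This `RELEASE: 'unstable'` to `RELEASE: 'trixie'` switch is listed under "[ Changes ]" in the mail but does not appear in the new `debian/changelog` entry, although the checklist asserts that all changes are documented there; either add a line such as "* Run salsa-ci pipeline against trixie" to the changelog or leave it out of the debdiff, since it has no effect on the built package. The value itself is correct for a stable update branch, so the CI pipeline exercises the suite the upload actually targets.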