Ubuntu
freeradius package

smbencrypt segfaults when run with any parameter

Bug #2042824 reported by Roman Smid
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
freeradius (Ubuntu)
Invalid
Undecided
Unassigned
Jammy
Fix Released
Undecided
Graham Inggs

Bug Description

[ Impact ]

 A segmentation fault occurs when a user tries to to obtain a pair of NTLM hashes in plain text using smbencrypt.
 The reason behind this is that the NTLM protocol uses MD4 and MD5 algorithms that have been declared cryptographically broken (also sha1) and moved to legacy providers since openssl3 [1].
 Therefore, to use those algorithms, smbscrypt has to be able to load them: this imported upstream fixup does that.

[ Test Plan ]

#0.Prepare a Jammy VM or Container. i.e:
# lxc launch ubuntu-daily:jammy Jfreeradius
# lxc shell Jfreeradius

## Bad Case

#1. Install freeradius-utils
# apt update && apt upgrade -y
# apt install -y freeradius-utils

#2.Raise the issue by running
# smbencrypt test
root@Jfreeradius:~# smbencrypt test
LM Hash NT Hash
-------------------------------- --------------------------------
Segmentation fault (core dumped)

## Good case (after upgrading to proposed package in this SRU)
# apt update && apt upgrade -y freeradius-utils
# smbencrypt test
root@Jfreeradius:~# smbencrypt test
LM Hash NT Hash
-------------------------------- --------------------------------
01FC5A6BE7BC6929AAD3B435B51404EE 0CB6948805F797BF2A82807973B89537

[ Where problems could occur ]

The fix comes from upstream and is already part of the versions present in Lunar, Mantic and Noble: we can then consider that it is well-tested and supported.

Bringing a non-recommended algorithm is never good from a security point of view, with exceptions: this is one of those exceptions because the NTML protocol is based on those algorithms, and this tool for the freeRADIUS client is specifically for that, without further ado. The community is aware of this, and why SMB still uses this protocol, I think, is interesting but out of the scope of this SRU.

Also, and to finish, smbencrypt is a small tool to help LDAP admins that is not called by anything else within the freeRADIUS suite, so it is almost non-existent the risk of breaking something (except ad-hoc scripts that use it, but that must be broken at the time of writing this due to this bug).

[ Other Info ]

The same package was fixed in the same way when Jammy was still our development release [2].

[1] https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
[2] https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1962046

[Original Report]
------------------------------------------------------------
This is due to this bug:
https://github.com/FreeRADIUS/freeradius-server/issues/4539
Please update the packages if possible.
Thank you.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: freeradius-utils 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1
ProcVersionSignature: Ubuntu 5.15.0-88.98-generic 5.15.126
Uname: Linux 5.15.0-88-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
Date: Mon Nov 6 11:25:39 2023
InstallationDate: Installed on 2023-01-06 (303 days ago)
InstallationMedia: Ubuntu-Server 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: freeradius
UpgradeStatus: No upgrade log present (probably fresh install)

See original description

Related branches

~mirespace/ubuntu/+source/freeradius:lp2042824-2042824-segfaults-j
git-ubuntu bot: Approve
Graham Inggs (community): Approve
Canonical Server Reporter: Pending requested
Diff: 136 lines (+114/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/avoid-smbencrypt-segfault-with-openssl3-fixes.patch (+105/-0)
debian/patches/series (+1/-0)
Revision history for this message
Roman Smid (smid-v) wrote :
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to report this bug and trying to make Ubuntu better.

I was able to reproduce the bug in a Jammy container by just installing freeradius-utils and running 'smbencrypt test'.

After taking a look at the bug, this seems to be the upstream patch to fix this issue:

https://github.com/FreeRADIUS/freeradius-server/commit/25114031a868e37256b4292f3898c0e050cab1d0

Changed in freeradius (Ubuntu):
status: New → Triaged
tags: added: bitesize
Changed in freeradius (Ubuntu Jammy):
status: New → Triaged
Changed in freeradius (Ubuntu):
status: Triaged → Invalid
Robie Basak (racb)
tags: added: server-todo
Miriam España Acebal (mirespace)
Changed in freeradius (Ubuntu Jammy):
assignee: nobody → Miriam España Acebal (mirespace)
Miriam España Acebal (mirespace)
Changed in freeradius (Ubuntu Jammy):
status: Triaged → In Progress
Miriam España Acebal (mirespace)
description: updated
Revision history for this message
Graham Inggs (ginggs) wrote :

I sponsored the upload of freeradius 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2, now waiting for approval in the Jammy queue.

Changed in freeradius (Ubuntu Jammy):
assignee: Miriam España Acebal (mirespace) → Graham Inggs (ginggs)
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Roman, or anyone else affected,

Accepted freeradius into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/freeradius/3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in freeradius (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Miriam España Acebal (mirespace) wrote :

All OK in Jammy:

root@Jfreeradius:~# apt list --upgradable | grep freeradius

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

freeradius-common/jammy-proposed 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 all [upgradable from: 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1]
freeradius-config/jammy-proposed 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 [upgradable from: 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1]
freeradius-utils/jammy-proposed 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 [upgradable from: 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1]
freeradius/jammy-proposed 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 [upgradable from: 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1]
libfreeradius3/jammy-proposed 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 [upgradable from: 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1]

#Upgrading ...
root@Jfreeradius:~# dpkg -l | grep freeradius
ii freeradius 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 high-performance and highly configurable RADIUS server
ii freeradius-common 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 all FreeRADIUS common files
ii freeradius-config 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 FreeRADIUS default config files
ii freeradius-utils 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 FreeRADIUS client utilities
ii libfreeradius3 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2 amd64 FreeRADIUS shared library

#Testing OK...

root@Jfreeradius:~# smbencrypt test
LM Hash NT Hash
-------------------------------- --------------------------------
01FC5A6BE7BC6929AAD3B435B51404EE 0CB6948805F797BF2A82807973B89537
root@Jfreeradius:~#

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Revision history for this message
Robie Basak (racb) wrote :

It is good to have checked that the bug itself is fixed. But before releasing, could we do something to ensure that freeradius itself still works please, and hasn't been regressed by eg. some difference in build dependencies or a non-deterministic build?

Revision history for this message
Robie Basak (racb) wrote :

Some basic smoke test would be fine, as would a smoke autopkgtest that has passed. But I don't see that in the Test Plan but think it's important enough to have _something_ at least.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

freeradius has a non-trivial DEP8 test collection[1], I think that would satisfy the smoke test and more. Currently, though, the DEP8 infrastructure is rebuilding its database[2] and the results are not available.

1. https://git.launchpad.net/ubuntu/+source/freeradius/tree/debian/tests?h=ubuntu/jammy-devel
2. https://discourse.ubuntu.com/t/autopkgtest-service/34490 which currently has this paragraph:
"""
The database is currently [2024-01-31] being recreated to recover it from corruption. Some results are currently not accessible via the web page. Expect slowness in operations that require a database query.
"""

Revision history for this message
Alan DeKok (aland-freeradius) wrote : Re: [Bug 2042824] smbencrypt segfaults when run with any parameter

On Jan 31, 2024, at 12:50 PM, Andreas Hasenack <email address hidden> wrote:
>
> freeradius has a non-trivial DEP8 test collection[1], I think that would
> satisfy the smoke test and more. Currently, though, the DEP8
> infrastructure is rebuilding its database[2] and the results are not
> available.

  The server also comes with tests included with the source. After building the server, you can do:

 make test

  It will run a suite of tests, including sending / receiving packets, and verifying that MS-CHAP works.

Revision history for this message
Robie Basak (racb) wrote :

Sorry for the delay in releasing this. autopkgtests should be sufficient then but https://autopkgtest.ubuntu.com/packages/f/freeradius doesn't show any results for Jammy. I've enquired in #ubuntu-devel just now.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm trying to find the autopkgtest results

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The infrastructure is still handling the DB rebuild, so results are not easy to fetch.

I just triggered a test manually, and got this log:
https://objectstorage.prodstack5.canonical.com/swift/v1/AUTH_0f9aae918d5b4744bf7b827671c86842/autopkgtest-jammy/jammy/amd64/f/freeradius/20240208_183808_83c31@/log.gz

That is from today, and shows the tests passing, including the d/t/test-freeradius.py python one which tests pap, chap, mschap and eap-md5, with valid and invalid users.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeradius - 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2

---------------
freeradius (3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.2) jammy; urgency=medium

  * d/p/avoid-smbencrypt-segfault-with-openssl3-fixes.patch: load the
    OpenSSL legacy providers and use OpenSSL3 init for MD4/MD5
    (LP: #2042824).

 -- Miriam España Acebal <email address hidden> Fri, 12 Jan 2024 17:59:58 +0100

Changed in freeradius (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for freeradius has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.