Python Module with FreeRADIUS 3.0.15

Gary Gwin garygwin at gmail.com
Wed Dec 13 21:00:02 CET 2017


Is anyone using the 3.0.15 release with the Python module on Ubuntu 14.04
(trusty)?

Could FR-AD-002 (v3) have broken?

Gary

FR-AD-002 (v3) String lifetime issues in rlm_python

Issue: The PySys_SetPath() and PySys_SetName() functions require a
long-lived pointer to the path / name.

Impact: Potential crash.

Exploit vector: Administrators who have write access to the server
configuration files.

Fix: Use a long-lived string instead of a short-lived one. Fixed in
FR-AD-002.

CVE: No CVE has been released as this issue has no impact, and exploitation
does not cross a privilege boundary in a correct and realistic product
deployment.

On Tue, Dec 12, 2017 at 6:01 PM, Gary Gwin <garygwin at gmail.com> wrote:

> Trying to implement just the basic Python example as documented is not
> working with the FreeRADIUS 3.0.15 build on Ubuntu 14.04. After enabling
> and running "freeradius -X", FreeRADIUS exits with only this:
>
> # Instantiating module "python" from file /etc/freeradius/mods-enabled/python
> Python version: 2.7.6 (default, Oct 26 2016, 20:33:43)  [GCC 4.8.4]
>
> Other than enabling the python module, the only other change was to
> enable the python_path and uncomment the "func_authorize = authorize" line
> in mods-available/python. The example.pyc is not created.
>
> Everything was working swimmingly under FreeRADIUS 3.0.12.
>
> Any ideas?
>
> Thanks,
>
> Gary
>

