Re: proposed fix for ppp CVE-2014-3158

To: Andrew Bartlett <abartlet+debian@catalyst.net.nz>
Cc: debian-lts@lists.debian.org, 762789@bugs.debian.org, jelmer@samba.org
Subject: Re: proposed fix for ppp CVE-2014-3158
From: Marco d'Itri <md@linux.it>
Date: Thu, 16 Oct 2014 01:36:48 +0200
Message-id: <[🔎] 20141015233648.GA25217@bongo.bofh.it>
Mail-followup-to: Marco d'Itri <md@linux.it>, Andrew Bartlett <abartlet+debian@catalyst.net.nz>, debian-lts@lists.debian.org, 762789@bugs.debian.org, jelmer@samba.org
In-reply-to: <[🔎] 1413415966.16906.2.camel@catalyst.net.nz>
References: <[🔎] 1413415966.16906.2.camel@catalyst.net.nz>

On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:

> I've prepared a a fix for CVE-2014-3158, an integer overflow potentially
> permitting a user in the dip group to abuse the privileges of the setuid
> root pppd binary by supplying a very, very long options line in
> ~/.ppprc.
Is this actually known to be exploitable?
If you believe that it is worth fixing then your changes look fine to 
me.

-- 
ciao,
Marco

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: proposed fix for ppp CVE-2014-3158
  - From: Andrew Bartlett <abartlet+debian@catalyst.net.nz>

References:
- proposed fix for ppp CVE-2014-3158
  - From: Andrew Bartlett <abartlet+debian@catalyst.net.nz>

Prev by Date: Re: Please test new apache2 2.2.16-6+squeeze14
Next by Date: proposed fix for ppp CVE-2014-3158
Previous by thread: proposed fix for ppp CVE-2014-3158
Next by thread: Re: proposed fix for ppp CVE-2014-3158
Index(es):
- Date
- Thread