[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

proposed fix for ppp CVE-2014-3158

I've prepared a a fix for CVE-2014-3158, an integer overflow potentially
permitting a user in the dip group to abuse the privileges of the setuid
root pppd binary by supplying a very, very long options line in
~/.ppprc.

Please review the attached debdiff for squeeze-lts (the other
distributions also need a fix).

This is my first fix for squeeze-lts, so I'm using this lower-impact
issue to learn the ropes, so feedback most welcome.  I'm also not yet a
Debian Maintainer, but will apply for that soon so I can also do the
announcement next time. 

Thanks!

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




diff -u ppp-2.4.5/debian/changelog ppp-2.4.5/debian/changelog
--- ppp-2.4.5/debian/changelog
+++ ppp-2.4.5/debian/changelog
@@ -1,3 +1,12 @@
+ppp (2.4.5-4+deb6u1) squeeze-lts; urgency=high
+
+  * Non-maintainer upload.
+  * Backport fix for CVE-2014-3158 (Bug: 762789 integer overflow in 
+    option parsing) from 
+    https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb
+
+ -- Andrew Bartlett <abartlet+debian@catalyst.net.nz>  Wed, 15 Oct 2014 23:00:47 +0000
+
 ppp (2.4.5-4) unstable; urgency=low
 
   * Make sure to actually rebuild pppd for the udeb instead of using the
diff -u ppp-2.4.5/debian/patches/series ppp-2.4.5/debian/patches/series
--- ppp-2.4.5/debian/patches/series
+++ ppp-2.4.5/debian/patches/series
@@ -1,5 +1,6 @@
 # pulled from upstream
 git-20100307
+CVE-2014-3158.patch
 
 # to be merged upstream
 pppoatm_no_modprobe
only in patch2:
unchanged:
--- ppp-2.4.5.orig/debian/patches/CVE-2014-3158.patch
+++ ppp-2.4.5/debian/patches/CVE-2014-3158.patch
@@ -0,0 +1,55 @@
+From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@samba.org>
+Date: Fri, 1 Aug 2014 16:05:42 +1000
+Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing
+
+When we are reading in a word from an options file, we maintain a count
+of the length we have seen so far in 'len', which is an int.  When len
+exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
+buffer but we continue to increment len.  Since len is an int, it will
+wrap around to -2147483648 after it reaches 2147483647.  At that point
+our test of (len < MAXWORDLEN-1) will succeed and we will start writing
+characters to memory again.
+
+This may enable an attacker to overwrite the heap and thereby corrupt
+security-relevant variables.  For this reason it has been assigned a
+CVE identifier, CVE-2014-3158.
+
+This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
+
+Reported-by: Lee Campbell <leecam@google.com>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+---
+ pppd/options.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/pppd/options.c b/pppd/options.c
+index 45fa742..e9042d1 100644
+--- a/pppd/options.c
++++ b/pppd/options.c
+@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
+ 	    /*
+ 	     * Store the resulting character for the escape sequence.
+ 	     */
+-	    if (len < MAXWORDLEN-1)
++	    if (len < MAXWORDLEN) {
+ 		word[len] = value;
+-	    ++len;
++		++len;
++	    }
+ 
+ 	    if (!got)
+ 		c = getc(f);
+@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
+ 	/*
+ 	 * An ordinary character: store it in the word and get another.
+ 	 */
+-	if (len < MAXWORDLEN-1)
++	if (len < MAXWORDLEN) {
+ 	    word[len] = c;
+-	++len;
++	    ++len;
++	}
+ 
+ 	c = getc(f);
+     }

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: