Bug#782563: unblock: ppp/2.4.6-3.1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
radius plugin.
Thanks,
ema
diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog
--- ppp-2.4.6/debian/changelog 2014-10-19 11:56:12.000000000 +0200
+++ ppp-2.4.6/debian/changelog 2015-04-14 08:29:42.000000000 +0200
@@ -1,3 +1,16 @@
+ppp (2.4.6-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Urgency high due to fix for DoS vulnerability.
+ * Fix buffer overflow in rc_mksid().
+ The function converts the PID of pppd to hex to generate a pseudo-unique
+ string. If the process id is bigger than 65535 (FFFF), its hex
+ representation will be longer than 4 characters, resulting in a buffer
+ overflow. This bug can be exploited to cause a remote DoS.
+ (Closes: #782450)
+
+ -- Emanuele Rocca <ema@debian.org> Tue, 14 Apr 2015 08:18:06 +0200
+
ppp (2.4.6-3) unstable; urgency=high
* Urgency high due to fix for CVE-2014-3158.
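Review bot: The new changelog entry describes the rc_mksid() overflow without a CVE identifier, while the 2.4.6-3 entry directly below names CVE-2014-3158. If an identifier has been assigned for this issue, add it next to "(Closes: #782450)" so the security tracker can match the upload. The entry also explains the cause but not the fix; one line saying that the PID is now reduced to fit the four-digit field would help the release team read it without opening the patch.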
diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
--- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 2015-04-14 08:27:53.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Fix buffer overflow in rc_mksid()
+ rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+ .
+ If the process id is bigger than 65535 (FFFF), its hex representation will be
+ longer than 4 characters, resulting in a buffer overflow.
+ .
+ The bug can be exploited to cause a remote DoS.
+ .
+Author: Emanuele Rocca <ema@debian.org>
+Bug-Debian: https://bugs.debian.org/782450
+Last-Update: <2015-04-14>
+
+--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
++++ ppp-2.4.6/pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+ static unsigned short int cnt = 0;
+ sprintf (buf, "%08lX%04X%02hX",
+ (unsigned long int) time (NULL),
+- (unsigned int) getpid (),
++ (unsigned int) getpid () % 65535,
+ cnt & 0xFF);
+ cnt++;
+ return buf;
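Review bot: In the rc_mksid hunk, only the PID argument is bounded; the sprintf call stays unbounded, and `%08lX` and `%04X` are minimum widths, not limits. The first field has the same problem in principle: `(unsigned long int) time (NULL)` prints more than 8 hex digits where unsigned long is 64 bits and the value exceeds 0xFFFFFFFF. Suggest snprintf with the size of buf (its declaration is outside the hunk), or masking each argument to its field width. For the PID, `& 0xFFFF` keeps the whole four-digit range, whereas `% 65535` yields 0 to 65534, so a PID of 65535 produces 0000. Minor: the header line `Last-Update: <2015-04-14>` carries template angle brackets; DEP-3 expects the bare date.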
diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series
--- ppp-2.4.6/debian/patches/series 2014-10-19 11:49:55.000000000 +0200
+++ ppp-2.4.6/debian/patches/series 2015-04-14 08:17:39.000000000 +0200
@@ -43,3 +43,4 @@
resolv.conf_no_log
zzz_config
secure-card-interpreter-fix
+rc_mksid-no-buffer-overflow