Bug#782563: unblock: ppp/2.4.6-3.1

To: submit@bugs.debian.org
Subject: Bug#782563: unblock: ppp/2.4.6-3.1
From: Emanuele Rocca <ema@linux.it>
Date: Tue, 14 Apr 2015 11:18:34 +0200
Message-id: <[🔎] 20150414091834.GA16132@aspi>
Reply-to: Emanuele Rocca <ema@linux.it>, 782563@bugs.debian.org

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
radius plugin.

Thanks,
  ema

diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog
--- ppp-2.4.6/debian/changelog	2014-10-19 11:56:12.000000000 +0200
+++ ppp-2.4.6/debian/changelog	2015-04-14 08:29:42.000000000 +0200
@@ -1,3 +1,16 @@
+ppp (2.4.6-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Urgency high due to fix for DoS vulnerability.
+  * Fix buffer overflow in rc_mksid().
+    The function converts the PID of pppd to hex to generate a pseudo-unique
+    string. If the process id is bigger than 65535 (FFFF), its hex
+    representation will be longer than 4 characters, resulting in a buffer
+    overflow. This bug can be exploited to cause a remote DoS.
+    (Closes: #782450)
+
+ -- Emanuele Rocca <ema@debian.org>  Tue, 14 Apr 2015 08:18:06 +0200
+
 ppp (2.4.6-3) unstable; urgency=high
 
   * Urgency high due to fix for CVE-2014-3158.
diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
--- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	2015-04-14 08:27:53.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Fix buffer overflow in rc_mksid()
+ rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+ .
+ If the process id is bigger than 65535 (FFFF), its hex representation will be
+ longer than 4 characters, resulting in a buffer overflow.
+ .
+ The bug can be exploited to cause a remote DoS.
+ .
+Author: Emanuele Rocca <ema@debian.org>
+Bug-Debian: https://bugs.debian.org/782450
+Last-Update: <2015-04-14>
+
+--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
++++ ppp-2.4.6/pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+   static unsigned short int cnt = 0;
+   sprintf (buf, "%08lX%04X%02hX",
+ 	   (unsigned long int) time (NULL),
+-	   (unsigned int) getpid (),
++	   (unsigned int) getpid () % 65535,
+ 	   cnt & 0xFF);
+   cnt++;
+   return buf;
diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series
--- ppp-2.4.6/debian/patches/series	2014-10-19 11:49:55.000000000 +0200
+++ ppp-2.4.6/debian/patches/series	2015-04-14 08:17:39.000000000 +0200
@@ -43,3 +43,4 @@
 resolv.conf_no_log
 zzz_config
 secure-card-interpreter-fix
+rc_mksid-no-buffer-overflow

Reply to:

Follow-Ups:
- Processed: Re: Bug#782563: unblock: ppp/2.4.6-3.1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#782563: unblock: ppp/2.4.6-3.1
  - From: Ivo De Decker <ivodd@debian.org>
- Processed: Re: Bug#782563: unblock: ppp/2.4.6-3.1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#782563: marked as done (unblock: ppp/2.4.6-3.1)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#782520: unblock: rinse/3.0.9
Next by Date: Bug#782565: unblock: commons-httpclient/3.1-11
Previous by thread: Bug#782520: unblock: rinse/3.0.9
Next by thread: Processed: Re: Bug#782563: unblock: ppp/2.4.6-3.1
Index(es):
- Date
- Thread