Bug#782563: unblock: ppp/2.4.6-3.1
Control: tags -1 d-i
Hi,
On Tue, Apr 14, 2015 at 11:18:34AM +0200, Emanuele Rocca wrote:
> Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
> radius plugin.
This needs a d-i ack (Cc'ed kibi, diff quoted below).
Cheers,
Ivo
> diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog
> --- ppp-2.4.6/debian/changelog 2014-10-19 11:56:12.000000000 +0200
> +++ ppp-2.4.6/debian/changelog 2015-04-14 08:29:42.000000000 +0200
> @@ -1,3 +1,16 @@
> +ppp (2.4.6-3.1) unstable; urgency=high
> +
> + * Non-maintainer upload.
> + * Urgency high due to fix for DoS vulnerability.
> + * Fix buffer overflow in rc_mksid().
> + The function converts the PID of pppd to hex to generate a pseudo-unique
> + string. If the process id is bigger than 65535 (FFFF), its hex
> + representation will be longer than 4 characters, resulting in a buffer
> + overflow. This bug can be exploited to cause a remote DoS.
> + (Closes: #782450)
> +
> + -- Emanuele Rocca <ema@debian.org> Tue, 14 Apr 2015 08:18:06 +0200
> +
> ppp (2.4.6-3) unstable; urgency=high
>
> * Urgency high due to fix for CVE-2014-3158.
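Review bot: The new 2.4.6-3.1 entry describes the bug in rc_mksid() but not the remedy or where it lives. Extending the "Fix buffer overflow in rc_mksid()" item to say that the PID is reduced before formatting, and to name debian/patches/rc_mksid-no-buffer-overflow, would let a reader of the changelog locate the change without opening the diff.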
> diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
> --- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 1970-01-01 01:00:00.000000000 +0100
> +++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 2015-04-14 08:27:53.000000000 +0200
> @@ -0,0 +1,23 @@
> +Description: Fix buffer overflow in rc_mksid()
> + rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
> + .
> + If the process id is bigger than 65535 (FFFF), its hex representation will be
> + longer than 4 characters, resulting in a buffer overflow.
> + .
> + The bug can be exploited to cause a remote DoS.
> + .
> +Author: Emanuele Rocca <ema@debian.org>
> +Bug-Debian: https://bugs.debian.org/782450
> +Last-Update: <2015-04-14>
> +
> +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
> ++++ ppp-2.4.6/pppd/plugins/radius/util.c
> +@@ -77,7 +77,7 @@ rc_mksid (void)
> + static unsigned short int cnt = 0;
> + sprintf (buf, "%08lX%04X%02hX",
> + (unsigned long int) time (NULL),
> +- (unsigned int) getpid (),
> ++ (unsigned int) getpid () % 65535,
> + cnt & 0xFF);
> + cnt++;
> + return buf;
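Review bot: The sprintf call in rc_mksid() is still unbounded after this change. The widths in "%08lX%04X%02hX" are minimums, so only the PID field is now guaranteed to stay at 4 characters; the first field, (unsigned long int) time (NULL), can still print more than 8 hex digits where unsigned long is 64 bits wide and the value exceeds 0xFFFFFFFF. The declaration of buf is outside the visible context, so its size cannot be checked from this hunk; if it is a fixed-size array, using snprintf with sizeof buf would bound the write whatever the arguments are. A smaller point on the changed line: "% 65535" yields 0..65534, so FFFF is never produced and PID 65535 maps to 0; "& 0xFFFF" would keep the full 16-bit range and match the "cnt & 0xFF" mask on the following line.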
> diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series
> --- ppp-2.4.6/debian/patches/series 2014-10-19 11:49:55.000000000 +0200
> +++ ppp-2.4.6/debian/patches/series 2015-04-14 08:17:39.000000000 +0200
> @@ -43,3 +43,4 @@
> resolv.conf_no_log
> zzz_config
> secure-card-interpreter-fix
> +rc_mksid-no-buffer-overflow