
Bug#782563: unblock: ppp/2.4.6-3.1



Control: tags -1 d-i

Hi,

On Tue, Apr 14, 2015 at 11:18:34AM +0200, Emanuele Rocca wrote:
> Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
> radius plugin.

This needs a d-i ack (Cc'ed kibi, diff quoted below).

Cheers,

Ivo

> diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog
> --- ppp-2.4.6/debian/changelog	2014-10-19 11:56:12.000000000 +0200
> +++ ppp-2.4.6/debian/changelog	2015-04-14 08:29:42.000000000 +0200
> @@ -1,3 +1,16 @@
> +ppp (2.4.6-3.1) unstable; urgency=high
> +
> +  * Non-maintainer upload.
> +  * Urgency high due to fix for DoS vulnerability.
> +  * Fix buffer overflow in rc_mksid().
> +    The function converts the PID of pppd to hex to generate a pseudo-unique
> +    string. If the process id is bigger than 65535 (FFFF), its hex
> +    representation will be longer than 4 characters, resulting in a buffer
> +    overflow. This bug can be exploited to cause a remote DoS.
> +    (Closes: #782450)
> +
> + -- Emanuele Rocca <ema@debian.org>  Tue, 14 Apr 2015 08:18:06 +0200
> +
>  ppp (2.4.6-3) unstable; urgency=high
>  
>    * Urgency high due to fix for CVE-2014-3158.
> diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
> --- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	1970-01-01 01:00:00.000000000 +0100
> +++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	2015-04-14 08:27:53.000000000 +0200
> @@ -0,0 +1,23 @@
> +Description: Fix buffer overflow in rc_mksid()
> + rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
> + .
> + If the process id is bigger than 65535 (FFFF), its hex representation will be
> + longer than 4 characters, resulting in a buffer overflow.
> + .
> + The bug can be exploited to cause a remote DoS.
> + .
> +Author: Emanuele Rocca <ema@debian.org>
> +Bug-Debian: https://bugs.debian.org/782450
> +Last-Update: <2015-04-14>
> +
> +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
> ++++ ppp-2.4.6/pppd/plugins/radius/util.c
> +@@ -77,7 +77,7 @@ rc_mksid (void)
> +   static unsigned short int cnt = 0;
> +   sprintf (buf, "%08lX%04X%02hX",
> + 	   (unsigned long int) time (NULL),
> +-	   (unsigned int) getpid (),
> ++	   (unsigned int) getpid () % 65535,
> + 	   cnt & 0xFF);
> +   cnt++;
> +   return buf;
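
Review bot: The sprintf() into buf is still unbounded after the change to the getpid() argument. Only the PID field is capped; `%08lX` for the time value is a minimum width, so an unsigned long above 0xFFFFFFFF would print more than 8 hex digits. The size of buf is not visible in this hunk, so I would bound the write itself (snprintf with the buffer size) rather than rely on each argument fitting its field. Also, `% 65535` yields 0..65534, so PIDs that differ by a multiple of 65535 now share the same field value; `& 0xFFFF` would match the `cnt & 0xFF` idiom on the following line and use the full 4-digit range. In the patch header, `Last-Update: <2015-04-14>` carries angle brackets that look like leftover template text.
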
> diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series
> --- ppp-2.4.6/debian/patches/series	2014-10-19 11:49:55.000000000 +0200
> +++ ppp-2.4.6/debian/patches/series	2015-04-14 08:17:39.000000000 +0200
> @@ -43,3 +43,4 @@
>  resolv.conf_no_log
>  zzz_config
>  secure-card-interpreter-fix
> +rc_mksid-no-buffer-overflow

