
Bug#782563: marked as done (unblock: ppp/2.4.6-3.1)



Your message dated Tue, 14 Apr 2015 18:05:39 +0200
with message-id <20150414160539.GA20967@ugent.be>
and subject line Re: Bug#782563: unblock: ppp/2.4.6-3.1
has caused the Debian Bug report #782563,
regarding unblock: ppp/2.4.6-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782563: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782563
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
radius plugin.

Thanks,
  ema

diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog
--- ppp-2.4.6/debian/changelog	2014-10-19 11:56:12.000000000 +0200
+++ ppp-2.4.6/debian/changelog	2015-04-14 08:29:42.000000000 +0200
@@ -1,3 +1,16 @@
+ppp (2.4.6-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Urgency high due to fix for DoS vulnerability.
+  * Fix buffer overflow in rc_mksid().
+    The function converts the PID of pppd to hex to generate a pseudo-unique
+    string. If the process id is bigger than 65535 (FFFF), its hex
+    representation will be longer than 4 characters, resulting in a buffer
+    overflow. This bug can be exploited to cause a remote DoS.
+    (Closes: #782450)
+
+ -- Emanuele Rocca <ema@debian.org>  Tue, 14 Apr 2015 08:18:06 +0200
+
 ppp (2.4.6-3) unstable; urgency=high
 
   * Urgency high due to fix for CVE-2014-3158.
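Review bot: the new 2.4.6-3.1 entry explains the overflow but says neither how it is fixed nor where the fix lives. Naming the patch (debian/patches/rc_mksid-no-buffer-overflow) and adding a phrase such as "by reducing the PID modulo 65535" would let someone reading only the changelog see that the generated string changes for large PIDs.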
diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
--- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	2015-04-14 08:27:53.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Fix buffer overflow in rc_mksid()
+ rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+ .
+ If the process id is bigger than 65535 (FFFF), its hex representation will be
+ longer than 4 characters, resulting in a buffer overflow.
+ .
+ The bug can be exploited to cause a remote DoS.
+ .
+Author: Emanuele Rocca <ema@debian.org>
+Bug-Debian: https://bugs.debian.org/782450
+Last-Update: <2015-04-14>
+
+--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
++++ ppp-2.4.6/pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+   static unsigned short int cnt = 0;
+   sprintf (buf, "%08lX%04X%02hX",
+ 	   (unsigned long int) time (NULL),
+-	   (unsigned int) getpid (),
++	   (unsigned int) getpid () % 65535,
+ 	   cnt & 0xFF);
+   cnt++;
+   return buf;
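Review bot: the changed `getpid () % 65535` argument bounds only the PID field, while the `sprintf (buf, "%08lX%04X%02hX", ...)` call itself stays unbounded. The widths in that format are minimums, so the `%08lX` field can still print more than 8 digits if `(unsigned long int) time (NULL)` exceeds 0xFFFFFFFF. Suggest `snprintf` with the size of `buf` (its declaration is outside the visible context) and `& 0xFFFF` in place of `% 65535`, which matches the `cnt & 0xFF` masking on the next argument and keeps the full four-digit range. Either way, PIDs that differ by a multiple of the modulus now yield the same field, which is worth stating in the Description since the string is meant to be pseudo-unique. In the header, `Last-Update: <2015-04-14>` should carry the bare date `2015-04-14`.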
diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series
--- ppp-2.4.6/debian/patches/series	2014-10-19 11:49:55.000000000 +0200
+++ ppp-2.4.6/debian/patches/series	2015-04-14 08:17:39.000000000 +0200
@@ -43,3 +43,4 @@
 resolv.conf_no_log
 zzz_config
 secure-card-interpreter-fix
+rc_mksid-no-buffer-overflow

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Apr 14, 2015 at 05:55:13PM +0200, Cyril Brulebois wrote:
> > On Tue, Apr 14, 2015 at 11:18:34AM +0200, Emanuele Rocca wrote:
> > > Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
> > > radius plugin.
> > 
> > This needs a d-i ack (Cc'ed kibi, diff quoted below).
> 
> Fun… no objections, thanks.

OK, add unblock and unblock-udeb.

Cheers,

Ivo

--- End Message ---
