pppd: fix for CVE-2014-3158

(cherry picked from commit 7658e8257183f062dc01f87969c140707c7e52cb)

7658e82571

0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch

@@ -0,0 +1,58 @@
+From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@samba.org>
+Date: Fri, 1 Aug 2014 16:05:42 +1000
+Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing
+
+When we are reading in a word from an options file, we maintain a count
+of the length we have seen so far in 'len', which is an int.  When len
+exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
+buffer but we continue to increment len.  Since len is an int, it will
+wrap around to -2147483648 after it reaches 2147483647.  At that point
+our test of (len < MAXWORDLEN-1) will succeed and we will start writing
+characters to memory again.
+
+This may enable an attacker to overwrite the heap and thereby corrupt
+security-relevant variables.  For this reason it has been assigned a
+CVE identifier, CVE-2014-3158.
+
+This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
+
+Reported-by: Lee Campbell <leecam@google.com>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+---
+ pppd/options.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/pppd/options.c b/pppd/options.c
+index 45fa742..e9042d1 100644
+--- a/pppd/options.c
++++ b/pppd/options.c
+@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
+ 	    /*
+ 	     * Store the resulting character for the escape sequence.
+ 	     */
+-	    if (len < MAXWORDLEN-1)
++	    if (len < MAXWORDLEN) {
+ 		word[len] = value;
+-	    ++len;
++		++len;
++	    }
+ 
+ 	    if (!got)
+ 		c = getc(f);
+@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
+ 	/*
+ 	 * An ordinary character: store it in the word and get another.
+ 	 */
+-	if (len < MAXWORDLEN-1)
++	if (len < MAXWORDLEN) {
+ 	    word[len] = c;
+-	++len;
++	    ++len;
++	}
+ 
+ 	c = getc(f);
+     }
+-- 
+1.8.3.1
+

ppp.spec

@@ -3,7 +3,7 @@
 Summary: The Point-to-Point Protocol daemon
 Name: ppp
 Version: 2.4.5
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
 Group: System Environment/Daemons
 URL: http://www.samba.org/ppp
@@ -38,6 +38,7 @@ Patch32: ppp-2.4.5-l2tp-multilink.patch
 Patch33: ppp-2.4.5-radius-config.patch
 Patch34: ppp-2.4.5-crypt.patch
 Patch35: ppp-2.4.5-hardened.patch
+Patch36: 0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch
 
 BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd
 Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd
@@ -91,6 +92,7 @@ This package contains the header files for building plugins for ppp.
 %patch33 -p1 -b .radius
 %patch34 -p1 -b .crypt
 %patch35 -p1 -b .hardened
+%patch36 -p1 -b .cve-2014-3158
 
 rm -f scripts/*.local
 rm -f scripts/*.change_resolv_conf
@@ -171,6 +173,9 @@ mkdir -p %{_localstatedir}/lock/ppp 2>&1 >/dev/null || :
 %doc PLUGINS
 
 %changelog
+* Tue Aug 12 2014 Michal Sekletar <msekleta@redhat.com> - 2.4.5-33
+- Fix for CVE-2014-3158
+
 * Thu Aug 01 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
 - fix post installation scriptlet