Compare commits
6 Commits
Author | SHA1 | Date |
---|---|---|
|
aa7c98ea33 | |
|
27889ba5ca | |
|
2adf79112c | |
|
bab4af81ee | |
|
d5b32b19e1 | |
|
493c048e0d |
|
@ -0,0 +1,58 @@
|
||||||
|
From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paul Mackerras <paulus@samba.org>
|
||||||
|
Date: Fri, 1 Aug 2014 16:05:42 +1000
|
||||||
|
Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing
|
||||||
|
|
||||||
|
When we are reading in a word from an options file, we maintain a count
|
||||||
|
of the length we have seen so far in 'len', which is an int. When len
|
||||||
|
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
|
||||||
|
buffer but we continue to increment len. Since len is an int, it will
|
||||||
|
wrap around to -2147483648 after it reaches 2147483647. At that point
|
||||||
|
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
|
||||||
|
characters to memory again.
|
||||||
|
|
||||||
|
This may enable an attacker to overwrite the heap and thereby corrupt
|
||||||
|
security-relevant variables. For this reason it has been assigned a
|
||||||
|
CVE identifier, CVE-2014-3158.
|
||||||
|
|
||||||
|
This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
|
||||||
|
|
||||||
|
Reported-by: Lee Campbell <leecam@google.com>
|
||||||
|
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
||||||
|
---
|
||||||
|
pppd/options.c | 10 ++++++----
|
||||||
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/pppd/options.c b/pppd/options.c
|
||||||
|
index 45fa742..e9042d1 100644
|
||||||
|
--- a/pppd/options.c
|
||||||
|
+++ b/pppd/options.c
|
||||||
|
@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
|
||||||
|
/*
|
||||||
|
* Store the resulting character for the escape sequence.
|
||||||
|
*/
|
||||||
|
- if (len < MAXWORDLEN-1)
|
||||||
|
+ if (len < MAXWORDLEN) {
|
||||||
|
word[len] = value;
|
||||||
|
- ++len;
|
||||||
|
+ ++len;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (!got)
|
||||||
|
c = getc(f);
|
||||||
|
@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
|
||||||
|
/*
|
||||||
|
* An ordinary character: store it in the word and get another.
|
||||||
|
*/
|
||||||
|
- if (len < MAXWORDLEN-1)
|
||||||
|
+ if (len < MAXWORDLEN) {
|
||||||
|
word[len] = c;
|
||||||
|
- ++len;
|
||||||
|
+ ++len;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
c = getc(f);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.8.3.1
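Review bot: Both rewritten guards in getword() (the escape-sequence store in the hunk at 1289 and the ordinary-character store in the hunk at 1330) now permit a write at index MAXWORDLEN-1, one position further than the old `len < MAXWORDLEN-1` test did, and neither hunk shows how large `word` is or where the terminating NUL is written. The change is safe only if every caller passes a buffer of at least MAXWORDLEN bytes and the code after the loop clamps `len` before storing the terminator; both lie outside the hunks and should be confirmed against the full function. I would also add a comment at each guard so a later cleanup does not move the increment back out, for example `/* ++len stays inside the guard: len saturates at MAXWORDLEN and can never wrap negative */`. getword() starts and ends outside both hunks.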
|
||||||
|
|
19
ppp.spec
19
ppp.spec
|
@ -38,6 +38,7 @@ Patch32: ppp-2.4.5-l2tp-multilink.patch
|
||||||
Patch33: ppp-2.4.5-radius-config.patch
|
Patch33: ppp-2.4.5-radius-config.patch
|
||||||
Patch34: ppp-2.4.5-crypt.patch
|
Patch34: ppp-2.4.5-crypt.patch
|
||||||
Patch35: ppp-2.4.5-hardened.patch
|
Patch35: ppp-2.4.5-hardened.patch
|
||||||
|
Patch36: 0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch
|
||||||
|
|
||||||
BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd
|
BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd
|
||||||
Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd
|
Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd
|
||||||
|
@ -91,6 +92,7 @@ This package contains the header files for building plugins for ppp.
|
||||||
%patch33 -p1 -b .radius
|
%patch33 -p1 -b .radius
|
||||||
%patch34 -p1 -b .crypt
|
%patch34 -p1 -b .crypt
|
||||||
%patch35 -p1 -b .hardened
|
%patch35 -p1 -b .hardened
|
||||||
|
%patch36 -p1 -b .cve-2014-3158
|
||||||
|
|
||||||
rm -f scripts/*.local
|
rm -f scripts/*.local
|
||||||
rm -f scripts/*.change_resolv_conf
|
rm -f scripts/*.change_resolv_conf
|
||||||
|
@ -171,25 +173,26 @@ mkdir -p %{_localstatedir}/lock/ppp 2>&1 >/dev/null || :
|
||||||
%doc PLUGINS
|
%doc PLUGINS
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Aug 01 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-33
|
* Tue Aug 12 2014 Michal Sekletar <msekleta@redhat.com> - 2.4.5-33
|
||||||
|
- Fix for CVE-2014-3158
|
||||||
|
|
||||||
|
* Thu Aug 01 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
|
||||||
- fix post installation scriptlet
|
- fix post installation scriptlet
|
||||||
|
|
||||||
* Fri Jul 12 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
|
* Tue Jul 30 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
|
||||||
- don't ship /var/lock/ppp in rpm payload and create it in %post instead
|
- don't ship /var/lock/ppp in rpm payload and create it in %post instead
|
||||||
- fix installation of tmpfiles.d configuration
|
- fix installation of tmpfiles.d configuration
|
||||||
- enable hardened build
|
- enable hardened build
|
||||||
- fix bogus dates in changelog
|
- fix bogus dates in changelog
|
||||||
- compile all binaries with hardening flags
|
- compile all binaries with hardening flags
|
||||||
|
|
||||||
* Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
|
* Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
|
||||||
- fix possible NULL pointer dereferencing
|
- fix possible NULL pointer dereferencing
|
||||||
|
|
||||||
* Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
|
* Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-29
|
||||||
- make radius plugin config parser less strict
|
- make radius plugin config parser less strict
|
||||||
- resolves : #906913
|
- add creation of dip system group
|
||||||
|
- resolves : #906913, #918296
|
||||||
* Wed Mar 20 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-29
|
|
||||||
- Add creation of dip system group
|
|
||||||
|
|
||||||
* Wed Mar 20 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-28
|
* Wed Mar 20 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-28
|
||||||
- Add /etc/logrotate.d to files section since we no longer hard depend on logrotate
|
- Add /etc/logrotate.d to files section since we no longer hard depend on logrotate
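Review bot: The new changelog entry records the CVE-2014-3158 fix as 2.4.5-33, which, as rendered here, is the same version-release the previous top entry already carried, and no visible hunk touches the `Release:` tag. If a 2.4.5-33 build was already published, the patched package could not be told apart from the vulnerable one by version and would not be offered as an update, so confirm that `Release:` (outside the visible hunks) was bumped and that the new entry's number matches it. The same hunk appears to renumber the older entries (33 to 32, 32 to 31, and so on), which rewrites the release history that auditors and vulnerability scanners compare against; the commit description should say why.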
|
||||||
|
|