Compare commits
6 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
aa7c98ea33 | ||
|
27889ba5ca | ||
|
2adf79112c | ||
|
bab4af81ee | ||
|
d5b32b19e1 | ||
|
493c048e0d |
@ -0,0 +1,58 @@
|
||||
From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001
|
||||
From: Paul Mackerras <paulus@samba.org>
|
||||
Date: Fri, 1 Aug 2014 16:05:42 +1000
|
||||
Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing
|
||||
|
||||
When we are reading in a word from an options file, we maintain a count
|
||||
of the length we have seen so far in 'len', which is an int. When len
|
||||
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
|
||||
buffer but we continue to increment len. Since len is an int, it will
|
||||
wrap around to -2147483648 after it reaches 2147483647. At that point
|
||||
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
|
||||
characters to memory again.
|
||||
|
||||
This may enable an attacker to overwrite the heap and thereby corrupt
|
||||
security-relevant variables. For this reason it has been assigned a
|
||||
CVE identifier, CVE-2014-3158.
|
||||
|
||||
This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
|
||||
|
||||
Reported-by: Lee Campbell <leecam@google.com>
|
||||
Signed-off-by: Paul Mackerras <paulus@samba.org>
|
||||
---
|
||||
pppd/options.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/pppd/options.c b/pppd/options.c
|
||||
index 45fa742..e9042d1 100644
|
||||
--- a/pppd/options.c
|
||||
+++ b/pppd/options.c
|
||||
@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
|
||||
/*
|
||||
* Store the resulting character for the escape sequence.
|
||||
*/
|
||||
- if (len < MAXWORDLEN-1)
|
||||
+ if (len < MAXWORDLEN) {
|
||||
word[len] = value;
|
||||
- ++len;
|
||||
+ ++len;
|
||||
+ }
|
||||
|
||||
if (!got)
|
||||
c = getc(f);
|
||||
@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
|
||||
/*
|
||||
* An ordinary character: store it in the word and get another.
|
||||
*/
|
||||
- if (len < MAXWORDLEN-1)
|
||||
+ if (len < MAXWORDLEN) {
|
||||
word[len] = c;
|
||||
- ++len;
|
||||
+ ++len;
|
||||
+ }
|
||||
|
||||
c = getc(f);
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
19
ppp.spec
19
ppp.spec
@ -38,6 +38,7 @@ Patch32: ppp-2.4.5-l2tp-multilink.patch
|
||||
Patch33: ppp-2.4.5-radius-config.patch
|
||||
Patch34: ppp-2.4.5-crypt.patch
|
||||
Patch35: ppp-2.4.5-hardened.patch
|
||||
Patch36: 0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch
|
||||
|
||||
BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd
|
||||
Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd
|
||||
@ -91,6 +92,7 @@ This package contains the header files for building plugins for ppp.
|
||||
%patch33 -p1 -b .radius
|
||||
%patch34 -p1 -b .crypt
|
||||
%patch35 -p1 -b .hardened
|
||||
%patch36 -p1 -b .cve-2014-3158
|
||||
|
||||
rm -f scripts/*.local
|
||||
rm -f scripts/*.change_resolv_conf
|
||||
@ -171,25 +173,26 @@ mkdir -p %{_localstatedir}/lock/ppp 2>&1 >/dev/null || :
|
||||
%doc PLUGINS
|
||||
|
||||
%changelog
|
||||
* Thu Aug 01 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-33
|
||||
* Tue Aug 12 2014 Michal Sekletar <msekleta@redhat.com> - 2.4.5-33
|
||||
- Fix for CVE-2014-3158
|
||||
|
||||
* Thu Aug 01 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
|
||||
- fix post installation scriptlet
|
||||
|
||||
* Fri Jul 12 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
|
||||
* Tue Jul 30 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
|
||||
- don't ship /var/lock/ppp in rpm payload and create it in %post instead
|
||||
- fix installation of tmpfiles.d configuration
|
||||
- enable hardened build
|
||||
- fix bogus dates in changelog
|
||||
- compile all binaries with hardening flags
|
||||
|
||||
* Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
|
||||
* Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
|
||||
- fix possible NULL pointer dereferencing
|
||||
|
||||
* Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
|
||||
* Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-29
|
||||
- make radius plugin config parser less strict
|
||||
- resolves : #906913
|
||||
|
||||
* Wed Mar 20 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-29
|
||||
- Add creation of dip system group
|
||||
- add creation of dip system group
|
||||
- resolves : #906913, #918296
|
||||
|
||||
* Wed Mar 20 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-28
|
||||
- Add /etc/logrotate.d to files section since we no longer hard depend on logrotate
|
||||
|
Loading…
Reference in New Issue
Block a user