On 14/04/2015 07:48, Emanuele Rocca wrote:
> NMU diff attached.

> ppp_2.4.6-3.1-nmu.diff

> diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 
> ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
> --- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow      1970-01-01 
> 01:00:00.000000000 +0100
> +++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow      2015-04-14 
> 08:27:53.000000000 +0200
> @@ -0,0 +1,23 @@
> +Description: Fix buffer overflow in rc_mksid()
> + rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
> + .
> + If the process id is bigger than 65535 (FFFF), its hex representation will 
> be
> + longer than 4 characters, resulting in a buffer overflow.
> + .
> + The bug can be exploited to cause a remote DoS.
> + .
> +Author: Emanuele Rocca <e...@debian.org>
> +Bug-Debian: https://bugs.debian.org/782450
> +Last-Update: <2015-04-14>
> +
> +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
> ++++ ppp-2.4.6/pppd/plugins/radius/util.c
> +@@ -77,7 +77,7 @@ rc_mksid (void)
> +   static unsigned short int cnt = 0;
> +   sprintf (buf, "%08lX%04X%02hX",
> +        (unsigned long int) time (NULL),
> +-       (unsigned int) getpid (),
> ++       (unsigned int) getpid () % 65535,

Shouldn't this be 65536? If you're trying to limit to 0xFFFF then 65535 is too
small. "getpid () & 0xFFFF" might be clearer than using the modulus operator
and should have exactly the same effect.

> +        cnt & 0xFF);
> +   cnt++;
> +   return buf;
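Review bot: `(unsigned int) getpid () % 65535` does keep the `%04X` field to four hex digits (the result is in 0..65534), but it is not the 16-bit truncation the description implies: 65535 itself maps to 0 and 65536 to 1, so pids are folded onto different values than with `& 0xFFFF`; `getpid () & 0xFFFF` states the intent directly. Separately, the write is still an unbounded `sprintf (buf, ...)` and `%08lX` / `%04X` are minimum widths, so consider `snprintf (buf, sizeof buf, ...)` (if `buf` is an array; its declaration is outside the hunk) so that any future widening of a field cannot overflow again, and the description line "bigger than 65535" could note that the modulus also changes 65535 itself.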


Roger
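As an added example (not code from the thread or from ppp itself), the snippet below measures how many characters the original `"%08lX%04X%02hX"` format produces for a given pid, compares the two fixes discussed in the thread (`% 65535` versus `& 0xFFFF`), and shows a bounded variant of the formatting. The 15-byte buffer size is an assumption: the declaration of `buf` is not in the quoted hunk, 15 is simply the smallest size the format string implies.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* "%08lX%04X%02hX" yields 8 + 4 + 2 = 14 characters when every field fits,
 * so the smallest buffer the original code can have been sized for is 15
 * bytes (assumption: the real size of buf is not shown in the thread). */
#define SID_CHARS 14
#define SID_BUFSZ (SID_CHARS + 1)

/* Number of characters the unpatched format writes for a given pid, measured
 * with snprintf(NULL, 0, ...) so nothing is written. %04X is a minimum
 * width, so pids above 0xFFFF expand to five or more digits. */
size_t sid_chars_for_pid(unsigned long t, unsigned int pid, unsigned short cnt)
{
    int n = snprintf(NULL, 0, "%08lX%04X%02hX", t, pid, (unsigned short)(cnt & 0xFF));
    return n < 0 ? 0 : (size_t) n;
}

/* 1 if the original sprintf into a SID_BUFSZ buffer would overflow for this pid. */
int original_overflows(unsigned int pid)
{
    return sid_chars_for_pid(0UL, pid, 0) + 1 > SID_BUFSZ;
}

/* The two candidate fixes from the thread. Both keep the pid field at four
 * hex digits, but they fold pids differently: 65535 % 65535 == 0 while
 * 65535 & 0xFFFF == 65535. */
unsigned int pid_fix_modulus(unsigned int pid) { return pid % 65535; }
unsigned int pid_fix_mask(unsigned int pid)    { return pid & 0xFFFFu; }

/* Hardened variant: mask the pid AND bound the write with snprintf, so a
 * future change to the format or the buffer cannot overflow silently.
 * Returns 0 on success, -1 (and an empty string) if output was truncated. */
int mksid_bounded(char *buf, size_t bufsz, unsigned long t, unsigned int pid, unsigned short cnt)
{
    int n = snprintf(buf, bufsz, "%08lX%04X%02hX", t, pid_fix_mask(pid), (unsigned short)(cnt & 0xFF));
    if (n < 0 || (size_t) n >= bufsz) {
        if (bufsz) buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[SID_BUFSZ];
    unsigned int pid = 70000u; /* constructed pid above 0xFFFF */
    printf("pid %u: original needs %zu chars, overflow=%d\n", pid,
           sid_chars_for_pid((unsigned long) time(NULL), pid, 0), original_overflows(pid));
    printf("bounded: rc=%d sid=%s\n", mksid_bounded(buf, sizeof buf, (unsigned long) time(NULL), pid, 0), buf);
    return 0;
}
```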

