On Thu, 2014-10-16 at 01:36 +0200, Marco d'Itri wrote:
> On Oct 16, Andrew Bartlett <abartlet+deb...@catalyst.net.nz> wrote:
>
> > I've prepared a fix for CVE-2014-3158, an integer overflow potentially
> > permitting a user in the dip group to abuse the privileges of the setuid
> > root pppd binary by supplying a very, very long options line in
> > ~/.ppprc.
> Is this actually known to be exploitable?
This is the one bit I haven't proven yet. I didn't have the patience to
generate a 2G config line to test, but it will read the user's .ppprc
file while setuid. The variable the user could overflow is on the stack,
so I'm assuming all the usual stack smashing attacks apply.

> If you believe that it is worth fixing then your changes look fine to
> me.

Thanks. How do you wish to proceed?

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
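The bug class under discussion, as an added illustration that is not pppd's code or the patch from this thread: a word reader that guards the copy into a fixed stack buffer but keeps advancing its length counter for every input byte, so the counter eventually wraps and the guard passes again. The counter is shrunk to 8 bits (assumption, to make the wrap visible with 300 bytes instead of roughly 2 GiB) and kept unsigned so the demo itself has defined behaviour; the hardened variant and all names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAXWORD 16  /* hypothetical size of the stack buffer for one option word */

/* Counter-wrap hazard.  Only the copy is guarded; the counter itself is not.
 * With a full-size signed int the wrapped value goes negative and word[len]
 * lands below the buffer on the stack.  With the 8-bit unsigned counter used
 * here the wrap simply lets the guard pass again, which is what we count.
 * Returns how many bytes were stored into word. */
size_t read_word_unsafe(const char *line, size_t n, char *out)
{
    char word[MAXWORD];
    uint8_t len = 0;
    size_t writes = 0;
    for (size_t i = 0; i < n && line[i] != ' '; i++) {
        if (len < MAXWORD - 1) {   /* true again once len wraps to 0 */
            word[len] = line[i];
            writes++;
        }
        len++;                     /* unbounded: wraps modulo 256 */
    }
    word[len < MAXWORD ? len : MAXWORD - 1] = '\0';
    memcpy(out, word, MAXWORD);
    return writes;
}

/* One hardening (an assumption, not the project's fix): the counter never
 * moves past the buffer, and over-long input is reported to the caller so
 * the option line can be rejected instead of silently truncated.
 * Returns the stored length. */
int read_word_safe(const char *line, size_t n, char *out, size_t outsz,
                   size_t *truncated)
{
    size_t len = 0;
    *truncated = 0;
    for (size_t i = 0; i < n && line[i] != ' '; i++) {
        if (len < outsz - 1)
            out[len++] = line[i];  /* counter advances only while in bounds */
        else
            *truncated = 1;
    }
    out[len] = '\0';
    return (int)len;
}
```

In a real reader the counter is a full int, so the wrap needs about 2 GiB of input, which is why the message above talks about a 2G config line.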