Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
radius plugin.

Thanks,
  ema

diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog
--- ppp-2.4.6/debian/changelog  2014-10-19 11:56:12.000000000 +0200
+++ ppp-2.4.6/debian/changelog  2015-04-14 08:29:42.000000000 +0200
@@ -1,3 +1,16 @@
+ppp (2.4.6-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Urgency high due to fix for DoS vulnerability.
+  * Fix buffer overflow in rc_mksid().
+    The function converts the PID of pppd to hex to generate a pseudo-unique
+    string. If the process id is bigger than 65535 (FFFF), its hex
+    representation will be longer than 4 characters, resulting in a buffer
+    overflow. This bug can be exploited to cause a remote DoS.
+    (Closes: #782450)
+
+ -- Emanuele Rocca <e...@debian.org>  Tue, 14 Apr 2015 08:18:06 +0200
+
 ppp (2.4.6-3) unstable; urgency=high
 
   * Urgency high due to fix for CVE-2014-3158.
diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 
ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
--- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow        1970-01-01 
01:00:00.000000000 +0100
+++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow        2015-04-14 
08:27:53.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Fix buffer overflow in rc_mksid()
+ rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+ .
+ If the process id is bigger than 65535 (FFFF), its hex representation will be
+ longer than 4 characters, resulting in a buffer overflow.
+ .
+ The bug can be exploited to cause a remote DoS.
+ .
+Author: Emanuele Rocca <e...@debian.org>
+Bug-Debian: https://bugs.debian.org/782450
+Last-Update: <2015-04-14>
+
+--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
++++ ppp-2.4.6/pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+   static unsigned short int cnt = 0;
+   sprintf (buf, "%08lX%04X%02hX",
+          (unsigned long int) time (NULL),
+-         (unsigned int) getpid (),
++         (unsigned int) getpid () % 65535,
+          cnt & 0xFF);
+   cnt++;
+   return buf;
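Review bot: the sprintf call in rc_mksid() is still unbounded after this change, so the overflow is avoided only as long as every argument happens to fit its field. `%08lX` and `%04X` set minimum widths, not maximums, and the declaration of buf is outside this hunk, so its size cannot be checked from here. If buf is a fixed-size array, snprintf (buf, sizeof buf, ...) would enforce the bound at the write itself. Separately, on the `(unsigned int) getpid () % 65535` line the modulus gives 0..65534, so PID 65535 maps to 0 and FFFF is never produced; `& 0xFFFF` would use the full four-digit range and match the `cnt & 0xFF` masking on the following line.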
diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series
--- ppp-2.4.6/debian/patches/series     2014-10-19 11:49:55.000000000 +0200
+++ ppp-2.4.6/debian/patches/series     2015-04-14 08:17:39.000000000 +0200
@@ -43,3 +43,4 @@
 resolv.conf_no_log
 zzz_config
 secure-card-interpreter-fix
+rc_mksid-no-buffer-overflow

