Hello community,

here is the log from the commit of package ppp for openSUSE:Factory checked in at 2020-02-15 22:23:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ppp (Old)
 and      /work/SRC/openSUSE:Factory/.ppp.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ppp" Sat Feb 15 22:23:36 2020 rev:39 rq:772130 version:2.4.7 Changes: -------- --- /work/SRC/openSUSE:Factory/ppp/ppp.changes 2018-10-12 13:09:17.419419666 +0200 +++ /work/SRC/openSUSE:Factory/.ppp.new.26092/ppp.changes 2020-02-15 22:23:40.567253142 +0100 @@ -1,0 +2,6 @@ +Fri Feb 7 14:30:35 UTC 2020 - Reinhard Max <m...@suse.com> + +- CVE-2020-8597, bsc#1162610, ppp-CVE-2020-8597.patch: rhostname + buffer overflow in the eap_request and eap_response functions. + +------------------------------------------------------------------- New: ---- ppp-CVE-2020-8597.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ppp.spec ++++++ --- /var/tmp/diff_new_pack.BE6pyL/_old 2020-02-15 22:23:41.323253551 +0100 +++ /var/tmp/diff_new_pack.BE6pyL/_new 2020-02-15 22:23:41.327253553 +0100 @@ -1,7 +1,7 @@ # # spec file for package ppp # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -75,6 +75,7 @@ Patch24: ppp-CVE-2015-3310.patch Patch25: fix-header-conflict.patch Patch26: ppp-2.4.7-DES-openssl.patch +Patch27: ppp-CVE-2020-8597.patch BuildRequires: libpcap-devel BuildRequires: linux-atm-devel BuildRequires: openssl-devel @@ -146,6 +147,7 @@ %patch24 %patch25 -p1 %patch26 -p1 +%patch27 sed -i -e '1s/local\///' scripts/secure-card find scripts -type f | xargs chmod a-x find -type f -name '*.orig' | xargs rm -f ++++++ ppp-CVE-2020-8597.patch ++++++ >From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 
From: Paul Mackerras <pau...@ozlabs.org> Date: Mon, 3 Feb 2020 15:53:28 +1100 Subject: [PATCH] pppd: Fix bounds check in EAP code Given that we have just checked vallen < len, it can never be the case that vallen >= len + sizeof(rhostname). This fixes the check so we actually avoid overflowing the rhostname array. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Paul Mackerras <pau...@ozlabs.org> --- pppd/eap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- pppd/eap.c.orig +++ pppd/eap.c @@ -1421,7 +1421,7 @@ int len; } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { dbglog("EAP: trimming really long peer name down"); BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0'; @@ -1847,7 +1847,7 @@ int len; } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { dbglog("EAP: trimming really long peer name down"); BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0';
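Review bot: in the ppp.spec `%prep` hunk, `%patch27` is applied without `-p1`, unlike the neighbouring `%patch25 -p1` and `%patch26 -p1`. That is consistent with the patch file's own headers (`--- pppd/eap.c.orig` / `+++ pppd/eap.c`), which carry no `a/` or `b/` prefix and therefore need strip level 0, but it means the spec and the patch headers must stay in step: if ppp-CVE-2020-8597.patch is ever regenerated straight from upstream commit 8d7970b8 with git-style prefixes, the apply line has to become `%patch27 -p1` at the same time.

Review bot: in the first pppd/eap.c hunk (`@@ -1421`), the new condition `len - vallen >= sizeof (rhostname)` is only correct because, as the commit message states, vallen has already been checked against len just above; `len` is an `int` (visible in the hunk header) while `sizeof` yields `size_t`, so the difference is converted to an unsigned type for the comparison. A negative difference would therefore read as a very large value and select the trimming branch, which copies a fixed `sizeof (rhostname) - 1` bytes and NUL-terminates inside the array, so even that unexpected case fails safe. The old condition `vallen >= len + sizeof (rhostname)` could never hold once vallen <= len, so the trimming branch was dead code and every peer name went to the untrimmed copy; the rewritten check fires exactly when the name would not fit. `-Wsign-compare` builds will warn on the int/size_t comparison; writing `(size_t)(len - vallen) >= sizeof (rhostname)` would silence the warning and make the reliance on the earlier length check explicit.

Review bot: the second pppd/eap.c hunk (`@@ -1847`) is byte-for-byte the same fix applied to a duplicated block of code, with the same `int len` / `size_t` mixed comparison and the same `dbglog` / `BCOPY` / terminator sequence. Having to patch the identical bounds check in two places is itself the review finding: a follow-up that moves the peer-name extraction into one shared helper used by both call sites would keep the two copies from diverging again, and is worth raising upstream alongside this CVE fix.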