[ppp/f20] pppd: fix for CVE-2014-3158

Michal Sekletar msekleta at fedoraproject.org
Tue Aug 12 07:18:26 UTC 2014


commit b872351abe2c594aae2a65bcfbc4d2611d311f05
Author: Michal Sekletar <msekleta at redhat.com>
Date:   Tue Aug 12 09:16:08 2014 +0200

    pppd: fix for CVE-2014-3158
    
    (cherry picked from commit 7658e8257183f062dc01f87969c140707c7e52cb)
    
    https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb

 ...ate-potential-integer-overflow-in-option-.patch |   58 ++++++++++++++++++++
 ppp.spec                                           |    7 ++-
 2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch b/0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch
new file mode 100644
index 0000000..8816362
--- /dev/null
+++ b/0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch
@@ -0,0 +1,58 @@
+From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus at samba.org>
+Date: Fri, 1 Aug 2014 16:05:42 +1000
+Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing
+
+When we are reading in a word from an options file, we maintain a count
+of the length we have seen so far in 'len', which is an int.  When len
+exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
+buffer but we continue to increment len.  Since len is an int, it will
+wrap around to -2147483648 after it reaches 2147483647.  At that point
+our test of (len < MAXWORDLEN-1) will succeed and we will start writing
+characters to memory again.
+
+This may enable an attacker to overwrite the heap and thereby corrupt
+security-relevant variables.  For this reason it has been assigned a
+CVE identifier, CVE-2014-3158.
+
+This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
+
+Reported-by: Lee Campbell <leecam at google.com>
+Signed-off-by: Paul Mackerras <paulus at samba.org>
+---
+ pppd/options.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/pppd/options.c b/pppd/options.c
+index 45fa742..e9042d1 100644
+--- a/pppd/options.c
++++ b/pppd/options.c
+@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
+ 	    /*
+ 	     * Store the resulting character for the escape sequence.
+ 	     */
+-	    if (len < MAXWORDLEN-1)
++	    if (len < MAXWORDLEN) {
+ 		word[len] = value;
+-	    ++len;
++		++len;
++	    }
+ 
+ 	    if (!got)
+ 		c = getc(f);
+@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
+ 	/*
+ 	 * An ordinary character: store it in the word and get another.
+ 	 */
+-	if (len < MAXWORDLEN-1)
++	if (len < MAXWORDLEN) {
+ 	    word[len] = c;
+-	++len;
++	    ++len;
++	}
+ 
+ 	c = getc(f);
+     }
+-- 
+1.8.3.1
+
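Review bot: The new bound `if (len < MAXWORDLEN)` at L61–L65 (and the parallel change at L74–L78) now allows a store into `word[MAXWORDLEN-1]`, the final byte of the buffer, which the old `MAXWORDLEN-1` bound kept free; whether a terminating NUL still fits therefore depends on the end-of-word code that lies outside both hunks, which presumably clamps `len` before storing the terminator — worth confirming in the applied tree, since getword's body starts before L57 and continues past L81. These two guarded increments are the only place the invariant "len never exceeds MAXWORDLEN" is established, so a short comment at each would make the changed bound self-explanatory, e.g. `/* stop counting at MAXWORDLEN so len can never wrap (CVE-2014-3158) */`. The commit message explains the rationale well, but it is not visible to someone reading options.c later.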
diff --git a/ppp.spec b/ppp.spec
index 9adc7de..1662a9f 100644
--- a/ppp.spec
+++ b/ppp.spec
@@ -3,7 +3,7 @@
 Summary: The Point-to-Point Protocol daemon
 Name: ppp
 Version: 2.4.5
-Release: 33%{?dist}
+Release: 34%{?dist}
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
 Group: System Environment/Daemons
 URL: http://www.samba.org/ppp
@@ -38,6 +38,7 @@ Patch32: ppp-2.4.5-l2tp-multilink.patch
 Patch33: ppp-2.4.5-radius-config.patch
 Patch34: ppp-2.4.5-crypt.patch
 Patch35: ppp-2.4.5-hardened.patch
+Patch36: 0001-pppd-Eliminate-potential-integer-overflow-in-option-.patch
 
 BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd
 Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd
@@ -91,6 +92,7 @@ This package contains the header files for building plugins for ppp.
 %patch33 -p1 -b .radius
 %patch34 -p1 -b .crypt
 %patch35 -p1 -b .hardened
+%patch36 -p1 -b .cve-2014-3158
 
 rm -f scripts/*.local
 rm -f scripts/*.change_resolv_conf
@@ -171,6 +173,9 @@ mkdir -p %{_localstatedir}/lock/ppp 2>&1 >/dev/null || :
 %doc PLUGINS
 
 %changelog
+* Tue Aug 12 2014 Michal Sekletar <msekleta at redhat.com> - 2.4.5-34
+- Fix for CVE-2014-3158
+
 * Thu Aug 01 2013 Michal Sekletar <msekleta at redhat.com> - 2.4.5-33
 - fix post installation scriptlet
 

