Control: tags -1 d-i

Hi,

On Tue, Apr 14, 2015 at 11:18:34AM +0200, Emanuele Rocca wrote:
> Please unblock ppp/2.4.6-3.1. It fixes a DoS vulnerability in the pppd
> radius plugin.

This needs a d-i ack (Cc'ed kibi, diff quoted below).

Cheers,
Ivo

> diff -Nru ppp-2.4.6/debian/changelog ppp-2.4.6/debian/changelog > --- ppp-2.4.6/debian/changelog 2014-10-19 11:56:12.000000000 +0200 > +++ ppp-2.4.6/debian/changelog 2015-04-14 08:29:42.000000000 +0200 > @@ -1,3 +1,16 @@ > +ppp (2.4.6-3.1) unstable; urgency=high > + > + * Non-maintainer upload. > + * Urgency high due to fix for DoS vulnerability. > + * Fix buffer overflow in rc_mksid(). > + The function converts the PID of pppd to hex to generate a pseudo-unique > + string. If the process id is bigger than 65535 (FFFF), its hex > + representation will be longer than 4 characters, resulting in a buffer > + overflow. This bug can be exploited to cause a remote DoS. > + (Closes: #782450) > + > + -- Emanuele Rocca <[email protected]> Tue, 14 Apr 2015 08:18:06 +0200 > + > ppp (2.4.6-3) unstable; urgency=high > > * Urgency high due to fix for CVE-2014-3158. > diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow > ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow > --- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 1970-01-01 > 01:00:00.000000000 +0100 > +++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow 2015-04-14 > 08:27:53.000000000 +0200 
> @@ -0,0 +1,23 @@ > +Description: Fix buffer overflow in rc_mksid() > + rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string. > + . > + If the process id is bigger than 65535 (FFFF), its hex representation will > be > + longer than 4 characters, resulting in a buffer overflow. > + . > + The bug can be exploited to cause a remote DoS. > + . > +Author: Emanuele Rocca <[email protected]> > +Bug-Debian: https://bugs.debian.org/782450 > +Last-Update: <2015-04-14> > + > +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c > ++++ ppp-2.4.6/pppd/plugins/radius/util.c > +@@ -77,7 +77,7 @@ rc_mksid (void) > + static unsigned short int cnt = 0; > + sprintf (buf, "%08lX%04X%02hX", > + (unsigned long int) time (NULL), > +- (unsigned int) getpid (), > ++ (unsigned int) getpid () % 65535, > + cnt & 0xFF); > + cnt++; > + return buf; > diff -Nru ppp-2.4.6/debian/patches/series ppp-2.4.6/debian/patches/series > --- ppp-2.4.6/debian/patches/series 2014-10-19 11:49:55.000000000 +0200 > +++ ppp-2.4.6/debian/patches/series 2015-04-14 08:17:39.000000000 +0200 > @@ -43,3 +43,4 @@ > resolv.conf_no_log > zzz_config > secure-card-interpreter-fix > +rc_mksid-no-buffer-overflow
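
Review bot: In the util.c change carried by debian/patches/rc_mksid-no-buffer-overflow, `(unsigned int) getpid () % 65535` limits the PID field to 0..65534, which fits `%04X`, but the divisor looks off by one: 65535 (FFFF) itself fits in four hex digits, so `& 0xFFFF` (or `% 65536`) is the natural mask and avoids folding PID 65535 onto 0. The call is still an unbounded `sprintf`, and `%08lX` is a minimum width rather than a maximum, so the `time (NULL)` field stays at eight digits only because of its current value; consider `snprintf` with the size of `buf` (its declaration is outside the visible context) so that no field can overrun the buffer again. The Description could also state that PIDs differing by a multiple of the modulus now produce the same field, which slightly weakens the pseudo-unique string. In the patch header, `Last-Update: <2015-04-14>` should drop the angle brackets and carry the bare date.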

