I've prepared a a fix for CVE-2014-3158, an integer overflow potentially permitting a user in the dip group to abuse the privileges of the setuid root pppd binary by supplying a very, very long options line in ~/.ppprc.
Please review the attached debdiff for squeeze-lts (the other distributions also need a fix). This is my first fix for squeeze-lts, so I'm using this lower-impact issue to learn the ropes, so feedback most welcome. I'm also not yet a Debian Maintainer, but will apply for that soon so I can also do the announcement next time. Thanks! Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
diff -u ppp-2.4.5/debian/changelog ppp-2.4.5/debian/changelog --- ppp-2.4.5/debian/changelog +++ ppp-2.4.5/debian/changelog @@ -1,3 +1,12 @@ +ppp (2.4.5-4+deb6u1) squeeze-lts; urgency=high + + * Non-maintainer upload. + * Backport fix for CVE-2014-3158 (Bug: 762789 integer overflow in + option parsing) from + https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb + + -- Andrew Bartlett <abartlet+deb...@catalyst.net.nz> Wed, 15 Oct 2014 23:00:47 +0000 + ppp (2.4.5-4) unstable; urgency=low * Make sure to actually rebuild pppd for the udeb instead of using the diff -u ppp-2.4.5/debian/patches/series ppp-2.4.5/debian/patches/series --- ppp-2.4.5/debian/patches/series +++ ppp-2.4.5/debian/patches/series @@ -1,5 +1,6 @@ # pulled from upstream git-20100307 +CVE-2014-3158.patch # to be merged upstream pppoatm_no_modprobe only in patch2: unchanged: --- ppp-2.4.5.orig/debian/patches/CVE-2014-3158.patch +++ ppp-2.4.5/debian/patches/CVE-2014-3158.patch @@ -0,0 +1,55 @@ +From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001 +From: Paul Mackerras <pau...@samba.org> +Date: Fri, 1 Aug 2014 16:05:42 +1000 +Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing + +When we are reading in a word from an options file, we maintain a count +of the length we have seen so far in 'len', which is an int. When len +exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the +buffer but we continue to increment len. Since len is an int, it will +wrap around to -2147483648 after it reaches 2147483647. At that point +our test of (len < MAXWORDLEN-1) will succeed and we will start writing +characters to memory again. + +This may enable an attacker to overwrite the heap and thereby corrupt +security-relevant variables. For this reason it has been assigned a +CVE identifier, CVE-2014-3158. + +This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN. + +Reported-by: Lee Campbell <lee...@google.com> +Signed-off-by: Paul Mackerras <pau...@samba.org> +--- + pppd/options.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/pppd/options.c b/pppd/options.c +index 45fa742..e9042d1 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename) + /* + * Store the resulting character for the escape sequence. + */ +- if (len < MAXWORDLEN-1) ++ if (len < MAXWORDLEN) { + word[len] = value; +- ++len; ++ ++len; ++ } + + if (!got) + c = getc(f); +@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename) + /* + * An ordinary character: store it in the word and get another. + */ +- if (len < MAXWORDLEN-1) ++ if (len < MAXWORDLEN) { + word[len] = c; +- ++len; ++ ++len; ++ } + + c = getc(f); + }
signature.asc
Description: This is a digitally signed message part
