Merge branch 'jb45678-pppd-unroot' into 'master'

[ppp] [pppd] Update to version 2.4.8, fix CVE-2015-3310. JB#48797 See merge request mer-core/ppp!3
sailfishos · Jun 3, 2020 · 1313398 · 1313398
2 parents 51a75c8 + dfa4a67
commit 1313398
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 113 deletions.
diff --git a/ppp b/ppp
diff --git a/rpm/CVE-2015-3310.patch b/rpm/CVE-2015-3310.patch
@@ -0,0 +1,18 @@
+Fix buffer overflow in rc_mksid()
+
+rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+If the process id is bigger than 65535 (FFFF), its hex representation will be
+longer than 4 characters, resulting in a buffer overflow.
+
+The bug can be exploited to cause a remote DoS.
+--- ppp-2.4.7/pppd/plugins/radius/util.c
++++ ppp-2.4.7/pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+   static unsigned short int cnt = 0;
+   sprintf (buf, "%08lX%04X%02hX",
+ 	   (unsigned long int) time (NULL),
+-	   (unsigned int) getpid (),
++	   (unsigned int) getpid () & 0xFFFF,
+ 	   cnt & 0xFF);
+   cnt++;
+   return buf;
diff --git a/rpm/ppp.spec b/rpm/ppp.spec
@@ -1,13 +1,13 @@
 Name:       ppp
 Summary:    Point-to-Point
-Version:    2.4.7
+Version:    2.4.8
 Release:    1
 Group:      Applications/Internet
 License:    BSD and GPLv2+ and LGPLv2+ and Public Domain
 URL:        https://ppp.samba.org/
 Source0:    https://download.samba.org/pub/%{name}/%{name}-%{version}.tar.gz
 Patch0:     ppp-destdir.patch
-Patch1:     use-openssl.patch
+Patch1:     CVE-2015-3310.patch
 Requires:   openssl-libs
 BuildRequires:  coreutils
 BuildRequires:  sed

diff --git a/rpm/use-openssl.patch b/rpm/use-openssl.patch