ppp: CVE-2014-3158: Integer overflow in option parsing

Related Vulnerabilities: CVE-2014-3158  

Debian Bug report logs - #762789

Package: ppp; Maintainer for ppp is Chris Boot <bootc@debian.org>; Source for ppp is src:ppp (PTS, buildd, popcon).

Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Thu, 25 Sep 2014 08:12:01 UTC

Severity: grave

Tags: security

Found in version ppp/2.4.5-4

Fixed in versions ppp/2.4.6-3, ppp/2.4.5-4+deb6u1, ppp/2.4.5-5.1+deb7u1

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#762789; Package ppp. (Thu, 25 Sep 2014 08:12:07 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Marco d'Itri <md@linux.it>. (Thu, 25 Sep 2014 08:12:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: ppp: CVE-2014-3158: Integer overflow in option parsing
Date: Thu, 25 Sep 2014 10:08:29 +0200
Package: ppp
Severity: grave
Tags: security

Hi,
the following vulnerability was published for ppp.

CVE-2014-3158[0]:
Potential integer overflow in option parsing 

This is fixed in this commit
https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb
and in the 2.4.7 upstream release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158
    https://security-tracker.debian.org/tracker/CVE-2014-3158
http://marc.info/?l=linux-ppp&m=140764978420764

Please adjust the affected versions in the BTS as needed.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Added tag(s) pending. Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Thu, 25 Sep 2014 11:00:37 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#762789; Package ppp. (Wed, 15 Oct 2014 23:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
Extra info received and forwarded to list. (Wed, 15 Oct 2014 23:39:04 GMT) (full text, mbox, link).


Message #12 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Andrew Bartlett <abartlet+debian@catalyst.net.nz>
Cc: debian-lts@lists.debian.org, 762789@bugs.debian.org, jelmer@samba.org
Subject: Re: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 01:36:48 +0200
On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:

> I've prepared a fix for CVE-2014-3158, an integer overflow potentially
> permitting a user in the dip group to abuse the privileges of the setuid
> root pppd binary by supplying a very, very long options line in
> ~/.ppprc.
Is this actually known to be exploitable?
If you believe that it is worth fixing then your changes look fine to 
me.

-- 
ciao,
Marco

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#762789; Package ppp. (Wed, 15 Oct 2014 23:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Andrew Bartlett <abartlet+debian@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Wed, 15 Oct 2014 23:45:04 GMT) (full text, mbox, link).


Message #17 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Andrew Bartlett <abartlet+debian@catalyst.net.nz>
To: debian-lts@lists.debian.org
Cc: 762789@bugs.debian.org, md@linux.it, jelmer@samba.org
Subject: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 12:32:46 +1300
I've prepared a fix for CVE-2014-3158, an integer overflow potentially
permitting a user in the dip group to abuse the privileges of the setuid
root pppd binary by supplying a very, very long options line in
~/.ppprc.

Please review the attached debdiff for squeeze-lts (the other
distributions also need a fix).

This is my first fix for squeeze-lts, so I'm using this lower-impact
issue to learn the ropes, so feedback most welcome.  I'm also not yet a
Debian Maintainer, but will apply for that soon so I can also do the
announcement next time. 

Thanks!

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



[ppp_2.4.5-4+deb6u1.debdiff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#762789; Package ppp. (Thu, 16 Oct 2014 00:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Andrew Bartlett <abartlet+debian@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Thu, 16 Oct 2014 00:15:05 GMT) (full text, mbox, link).


Message #22 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Andrew Bartlett <abartlet+debian@catalyst.net.nz>
To: Marco d'Itri <md@linux.it>
Cc: debian-lts@lists.debian.org, 762789@bugs.debian.org, jelmer@samba.org
Subject: Re: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 13:12:32 +1300
On Thu, 2014-10-16 at 01:36 +0200, Marco d'Itri wrote:
> On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:
> 
> > I've prepared a fix for CVE-2014-3158, an integer overflow potentially
> > permitting a user in the dip group to abuse the privileges of the setuid
> > root pppd binary by supplying a very, very long options line in
> > ~/.ppprc.
> Is this actually known to be exploitable?

This is the one bit I haven't proven yet.  I didn't have the patience to
generate a 2G config line to test, but it will read the user's .ppprc
file while setuid.

The variable the user could overflow is on the stack, so I'm assuming
all the usual stack smashing attacks apply. 

> If you believe that it is worth fixing then your changes look fine to 
> me.

Thanks.  How do you wish to proceed?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
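
Why a test input for this bug has to be about 2G long, as an added example (not part of the original thread and not pppd's code): a simplified model of a word reader whose signed length counter keeps counting after the buffer is full, next to a saturating variant. The 16-bit counter, `MAXWORD` and all function names are assumptions chosen so the wrap is reachable in a quick run; stores with a wrapped index are counted, not performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXWORD 16   /* assumed buffer size for the demo */

struct result {
    size_t kept;        /* characters actually kept in word[] */
    size_t wrapped;     /* stores attempted with a negative index (counted only) */
    int    final_len;   /* length counter after the last character */
};

/* Characters needed before a signed counter of the given width wraps negative. */
unsigned long long chars_to_wrap(unsigned bits)
{
    return 1ULL << (bits - 1);
}

/* Two's-complement wrap to 16 bits without relying on signed overflow. */
static int16_t wrap16(uint32_t v)
{
    v &= 0xFFFFu;
    return (int16_t)((v & 0x8000u) ? (int32_t)v - 65536 : (int32_t)v);
}

/* Flawed shape: the counter is bumped for every character, even once the
 * buffer is full, so the bounds check passes again after the counter wraps. */
struct result read_word_counting(size_t n_chars)
{
    struct result r = {0, 0, 0};
    char word[MAXWORD] = {0};
    int16_t len = 0;                 /* stands in for a 32-bit int */

    for (size_t i = 0; i < n_chars; i++) {
        if (len < MAXWORD - 1) {
            if (len >= 0)
                word[len] = 'A';
            else
                r.wrapped++;         /* an unchecked store would land outside word[] */
        }
        len = wrap16((uint16_t)len + 1u);
    }
    r.kept = strlen(word);
    r.final_len = len;
    return r;
}

/* Hardened shape: stop counting at MAXWORD, which still records "too long". */
struct result read_word_saturating(size_t n_chars)
{
    struct result r = {0, 0, 0};
    char word[MAXWORD] = {0};
    int len = 0;

    for (size_t i = 0; i < n_chars; i++) {
        if (len < MAXWORD - 1)
            word[len] = 'A';
        if (len < MAXWORD)
            len++;
    }
    r.kept = strlen(word);
    r.final_len = len;
    return r;
}

int main(void)
{
    struct result bad = read_word_counting(40000), ok = read_word_saturating(40000);
    printf("int wraps after %llu characters\n", chars_to_wrap(32));
    printf("counting:   kept=%zu wrapped=%zu len=%d\n", bad.kept, bad.wrapped, bad.final_len);
    printf("saturating: kept=%zu wrapped=%zu len=%d\n", ok.kept, ok.wrapped, ok.final_len);
    return 0;
}
```

With a 32-bit `int` the same wrap needs 2147483648 characters in one word, which matches the 2G line mentioned in the message above.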




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#762789; Package ppp. (Thu, 16 Oct 2014 00:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
Extra info received and forwarded to list. (Thu, 16 Oct 2014 00:33:05 GMT) (full text, mbox, link).


Message #27 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Andrew Bartlett <abartlet+debian@catalyst.net.nz>, 762789@bugs.debian.org
Cc: debian-lts@lists.debian.org, jelmer@samba.org
Subject: Re: Bug#762789: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 02:30:48 +0200
On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:

> Thanks.  How do you wish to proceed?
I suggest that you just upload the package.

-- 
ciao,
Marco

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#762789; Package ppp. (Thu, 16 Oct 2014 02:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Andrew Bartlett <abartlet+debian@catalyst.net.nz>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Thu, 16 Oct 2014 02:21:08 GMT) (full text, mbox, link).


Message #32 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Andrew Bartlett <abartlet+debian@catalyst.net.nz>
To: Marco d'Itri <md@linux.it>
Cc: 762789@bugs.debian.org, debian-lts@lists.debian.org, jelmer@samba.org
Subject: Re: Bug#762789: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 15:17:27 +1300
On Thu, 2014-10-16 at 02:30 +0200, Marco d'Itri wrote:
> On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:
> 
> > Thanks.  How do you wish to proceed?
> I suggest that you just upload the package.

Just to be clear, I'm not (yet) a Debian Maintainer, so I don't have
upload rights, or the right to send out the DLA.  

In particular, I was trying to understand how would you like the
sid/jessie/wheezy part done.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#762789; Package ppp. (Thu, 16 Oct 2014 06:39:10 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Thu, 16 Oct 2014 06:39:10 GMT) (full text, mbox, link).


Message #37 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Andrew Bartlett <abartlet+debian@catalyst.net.nz>
Cc: Marco d'Itri <md@linux.it>, 762789@bugs.debian.org, debian-lts@lists.debian.org, jelmer@samba.org
Subject: Re: Bug#762789: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 08:37:44 +0200
On Thu, 16 Oct 2014, Andrew Bartlett wrote:
> On Thu, 2014-10-16 at 02:30 +0200, Marco d'Itri wrote:
> > On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:
> > 
> > > Thanks.  How do you wish to proceed?
> > I suggest that you just upload the package.
> 
> Just to be clear, I'm not (yet) a Debian Maintainer, so I don't have
> upload rights, or the right to send out the DLA.  

If Marco doesn't want to do it, let me know and I can take care of the
upload + announce for squeeze-lts.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Message sent on to Raphael Hertzog <hertzog@debian.org>:
Bug#762789. (Thu, 16 Oct 2014 08:21:04 GMT) (full text, mbox, link).


Message #40 received at 762789-submitter@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <debian@bootc.net>
To: 762789-submitter@bugs.debian.org
Subject: Re: Bug#762789: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 09:06:55 +0100
Control: -1 pending

On 16/10/14 07:37, Raphael Hertzog wrote:
> On Thu, 16 Oct 2014, Andrew Bartlett wrote:
>> On Thu, 2014-10-16 at 02:30 +0200, Marco d'Itri wrote:
>>> On Oct 16, Andrew Bartlett <abartlet+debian@catalyst.net.nz> wrote:
>>>
>>>> Thanks.  How do you wish to proceed?
>>> I suggest that you just upload the package.
>>
>> Just to be clear, I'm not (yet) a Debian Maintainer, so I don't have
>> upload rights, or the right to send out the DLA.  
> 
> If Marco doesn't want to do it, let me know and I can take care of the
> upload + announce for squeeze-lts.

Folks,

I have an upload waiting in the wings with many of the patches from
2.4.7 (including for CVE-2014-3158) but excluding the ABI breaks. I'm
planning to upload it over the weekend.

HTH,
Chris

-- 
Chris Boot
debian@bootc.net
GPG: 8467 53CB 1921 3142 C56D  C918 F5C8 3C05 D9CE EEEE



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#762789; Package ppp. (Thu, 16 Oct 2014 10:27:14 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
Extra info received and forwarded to list. (Thu, 16 Oct 2014 10:27:14 GMT) (full text, mbox, link).


Message #45 received at 762789@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Raphael Hertzog <hertzog@debian.org>, Andrew Bartlett <abartlet+debian@catalyst.net.nz>, 762789@bugs.debian.org, debian-lts@lists.debian.org, jelmer@samba.org
Subject: Re: Bug#762789: proposed fix for ppp CVE-2014-3158
Date: Thu, 16 Oct 2014 12:08:30 +0200
On Oct 16, Raphael Hertzog <hertzog@debian.org> wrote:

> If Marco doesn't want to do it, let me know and I can take care of the
> upload + announce for squeeze-lts.
I do not really use pppd anymore and my co-maintainer does not have much 
time either, so I do not really have plans to work on it right now.
(Yes, I have been looking for co-maintainers for years.)

-- 
ciao,
Marco

Reply sent to Chris Boot <debian@bootc.net>:
You have taken responsibility. (Sun, 19 Oct 2014 10:24:05 GMT) (full text, mbox, link).


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 19 Oct 2014 10:24:05 GMT) (full text, mbox, link).


Message #50 received at 762789-close@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <debian@bootc.net>
To: 762789-close@bugs.debian.org
Subject: Bug#762789: fixed in ppp 2.4.6-3
Date: Sun, 19 Oct 2014 10:20:43 +0000
Source: ppp
Source-Version: 2.4.6-3

We believe that the bug you reported is fixed in the latest version of
ppp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Boot <debian@bootc.net> (supplier of updated ppp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 19 Oct 2014 10:47:59 +0100
Source: ppp
Binary: ppp ppp-udeb ppp-dev
Architecture: source amd64 all
Version: 2.4.6-3
Distribution: unstable
Urgency: high
Maintainer: Marco d'Itri <md@linux.it>
Changed-By: Chris Boot <debian@bootc.net>
Description:
 ppp        - Point-to-Point Protocol (PPP) - daemon
 ppp-dev    - Point-to-Point Protocol (PPP) - development files
 ppp-udeb   - Point-to-Point Protocol (PPP) - package for Debian Installer (udeb)
Closes: 762789
Changes:
 ppp (2.4.6-3) unstable; urgency=high
 .
   * Urgency high due to fix for CVE-2014-3158.
   * Cherry-pick patches from 2.4.7 upstream release. These are 9 of 11 patches
     in the 2.4.7 upstream release of PPP, including the fix for CVE-2014-3158.
     The two patches left out were not imported in order to preserve ABI
     stability. (Closes: #762789)
     - ppp-2.4.7-001-pppd-Separate-IPv6-handling-for-sifup-sifdown.patch
     - ppp-2.4.7-002-pppol2tp-Connect-up-down-events-to-notifiers-and-add.patch
     - ppp-2.4.7-003-pppd-Add-declarations-to-eliminate-compile-warnings.patch
     - ppp-2.4.7-004-pppd-Eliminate-some-unnecessary-ifdefs.patch
     - ppp-2.4.7-005-radius-Fix-realms-config-file-option.patch
     - ppp-2.4.7-006-pppd-Eliminate-potential-integer-overflow-in-option-.patch
     - ppp-2.4.7-007-pppd-Eliminate-memory-leak-with-multiple-instances-o.patch
     - ppp-2.4.7-008-pppd-Fix-a-stack-variable-overflow-in-MSCHAP-v2.patch
     - ppp-2.4.7-009-winbind-plugin-Add-DMPPE-1-to-eliminate-compiler-war.patch
   * Refresh debian/patches/cifdefroute.dif
   * Update Standards-Version to 3.9.6 (no changes required).




Marked as found in versions ppp/2.4.5-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 09:39:04 GMT) (full text, mbox, link).


Marked as fixed in versions ppp/2.4.5-4+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 09:39:08 GMT) (full text, mbox, link).


Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Sun, 30 Nov 2014 23:21:23 GMT) (full text, mbox, link).


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 30 Nov 2014 23:21:23 GMT) (full text, mbox, link).


Message #59 received at 762789-close@bugs.debian.org (full text, mbox, reply):

From: Sebastien Delafond <seb@debian.org>
To: 762789-close@bugs.debian.org
Subject: Bug#762789: fixed in ppp 2.4.5-5.1+deb7u1
Date: Sun, 30 Nov 2014 23:17:12 +0000
Source: ppp
Source-Version: 2.4.5-5.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
ppp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated ppp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 28 Nov 2014 09:49:28 +0100
Source: ppp
Binary: ppp ppp-udeb ppp-dev
Architecture: source all amd64
Version: 2.4.5-5.1+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Marco d'Itri <md@linux.it>
Changed-By: Sebastien Delafond <seb@debian.org>
Description:
 ppp        - Point-to-Point Protocol (PPP) - daemon
 ppp-dev    - Point-to-Point Protocol (PPP) - development files
 ppp-udeb   - Point-to-Point Protocol (PPP) - package for Debian Installer (udeb)
Closes: 762789
Changes:
 ppp (2.4.5-5.1+deb7u1) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team (thanks to Pierre
     Schweitzer <pierre@reactos.org> for preparing the update).
   * Fix CVE-2014-3158: integer overflow which may allow overwrite
     security-relevant variables (Closes: #762789).
Package-Type: udeb




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Jan 2015 07:34:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:24 2019; Machine Name: buxtehude
