ppp: CVE-2015-3310: Buffer overflow in radius plugin

Related Vulnerabilities: CVE-2015-3310  

Debian Bug report logs - #782450

Package: ppp; Maintainer for ppp is Chris Boot <bootc@debian.org>; Source for ppp is src:ppp (PTS, buildd, popcon).

Reported by: Emanuele Rocca <ema@linux.it>

Date: Sun, 12 Apr 2015 12:21:07 UTC

Severity: important

Tags: patch, security

Found in version ppp/2.4.6-3

Fixed in versions ppp/2.4.6-3.1, ppp/2.4.5-5.1+deb7u2, ppp/2.4.5-4+deb6u2

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Sun, 12 Apr 2015 12:21:11 GMT) (full text, mbox, link).


Acknowledgement sent to Emanuele Rocca <ema@linux.it>:
New Bug report received and forwarded. Copy sent to Marco d'Itri <md@linux.it>. (Sun, 12 Apr 2015 12:21:11 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Emanuele Rocca <ema@linux.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ppp: Buffer overflow in radius plugin
Date: Sun, 12 Apr 2015 14:20:02 +0200
Package: ppp
Version: 2.4.6-3
Severity: important
Tags: patch

On systems with more than 65535 processes running, pppd aborts when
sending a "start" accounting message to the RADIUS server because of a
buffer overflow in rc_mksid.

The process id is used in rc_mksid to generate a pseudo-unique string,
assuming that the hex representation of the pid will be at most 4
characters (FFFF). __sprintf_chk(), used when compiling with
optimization levels greater than 0 and FORTIFY_SOURCE, detects the
buffer overflow and makes pppd crash.

The following patch fixes the problem.

--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
+++ ppp-2.4.6/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
   static unsigned short int cnt = 0;
   sprintf (buf, "%08lX%04X%02hX",
 	   (unsigned long int) time (NULL),
-	   (unsigned int) getpid (),
+	   (unsigned int) getpid () % 65535,
 	   cnt & 0xFF);
   cnt++;
   return buf;
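Review bot: on the added line `(unsigned int) getpid () % 65535`, the modulus yields 0 through 65534, so 0xFFFF is never produced and a PID of 65535 formats as 0000, the same as any other multiple of 65535. If the intent is to keep the low 16 bits so that the field always fits `%04X`, `(unsigned int) getpid () & 0xFFFF` (or `% 65536`) says that directly. Either form keeps the field at four hex digits.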


-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ppp depends on:
ii  init-system-helpers  1.22
ii  libc6                2.19-17
ii  libpam-modules       1.1.8-3.1
ii  libpam-runtime       1.1.8-3.1
ii  libpam0g             1.1.8-3.1
ii  libpcap0.8           1.6.2-2
ii  procps               2:3.3.9-9



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Mon, 13 Apr 2015 08:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Emanuele Rocca <ema@linux.it>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Mon, 13 Apr 2015 08:42:04 GMT) (full text, mbox, link).


Message #10 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Emanuele Rocca <ema@linux.it>
To: 782450@bugs.debian.org
Subject: ppp: Buffer overflow in radius plugin
Date: Mon, 13 Apr 2015 10:38:42 +0200
Correction: the bug occurs if pppd's pid is greater than 65535. The number of
running processes is irrelevant.

Added tag(s) security. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Mon, 13 Apr 2015 11:03:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Tue, 14 Apr 2015 06:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Emanuele Rocca <ema@linux.it>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Tue, 14 Apr 2015 06:51:04 GMT) (full text, mbox, link).


Message #17 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Emanuele Rocca <ema@linux.it>
To: 782450@bugs.debian.org
Subject: Re: ppp: Buffer overflow in radius plugin
Date: Tue, 14 Apr 2015 08:48:15 +0200
NMU diff attached.
[ppp_2.4.6-3.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Emanuele Rocca <ema@debian.org>:
You have taken responsibility. (Tue, 14 Apr 2015 07:06:09 GMT) (full text, mbox, link).


Notification sent to Emanuele Rocca <ema@linux.it>:
Bug acknowledged by developer. (Tue, 14 Apr 2015 07:06:09 GMT) (full text, mbox, link).


Message #22 received at 782450-close@bugs.debian.org (full text, mbox, reply):

From: Emanuele Rocca <ema@debian.org>
To: 782450-close@bugs.debian.org
Subject: Bug#782450: fixed in ppp 2.4.6-3.1
Date: Tue, 14 Apr 2015 07:03:46 +0000
Source: ppp
Source-Version: 2.4.6-3.1

We believe that the bug you reported is fixed in the latest version of
ppp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emanuele Rocca <ema@debian.org> (supplier of updated ppp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 14 Apr 2015 08:18:06 +0200
Source: ppp
Binary: ppp ppp-udeb ppp-dev
Architecture: source amd64 all
Version: 2.4.6-3.1
Distribution: unstable
Urgency: high
Maintainer: Marco d'Itri <md@linux.it>
Changed-By: Emanuele Rocca <ema@debian.org>
Description:
 ppp        - Point-to-Point Protocol (PPP) - daemon
 ppp-dev    - Point-to-Point Protocol (PPP) - development files
 ppp-udeb   - Point-to-Point Protocol (PPP) - package for Debian Installer (udeb)
Closes: 782450
Changes:
 ppp (2.4.6-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Urgency high due to fix for DoS vulnerability.
   * Fix buffer overflow in rc_mksid().
     The function converts the PID of pppd to hex to generate a pseudo-unique
     string. If the process id is bigger than 65535 (FFFF), its hex
     representation will be longer than 4 characters, resulting in a buffer
     overflow. This bug can be exploited to cause a remote DoS.
     (Closes: #782450)




Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Tue, 14 Apr 2015 11:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Roger Lynn <RLynn@fundamentalsltd.co.uk>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Tue, 14 Apr 2015 11:15:04 GMT) (full text, mbox, link).


Message #27 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Roger Lynn <RLynn@fundamentalsltd.co.uk>
To: Emanuele Rocca <ema@linux.it>, <782450@bugs.debian.org>
Subject: Re: Bug#782450: ppp: Buffer overflow in radius plugin
Date: Tue, 14 Apr 2015 12:13:23 +0100
On 14/04/2015 07:48, Emanuele Rocca wrote:
> NMU diff attached.


> ppp_2.4.6-3.1-nmu.diff

> diff -Nru ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow
> --- ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	1970-01-01 01:00:00.000000000 +0100
> +++ ppp-2.4.6/debian/patches/rc_mksid-no-buffer-overflow	2015-04-14 08:27:53.000000000 +0200
> @@ -0,0 +1,23 @@
> +Description: Fix buffer overflow in rc_mksid()
> + rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
> + .
> + If the process id is bigger than 65535 (FFFF), its hex representation will be
> + longer than 4 characters, resulting in a buffer overflow.
> + .
> + The bug can be exploited to cause a remote DoS.
> + .
> +Author: Emanuele Rocca <ema@debian.org>
> +Bug-Debian: https://bugs.debian.org/782450
> +Last-Update: <2015-04-14>
> +
> +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
> ++++ ppp-2.4.6/pppd/plugins/radius/util.c
> +@@ -77,7 +77,7 @@ rc_mksid (void)
> +   static unsigned short int cnt = 0;
> +   sprintf (buf, "%08lX%04X%02hX",
> + 	   (unsigned long int) time (NULL),
> +-	   (unsigned int) getpid (),
> ++	   (unsigned int) getpid () % 65535,

Shouldn't this be 65536? If you're trying to limit to 0xFFFF then 65535 is too
small. "getpid () & 0xFFFF" might be clearer than using the modulus operator
and should have exactly the same effect.

> + 	   cnt & 0xFF);
> +   cnt++;
> +   return buf;
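Review bot: the `sprintf (buf, "%08lX%04X%02hX", ...)` call in the embedded util.c hunk stays unbounded after this change; the widths in the format are minimums, so the PID field is capped only by the `% 65535` and the `%08lX` field still relies on `time (NULL)` fitting in eight hex digits. Switching to `snprintf` with the size of `buf` would bound the write whatever the arguments are. Separately, the `Last-Update: <2015-04-14>` header carries angle brackets that look like leftover template markers; a bare `2015-04-14` is the usual form.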


Roger



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Tue, 14 Apr 2015 11:39:16 GMT) (full text, mbox, link).


Acknowledgement sent to Roger Lynn <Roger@rilynn.me.uk>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Tue, 14 Apr 2015 11:39:16 GMT) (full text, mbox, link).



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Tue, 14 Apr 2015 13:45:10 GMT) (full text, mbox, link).


Acknowledgement sent to Emanuele Rocca <ema@linux.it>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Tue, 14 Apr 2015 13:45:10 GMT) (full text, mbox, link).


Message #37 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Emanuele Rocca <ema@linux.it>
To: Roger Lynn <Roger@rilynn.me.uk>
Cc: 782450@bugs.debian.org
Subject: Re: Bug#782450: ppp: Buffer overflow in radius plugin
Date: Tue, 14 Apr 2015 15:42:48 +0200
Hi Roger,

On 14/04 12:13, Roger Lynn wrote:
> On 14/04/2015 07:48, Emanuele Rocca wrote:
> > +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
> > ++++ ppp-2.4.6/pppd/plugins/radius/util.c
> > +@@ -77,7 +77,7 @@ rc_mksid (void)
> > +   static unsigned short int cnt = 0;
> > +   sprintf (buf, "%08lX%04X%02hX",
> > + 	   (unsigned long int) time (NULL),
> > +-	   (unsigned int) getpid (),
> > ++	   (unsigned int) getpid () % 65535,
> 
> Shouldn't this be 65536? If you're trying to limit to 0xFFFF then 65535 is too
> small. "getpid () & 0xFFFF" might be clearer than using the modulus operator
> and should have exactly the same effect.

Good catch! You are right, the patch limits to 0xFFFE instead of 0xFFFF.

However it does fix the vulnerability, so I don't think a new upload is
required.

Cheers,
  ema
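
The lengths and PID-field values discussed in this thread, as an added C example that is not part of the bug log or of ppp's source: it measures what the format string produces for PIDs on either side of 65535 and compares `% 65535` with `& 0xFFFF`. The 15-byte buffer size, the helper names and the sample timestamp are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Format string as shown in the rc_mksid() hunk. */
#define SID_FMT "%08lX%04X%02hX"
/* Assumed buffer size: 8 + 4 + 2 hex digits plus the terminating NUL. */
#define SID_BUF 15

/* Number of characters (excluding NUL) the unpatched call would write.
 * snprintf(NULL, 0, ...) only measures, so nothing is overflowed here. */
int sid_len_unpatched(unsigned long now, unsigned int pid, unsigned short cnt)
{
    return snprintf(NULL, 0, SID_FMT, now, pid, (unsigned short)(cnt & 0xFF));
}

/* PID field as computed by the uploaded patch and by the reviewed variant. */
unsigned int pid_field_mod(unsigned int pid)  { return pid % 65535; }
unsigned int pid_field_mask(unsigned int pid) { return pid & 0xFFFF; }

/* Bounded variant (illustrative): masks the PID and uses snprintf, returning
 * 0 on success and -1 if the ID would not fit in outlen bytes. */
int mksid_bounded(char *out, size_t outlen, unsigned long now,
                  unsigned int pid, unsigned short cnt)
{
    int n = snprintf(out, outlen, SID_FMT, now, pid_field_mask(pid),
                     (unsigned short)(cnt & 0xFF));
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: a timestamp from April 2015 and PIDs around the limit. */
    const unsigned long now = 0x552A6002UL;
    const unsigned int pids[] = { 1234, 65534, 65535, 65536, 4194304 };
    char buf[SID_BUF];

    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        int need = sid_len_unpatched(now, pids[i], 0) + 1; /* + NUL */
        mksid_bounded(buf, sizeof buf, now, pids[i], 0);
        printf("pid %7u: unpatched needs %2d bytes (%s), %%65535 -> %04X, "
               "&0xFFFF -> %04X, bounded id %s\n",
               pids[i], need, need > SID_BUF ? "overflow" : "fits",
               pid_field_mod(pids[i]), pid_field_mask(pids[i]), buf);
    }
    return 0;
}
```
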



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Tue, 14 Apr 2015 14:51:08 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Tue, 14 Apr 2015 14:51:08 GMT) (full text, mbox, link).


Message #42 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Marco d'Itri <md@linux.it>
Cc: debian-lts@lists.debian.org, 782450@bugs.debian.org, Emanuele Rocca <ema@debian.org>
Subject: squeeze update of ppp?
Date: Tue, 14 Apr 2015 16:47:05 +0200
Hello Marco & Emanuele,

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ppp:
https://security-tracker.debian.org/tracker/source-package/ppp

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#782450; Package ppp. (Tue, 14 Apr 2015 15:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
Extra info received and forwarded to list. (Tue, 14 Apr 2015 15:09:04 GMT) (full text, mbox, link).


Message #47 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Raphael Hertzog <hertzog@debian.org>, debian-lts@lists.debian.org, 782450@bugs.debian.org, Emanuele Rocca <ema@debian.org>
Subject: Re: squeeze update of ppp?
Date: Tue, 14 Apr 2015 16:58:49 +0200
On Apr 14, Raphael Hertzog <hertzog@debian.org> wrote:

> Would you like to take care of this yourself? We are still understaffed so
No, I am not sure if we will fix it for stable either.
It is not really such a big deal, so I am not concerned.

-- 
ciao,
Marco

Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Thu, 16 Apr 2015 06:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Thu, 16 Apr 2015 06:57:04 GMT) (full text, mbox, link).


Message #52 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Emanuele Rocca <ema@linux.it>, 782450@bugs.debian.org
Subject: Re: Bug#782450: ppp: Buffer overflow in radius plugin
Date: Thu, 16 Apr 2015 08:55:50 +0200
Control: retitle -1 ppp: CVE-2015-3310: Buffer overflow in radius plugin

Hi

This issue has been assigned CVE-2015-3310.

Regards,
Salvatore



Changed Bug title to 'ppp: CVE-2015-3310: Buffer overflow in radius plugin' from 'ppp: Buffer overflow in radius plugin' Request was from Salvatore Bonaccorso <carnil@debian.org> to 782450-submit@bugs.debian.org. (Thu, 16 Apr 2015 06:57:04 GMT) (full text, mbox, link).


Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Fri, 17 Apr 2015 16:33:26 GMT) (full text, mbox, link).


Notification sent to Emanuele Rocca <ema@linux.it>:
Bug acknowledged by developer. (Fri, 17 Apr 2015 16:33:26 GMT) (full text, mbox, link).


Message #59 received at 782450-close@bugs.debian.org (full text, mbox, reply):

From: Sebastien Delafond <seb@debian.org>
To: 782450-close@bugs.debian.org
Subject: Bug#782450: fixed in ppp 2.4.5-5.1+deb7u2
Date: Fri, 17 Apr 2015 16:32:05 +0000
Source: ppp
Source-Version: 2.4.5-5.1+deb7u2

We believe that the bug you reported is fixed in the latest version of
ppp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated ppp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 16 Apr 2015 09:37:44 +0200
Source: ppp
Binary: ppp ppp-udeb ppp-dev
Architecture: source amd64 all
Version: 2.4.5-5.1+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Marco d'Itri <md@linux.it>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 ppp        - Point-to-Point Protocol (PPP) - daemon
 ppp-dev    - Point-to-Point Protocol (PPP) - development files
 ppp-udeb   - Point-to-Point Protocol (PPP) - package for Debian Installer (udeb)
Closes: 782450
Changes: 
 ppp (2.4.5-5.1+deb7u2) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team (thanks to Emanuele Rocca
     for the patch).
   * Fix CVE-2015-3310: buffer overflow which may lead to DoS (Closes:
     #782450).
Package-Type: udeb





Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Sun, 19 Apr 2015 15:21:31 GMT) (full text, mbox, link).


Notification sent to Emanuele Rocca <ema@linux.it>:
Bug acknowledged by developer. (Sun, 19 Apr 2015 15:21:31 GMT) (full text, mbox, link).


Message #64 received at 782450-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>
To: 782450-close@bugs.debian.org
Subject: Bug#782450: fixed in ppp 2.4.5-4+deb6u2
Date: Sun, 19 Apr 2015 15:19:49 +0000
Source: ppp
Source-Version: 2.4.5-4+deb6u2

We believe that the bug you reported is fixed in the latest version of
ppp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated ppp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 19 Apr 2015 16:00:47 +0200
Source: ppp
Binary: ppp ppp-udeb ppp-dev
Architecture: source i386 all
Version: 2.4.5-4+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Marco d'Itri <md@linux.it>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 ppp        - Point-to-Point Protocol (PPP) - daemon
 ppp-dev    - Point-to-Point Protocol (PPP) - development files
 ppp-udeb   - Point-to-Point Protocol (PPP) - package for Debian Installer (udeb)
Closes: 782450
Changes: 
 ppp (2.4.5-4+deb6u2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix CVE-2015-3310: buffer overflow which may lead to DoS (Closes: #782450).
     (thanks to Emanuele Rocca for the patch).
Package-Type: udeb





Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#782450; Package ppp. (Tue, 12 May 2015 19:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Boot <debian@bootc.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Tue, 12 May 2015 19:51:05 GMT) (full text, mbox, link).


Message #69 received at 782450@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <debian@bootc.net>
To: Emanuele Rocca <ema@linux.it>
Cc: 782450@bugs.debian.org
Subject: Re: Bug#782450: ppp: Buffer overflow in radius plugin
Date: Tue, 12 May 2015 20:43:57 +0100
On 12/04/15 13:20, Emanuele Rocca wrote:
> On systems with more than 65535 processes running, pppd aborts when
> sending a "start" accounting message to the RADIUS server because of a
> buffer overflow in rc_mksid.
> 
> The process id is used in rc_mksid to generate a pseudo-unique string,
> assuming that the hex representation of the pid will be at most 4
> characters (FFFF). __sprintf_chk(), used when compiling with
> optimization levels greater than 0 and FORTIFY_SOURCE, detects the
> buffer overflow and makes pppd crash.
> 
> The following patch fixes the problem.
> 
> --- ppp-2.4.6.orig/pppd/plugins/radius/util.c
> +++ ppp-2.4.6/pppd/plugins/radius/util.c
> @@ -77,7 +77,7 @@ rc_mksid (void)
>    static unsigned short int cnt = 0;
>    sprintf (buf, "%08lX%04X%02hX",
>  	   (unsigned long int) time (NULL),
> -	   (unsigned int) getpid (),
> +	   (unsigned int) getpid () % 65535,
>  	   cnt & 0xFF);
>    cnt++;
>    return buf;
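Review bot: before this goes upstream, reducing the PID with `% 65535` makes the middle field of the ID ambiguous: `cnt` is a `static` that starts at 0 in every process, so two pppd instances whose PIDs differ by a multiple of 65535 and that call rc_mksid in the same second get the same string. If the ID is meant to stay pseudo-unique on hosts with PIDs above 65535, an alternative is to widen the PID field and enlarge `buf` to match rather than truncating the value.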

Hi Emanuele,

Did you send your patch upstream? If not, would you mind if I did so?
Would you be able to provide a "Signed-off-by" line as required by upstream?

Thanks,
Chris

-- 
Chris Boot
debian@bootc.net
GPG: 8467 53CB 1921 3142 C56D  C918 F5C8 3C05 D9CE EEEE



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Jun 2015 07:31:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:14:44 2019; Machine Name: buxtehude
