pool/ppp
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- CVE-2020-8597, bsc#1162610: rhostname buffer overflow in the

Browse Source 
eap_request and eap_response functions.

OBS-URL: https://build.opensuse.org/package/show/network/ppp?expand=0&rev=49
This commit is contained in:
Reinhard Max 2020-02-07 14:48:55 +00:00 committed by Git OBS Bridge
parent 47136598ad
commit 22ec66be50
3 changed files with 44 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
ppp-CVE-2020-8597.patch Normal file
View File

@ -0,0 +1,35 @@
From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@ozlabs.org>
Date: Mon, 3 Feb 2020 15:53:28 +1100
Subject: [PATCH] pppd: Fix bounds check in EAP code
Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname). This fixes the check so we
actually avoid overflowing the rhostname array.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
---
pppd/eap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- pppd/eap.c.orig
+++ pppd/eap.c
@@ -1421,7 +1421,7 @@ int len;
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1847,7 +1847,7 @@ int len;
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';

6
ppp.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Feb 7 14:30:35 UTC 2020 - Reinhard Max <max@suse.com>
- CVE-2020-8597, bsc#1162610: rhostname buffer overflow in the
eap_request and eap_response functions.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 4 15:18:10 UTC 2018 - schwab@suse.de Thu Oct 4 15:18:10 UTC 2018 - schwab@suse.de

4
ppp.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package ppp # spec file for package ppp
# #
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2020 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -75,6 +75,7 @@ Patch23: ppp-send-padt.patch
Patch24: ppp-CVE-2015-3310.patch Patch24: ppp-CVE-2015-3310.patch
Patch25: fix-header-conflict.patch Patch25: fix-header-conflict.patch
Patch26: ppp-2.4.7-DES-openssl.patch Patch26: ppp-2.4.7-DES-openssl.patch
Patch27: ppp-CVE-2020-8597.patch
BuildRequires: libpcap-devel BuildRequires: libpcap-devel
BuildRequires: linux-atm-devel BuildRequires: linux-atm-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -146,6 +147,7 @@ you can disable unnecessary or disable everything.
%patch24 %patch24
%patch25 -p1 %patch25 -p1
%patch26 -p1 %patch26 -p1
%patch27
sed -i -e '1s/local\///' scripts/secure-card sed -i -e '1s/local\///' scripts/secure-card
find scripts -type f | xargs chmod a-x find scripts -type f | xargs chmod a-x
find -type f -name '*.orig' | xargs rm -f find -type f -name '*.orig' | xargs rm -f