Accepting request 344305 from network

1

OBS-URL: https://build.opensuse.org/request/show/344305
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ppp?expand=0&rev=32

ppp-CVE-2015-3310.patch

@@ -0,0 +1,13 @@
+--- pppd/plugins/radius/util.c
++++ pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+   static unsigned short int cnt = 0;
+   sprintf (buf, "%08lX%04X%02hX",
+ 	   (unsigned long int) time (NULL),
+-	   (unsigned int) getpid (),
++	   (unsigned int) getpid () % 65535,
+ 	   cnt & 0xFF);
+   cnt++;
+   return buf;
+
+

ppp.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Nov 13 15:26:03 UTC 2015 - max@suse.com
+
+- Added ppp-CVE-2015-3310.patch:
+  Fix for bnc#927841, CVE-2015-3310: Fix buffer overflow in radius
+  plug-in's rc_mksid().
+
 -------------------------------------------------------------------
 Wed Nov 19 03:11:00 UTC 2014 - Led <ledest@gmail.com>
 

ppp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ppp
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -69,6 +69,8 @@ Patch19:        ppp-2.4.4-strncatfix.patch
 Patch21:        ppp-2.4.6-lib64.patch
 Patch22:        ppp-2.4.4-var_run_resolv_conf.patch
 Patch23:        ppp-send-padt.patch
+# PATCH-FIX-UPSTREAM -- Patch for CVE-2015-3310
+Patch24:        ppp-CVE-2015-3310.patch
 
 %description
 The ppp package contains the PPP (Point-to-Point Protocol) daemon,
@@ -109,6 +111,7 @@ plugins for the pppd.
 %endif
 %patch22
 %patch23 -p1
+%patch24
 sed -i -e '1s/local\///' scripts/secure-card
 find scripts -type f | xargs chmod a-x
 find -type f -name '*.orig' | xargs rm -f