Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root, an attacker could overwrite any file on the file system.
CVE ID: CAN-2004-0564
Reproducible: Sometimes
net-dialup, please comment... I suppose we're vulnerable to this, since upstream wasn't patched. With which owner/group/suid/sgid do we install pppoe? I suppose we should do like Debian did and patch it.
Adding comment to above URL. I find it a lot easier when we can click on a given URL. http://www.debian.org/security/2004/dsa-557
Created attachment 41151: rp-pppoe-3.5-r2.patch. Created r2 ebuild which includes the significant part of the Debian patch.
Created attachment 41152: files/rp-pppoe-3.5-dsa-557.patch. Significant part of the Debian patch for DSA 557.
Alin, please tell me with which owner/group/suid/sgid we install rp-pppoe? What are the packages affected by this? Both rp-pppoe and pppoe? Or just rp-pppoe?
alin root # ls -l /usr/sbin/pppoe*
-rwxr-xr-x 1 root root 30108 Oct 6 00:06 /usr/sbin/pppoe
-rwxr-xr-x 1 root root 26964 Oct 6 00:06 /usr/sbin/pppoe-relay
-rwxr-xr-x 1 root root 40704 Oct 6 00:06 /usr/sbin/pppoe-server
-rwxr-xr-x 1 root root 14044 Oct 6 00:06 /usr/sbin/pppoe-sniff
-rwsr-xr-x 1 root root 6736 Oct 6 00:06 /usr/sbin/pppoe-wrapper
alin root # ls -l /usr/sbin/adsl-*
-rwxr-xr-x 1 root root 9239 Oct 6 00:06 /usr/sbin/adsl-connect
-rwxr-xr-x 1 root root 9549 Oct 6 00:06 /usr/sbin/adsl-setup
-rwxr-xr-x 1 root root 5862 Oct 6 00:06 /usr/sbin/adsl-start
-rwxr-xr-x 1 root root 2457 Oct 6 00:06 /usr/sbin/adsl-status
-rwxr-xr-x 1 root root 2407 Oct 6 00:06 /usr/sbin/adsl-stop
However, I don't see any reason why we would proceed any differently than in cases before this. If it is a setuid/seteuid problem (like the cdrecord problem not so long ago), we should act as if we install these programs suid-ed to root. It does not count that we install cdrecord without the suid attribute; we should consider the case when a user sets this attribute on their own.
cdrecord was a controversy amongst the security team. The only reason why we issued a GLSA about it is that it's very common practice to change it to SUID root (front-end programs do it routinely and even cdrecord itself asks for it with intimidating warning messages). If there is no point in having it SUID or if the rp-pppoe docs don't ask that the user do it, we won't issue a GLSA. If the rp-pppoe docs (or ebuild) explicitly ask the user to set it SUID root for extra functionality, then we will. I'm not an rp-pppoe user, so please enlighten me. We just can't issue GLSAs for vulnerabilities where the only way to be vulnerable is to manually change a program to SUID root where there is no point in doing so. Users can walk over themselves in a thousand other easier ways.
/usr/sbin/pppoe-wrapper is the only suid-ed file.
OK, I've made a mistake. /usr/sbin/pppoe-wrapper does not belong to rp-pppoe. There are no suid-ed/sgid-ed executables installed by rp-pppoe-3.5-r1.ebuild.
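The check the thread performs by hand (which of a package's installed files carry setuid/setgid) as a script. This is an added example, not code from the bug or from rp-pppoe; it assumes the file list is in Gentoo's /var/db/pkg/<cat>/<pkg>/CONTENTS format, and the sample tree it builds is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example (not from the bug thread): report the setuid/setgid files a package
# installed, which is what decides whether the pppoe file-overwrite bug matters.
# Assumption: CONTENTS lines look like "obj <path> <md5> <mtime>", "dir <path>",
# "sym <path> -> <target> <mtime>" (Gentoo's /var/db/pkg/<cat>/<pkg>/CONTENTS).

# setuid_files CONTENTS_FILE
# Prints "<mode> <path>" for every "obj" entry that currently has setuid or setgid
# set; prints nothing when the package installs no such file. ls -ld is used so the
# check does not depend on GNU find's -perm syntax.
setuid_files() {
    while read -r kind path _; do
        [ "$kind" = "obj" ] && [ -e "$path" ] || continue
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            ???[sS]*|??????[sS]*) printf '%s %s\n' "$mode" "$path" ;;  # pos 4 = setuid, pos 7 = setgid
        esac
    done < "$1"
}

# count_setuid CONTENTS_FILE: number of setuid/setgid entries, for scripting.
count_setuid() { setuid_files "$1" | wc -l | tr -d ' '; }

# build_sample_pkg DIR
# Constructed sample data: an install tree like the rp-pppoe listing in the thread,
# with pppoe-wrapper deliberately mode 4755 (setuid). Writes DIR/CONTENTS, prints its path.
build_sample_pkg() {
    d="$1"
    mkdir -p "$d/usr/sbin"
    for f in pppoe pppoe-relay pppoe-server adsl-start; do
        : > "$d/usr/sbin/$f"; chmod 755 "$d/usr/sbin/$f"
    done
    : > "$d/usr/sbin/pppoe-wrapper"; chmod 4755 "$d/usr/sbin/pppoe-wrapper"
    {
        echo "dir $d/usr/sbin"
        for f in pppoe pppoe-relay pppoe-server pppoe-wrapper adsl-start; do
            # md5 below is that of an empty file; mtime is a made-up epoch value
            echo "obj $d/usr/sbin/$f d41d8cd98f00b204e9800998ecf8427e 1097000000"
        done
    } > "$d/CONTENTS"
    echo "$d/CONTENTS"
}

# Demo on the constructed tree: only pppoe-wrapper should be reported.
tmp=$(mktemp -d)
setuid_files "$(build_sample_pkg "$tmp")"
rm -rf "$tmp"
```

Point it at a real package with `setuid_files /var/db/pkg/net-dialup/rp-pppoe-3.5-r2/CONTENTS` (path assumed); an empty result is the "no GLSA needed" condition the thread settles on.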
Since rp-pppoe is not installed SUID root and there is no compelling reason to set it on Gentoo (use the rp-pppoe daemon, Luke), we won't issue a GLSA on this. This should nevertheless be fixed.
Added -r2 to portage.
Thx Alin and Heinrich :) Arches, please mark net-dialup/rp-pppoe-3.5-r2 stable
stable amd64
Stable on alpha.
arm/hppa stable
sparc stable.
ppc stable
Closed without GLSA
Stable on mips.