Bug 69152 - net-dialup/ppp: Remote DoS
Summary: net-dialup/ppp: Remote DoS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa] lewk
Depends on:
Reported: 2004-10-27 08:27 UTC by Dan Margolis (RETIRED)
Modified: 2004-11-05 03:51 UTC

See Also:
Package list:
Runtime testing required: ---

Attachments:
cbcp-dosfix.patch (3.31 KB, patch), 2004-10-28 12:38 UTC, Luke Macken (RETIRED)
Patch failure on sparc (cbcp-dosfix.patch-30852.out, 2.42 KB, text/plain), 2004-10-30 06:22 UTC, Gustavo Zacarias (RETIRED)

Description Dan Margolis (RETIRED) gentoo-dev 2004-10-27 08:27:31 UTC
Reporter claims a bad pointer dereference in pppd that could cause an attacker to crash the pppd process. This could lead to a DoS, but he assures that RCE is not possible. Tested on an earlier version than that which is masked in portage. Unconfirmed on the ~ masked version.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-28 12:38:43 UTC
Created attachment 42796 (cbcp-dosfix.patch)

The diff of cbcp.c from CVS, which fixes DoS vulnerabilities.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-28 12:40:48 UTC

The attached file is the diff of cbcp.c from their CVS tree. This version fixes the DoS vulnerabilities mentioned above.

Please verify patch, and make sure it doesn't break anything (they changed the way they output debug info).
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-10-29 05:51:40 UTC
I spoke with upstream regarding this issue.

By default, pppd is not vulnerable to this attack because the line "CBCP=y" is commented out in pppd/Makefile.linux, but our ebuild turns this on, making us vulnerable.

2.4.3 should be getting released hopefully within the next week, and upstream confirmed that applying the cbcp.c diff should work just fine too.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2004-10-30 01:18:41 UTC
I verified the patch against ppp-2.4.2-r6. src_unpack & src_compile end up successfully.

I cannot do more than that since I don't have dev status yet (see bug #63588). 
Comment 5 Daniel Black (RETIRED) gentoo-dev 2004-10-30 05:38:43 UTC
ppp-2.4.2-r7 added with patch. Sorry for the delay.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-10-30 05:59:03 UTC
Thx Daniel.

Arches please mark ppp-2.4.2-r7 stable.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-30 06:22:06 UTC
Created attachment 42906 (Patch failure on sparc)
Patch failure on sparc
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-30 06:22:36 UTC
Patch fails miserably...
Comment 9 Alin Năstac (RETIRED) gentoo-dev 2004-10-30 06:59:35 UTC
All I had to do was to copy this patch to the files/2.4.2 directory and add the following line at the end of src_unpack:
        epatch ${FILESDIR}/2.4.2/cbcp-dosfix.patch

The result:
alin ppp # ebuild ppp-2.4.2-r6.ebuild unpack
>>> md5 src_uri ;-) ppp-2.4.2.tar.gz
>>> md5 src_uri ;-) ppp-2.4.2-mppe-mppc-1.1.patch.gz
>>> md5 src_uri ;-) ppp-dhcpc.tgz
>>> Unpacking source...
>>> Unpacking ppp-2.4.2.tar.gz to /var/tmp/portage/ppp-2.4.2-r6/work
>>> Unpacking ppp-2.4.2-mppe-mppc-1.1.patch.gz to /var/tmp/portage/ppp-2.4.2-r6/work
>>> Unpacking ppp-dhcpc.tgz to /var/tmp/portage/ppp-2.4.2-r6/work
 * Applying mpls.patch.gz ...                                                                                 [ ok ]
 * Applying killaddr-smarter.patch.gz ...                                                                     [ ok ]
 * Applying cflags.patch ...                                                                                  [ ok ]
 * Applying control_c.patch ...                                                                               [ ok ]
 * Disabling active-filter
 * Enabling PAM
 * Enabling CBCP
 * Enabling radius
 * Applying cbcp-dosfix.patch ...                                                                             [ ok ]
>>> Source unpacked.

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-10-30 07:09:27 UTC
Arches please test. Dragonheart just fixed the patch in cvs.
Comment 11 Daniel Black (RETIRED) gentoo-dev 2004-10-30 07:11:27 UTC
Until you commit the patch to cvs and the act of committing it changes the patch line:
#define RCSID   "$Id: cbcp.c,v 1.15 2003/01/17 07:23:35 fcusack Exp $"
#define RCSID   "$Id: cbcp-dosfix.patch,v 1.2 2004/10/30 13:49:28 dragonheart Exp $"
causing the aforesaid miserable failure.

Patch modified to not change the first hunk (being the above line). Arch marking may resume.
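The comment above describes CVS keyword expansion rewriting the "$Id:" line inside the committed patch, which is why the first hunk no longer applied. The script below is an added example (not from the bug, the ebuild or ppp) that automates the workaround applied by hand here: it drops from a unified diff every hunk whose changed lines carry a "$Id:" keyword, sizing each hunk from its @@ counts. The sample patch is constructed; only the RCSID line quoted in the comment is taken from the page, and the replacement revision string is a placeholder.

```shell
# Added example (not from the bug, the ebuild or ppp): drop from a unified diff
# every hunk whose +/- lines touch a CVS "$Id:" keyword, since expansion on commit
# rewrites such lines and that hunk then fails to apply.
# strip_id_hunks IN OUT: copy IN to OUT minus the offending hunks and print how
# many hunks were dropped. Hunk extents come from the @@ line counts, so hunk
# content that happens to start with "---" is not mistaken for a file header.
strip_id_hunks() {
    awk -v out="$2" '
    function flush() {
        if (inhunk && bad) dropped++
        else if (inhunk) printf "%s", hunk > out
        inhunk = 0; hunk = ""; bad = 0
    }
    inhunk == 0 && /^@@ -[0-9]+(,[0-9]+)? \+[0-9]+(,[0-9]+)? @@/ {
        split($0, f, " "); o = f[2]; n = f[3]
        oc = (o ~ /,/) ? substr(o, index(o, ",") + 1) : 1   # old-side line count
        nc = (n ~ /,/) ? substr(n, index(n, ",") + 1) : 1   # new-side line count
        inhunk = 1; hunk = $0 "\n"; next
    }
    inhunk == 1 {
        hunk = hunk $0 "\n"; c = substr($0, 1, 1)
        if (c == "-") oc--
        else if (c == "+") nc--
        else if (c != "\\") { oc--; nc-- }          # context line counts on both sides
        if ($0 ~ /^[-+].*\$Id:/) bad = 1             # changed line carries a keyword
        if (oc <= 0 && nc <= 0) flush()
        next
    }
    { print > out }                                  # file headers and other text
    END { flush(); print dropped + 0 }
    ' "$1"
}

# Constructed sample: hunk 1 rewrites the RCSID line quoted in the bug (the new
# revision string is a placeholder); hunk 2 is an ordinary change that must survive.
tmp=$(mktemp -d)
cat > "$tmp/in.patch" <<'EOF'
--- cbcp.c.orig
+++ cbcp.c
@@ -1,2 +1,2 @@
 /* cbcp.c */
-#define RCSID   "$Id: cbcp.c,v 1.15 2003/01/17 07:23:35 fcusack Exp $"
+#define RCSID   "$Id: cbcp.c,v 1.XX 2004/XX/XX 00:00:00 EXAMPLE Exp $"
@@ -10,1 +10,2 @@
 int x;
+int y;
EOF
dropped=$(strip_id_hunks "$tmp/in.patch" "$tmp/out.patch")
echo "dropped $dropped hunk(s); filtered patch written to $tmp/out.patch"
```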
Comment 12 Simon Stelling (RETIRED) gentoo-dev 2004-10-30 09:58:32 UTC
stable on amd64
Comment 13 Jason Wever (RETIRED) gentoo-dev 2004-10-30 10:05:14 UTC
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-30 14:26:51 UTC
Stable on alpha.
Comment 15 SpanKY gentoo-dev 2004-10-30 22:46:51 UTC
arm/hppa/ia64 stable
Comment 16 Jochen Maes (RETIRED) gentoo-dev 2004-10-31 03:58:46 UTC
stable on ppc
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-10-31 08:36:06 UTC
Ready, security please vote on GLSA need
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-10-31 10:14:33 UTC
I vote for a GLSA on this one.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2004-11-01 02:31:40 UTC
I agree, we need one.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-01 10:09:20 UTC
GLSA 200411-01

lewk you might be fast with drafting but closing.....:-)
Comment 21 Hardave Riar (RETIRED) gentoo-dev 2004-11-05 03:51:09 UTC
Stable on mips.