author | Milan P. Stanić <mps@arvanta.net> | 2020-03-06 14:19:05 +0100 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-03-10 16:30:16 -0300 |
commit | b875b192e39183f31005976ae4f6def0cfb1cec7 (patch) | |
tree | c447dff88f96cfc3fdf1a38ef6fc2b00846f36a0 | |
parent | 0301b076d7141df079a9815a6fc9e7cde6b9cc31 (diff) | |
download | alpine_aports-b875b192e39183f31005976ae4f6def0cfb1cec7.tar.bz2 alpine_aports-b875b192e39183f31005976ae4f6def0cfb1cec7.tar.xz alpine_aports-b875b192e39183f31005976ae4f6def0cfb1cec7.zip |
main/ppp: secfix for radius and EAP
backported security fixes from upstream:
radius: Prevent buffer overflow in rc_mksid()
pppd: Ignore received EAP messages when not doing EAP
fix APKBUILD 'secfixes' to correct ppp version
-rw-r--r-- | main/ppp/APKBUILD | 8 | ||||
-rw-r--r-- | main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch | 64 | ||||
-rw-r--r-- | main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch | 33 |
3 files changed, 103 insertions, 2 deletions
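--- a/main/ppp/APKBUILD
+++ b/main/ppp/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ppp
 pkgver=2.4.7
-pkgrel=7
+pkgrel=8
 pkgdesc="A daemon which implements the PPP protocol for dial-up networking"
 url="http://www.samba.org/ppp/"
 arch="all"
@@ -26,7 +26,9 @@ source="https://ftp.samba.org/pub/ppp/ppp-$pkgver.tar.gz
 musl-fix-headers.patch
 fix-paths.patch
 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+radius-Prevent-buffer-overflow-in-rc_mksid.patch
 fix-bound-check-eap.patch
+pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
 ip-down
 ip-up
 pppd.initd"
@@ -34,7 +36,7 @@ source="https://ftp.samba.org/pub/ppp/ppp-$pkgver.tar.gz
 _builddir="$srcdir"/$pkgname-$pkgver
 
 # secfixes:
-# 2.4.8-r1:
+# 2.4.7-r7:
 # - CVE-2020-8597
 
 prepare() {
@@ -183,7 +185,9 @@ fccc7a6809ae4a617796ccf1d2132de8edb1cc0c71d76a95393585a5970b92be2a54da558702db35
 2f071ea9db15e4abf1bed6cce8130dc81b710a31bfef5fa8f9370c353f845dbc47674b1551b8e040478e5156add6f98d480530206125e8bb308f0f4288d1eec6 musl-fix-headers.patch
 8384afb992a98a7f97b484866e6aa1b1de51e901d7837f84f7ce2beba6815591450fab43957f03b65804424c4940c59640a9cd878979240a171aa77427e9c4ff fix-paths.patch
 b490971d03fef4de66b61123f80a0087270bcb88466ae8ed98ea9a08b35d4c7c46b2dadd304e2970a4206bb5760a14370d7e3873de6240119d88e927ecef840c 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+d175085eaa93ccf8ade7be4f9818efe353017da7cec41d9312ad2c6685e3763834aff76d673e9d2bb0b44336f926537569ddb86a6035ec33ab8b6a7de2340132 radius-Prevent-buffer-overflow-in-rc_mksid.patch
 ba0c062f93400008ddf47897ac2ab6a2f5017bc7f4167d1a93dd3a5c04068a922490eb4082b0da80f0c3aea6c87fdfbca3568548724a0abc148588ab86a6df32 fix-bound-check-eap.patch
+ce1bf3298f3f99a7de643bd070cb0e7e7b1dd9621926637ffc93fd2ef552781424ce9a68c88de6eb25dc2593d543e8e329eccc2d00982bde2493e8efb7903051 pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
 160260bd2a788beaac395eadb38efbfd1e0e1a458fe151555acacf2c4f3a12381d644672c664f9793db6e3459a4f05a54e3ff6d407b0d37e8014b15bd0f11bcc ip-down
 8258c95a6b6e8e94d6001b5cd3a99bd3270f29ba0f2e5050a26c8d5f1b67eead8d039e71ce86a784d45e620047b0a2bb14b258d80a9ea62084ba588a4c2e2d84 ip-up
 bd6f43588b037367ffdb57f5e331492dcaa5969003e219c2dc8b90e6be1aa407282ff6114b91d1379ebeff766983fa0622456520cc0ac592b4f0b1496acf21bf pppd.initd"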
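Review bot: The `secfixes` block ends up with only the `2.4.7-r7` key, although the two patches this commit adds to `source` first ship in `pkgrel=8`, so nothing in the APKBUILD records which release carries the rc_mksid overflow fix and the unsolicited-EAP checks. Anything that decides whether an installed package is fixed from `secfixes` alone will see r7 and r8 as equivalent. If either patch has an assigned identifier it belongs under a new `# 2.4.7-r8:` key; if not, a plain comment next to the block such as `# 2.4.7-r8 adds the rc_mksid overflow fix and the unsolicited-EAP checks (no identifier recorded)` would keep the history readable. Whether r7 is the release that first carried `fix-bound-check-eap.patch` cannot be confirmed from this page and is worth checking against the package history.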
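--- /dev/null
+++ b/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
@@ -0,0 +1,64 @@
+From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 16:31:42 +1100
+Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
+
+This adds some basic checks to the subroutines of eap_input to check
+that we have requested or agreed to doing EAP authentication before
+doing any processing on the received packet. The motivation is to
+make it harder for a malicious peer to disrupt the operation of pppd
+by sending unsolicited EAP packets. Note that eap_success() already
+has a check that the EAP client state is reasonable, and does nothing
+(apart from possibly printing a debug message) if not.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+pppd/eap.c | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 1b93db0..082e953 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1328,6 +1328,12 @@ int len;
+int fd;
+#endif /* USE_SRP */
+
++ /*
++ * Ignore requests if we're not open
++ */
++ if (esp->es_client.ea_state <= eapClosed)
++ return;
++
+/*
+* Note: we update es_client.ea_id *only if* a Response
+* message is being generated. Otherwise, we leave it the
+@@ -1736,6 +1742,12 @@ int len;
+u_char dig[SHA_DIGESTSIZE];
+#endif /* USE_SRP */
+
++ /*
++ * Ignore responses if we're not open
++ */
++ if (esp->es_server.ea_state <= eapClosed)
++ return;
++
+if (esp->es_server.ea_id != id) {
+dbglog("EAP: discarding Response %d; expected ID %d", id,
+esp->es_server.ea_id);
+@@ -2047,6 +2059,12 @@ u_char *inp;
+int id;
+int len;
+{
++ /*
++ * Ignore failure messages if we're not open
++ */
++ if (esp->es_client.ea_state <= eapClosed)
++ return;
++
+if (!eap_client_active(esp)) {
+dbglog("EAP unexpected failure message in state %s (%d)",
+eap_state_name(esp->es_client.ea_state),
+--
+2.24.1
+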
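Review bot: All three added guards return without logging, so a peer that sends unsolicited EAP Request, Response or Failure packets while EAP is not in progress leaves no trace in the debug log. In the last hunk the guard sits ahead of the existing `dbglog` for an unexpected failure message, which may no longer be reached for those states. A line such as `dbglog("EAP: ignoring unsolicited packet, EAP not negotiated");` before each `return;` would keep that signal for anyone watching for a misbehaving peer. The comments say "not open", but the test is `ea_state <= eapClosed`, which relies on the declaration order of the state enum (not visible here); wording like `/* Ignore requests unless EAP has been started (state above eapClosed) */` would describe what the comparison does. The enclosing functions start and end outside these hunks.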
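--- /dev/null
+++ b/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
@@ -0,0 +1,33 @@
+From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Sat, 4 Jan 2020 12:01:32 +1100
+Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
+
+On some systems getpid() can return a value greater than 65535.
+Increase the size of buf[] to allow for this, and use slprintf()
+to make sure we never overflow it.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+pppd/plugins/radius/util.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
+index 6f976a7..740131e 100644
+--- a/pppd/plugins/radius/util.c
++++ b/pppd/plugins/radius/util.c
+@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
+char *
+rc_mksid (void)
+{
+- static char buf[15];
++ static char buf[32];
+static unsigned short int cnt = 0;
+- sprintf (buf, "%08lX%04X%02hX",
++ slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
+(unsigned long int) time (NULL),
+(unsigned int) getpid (),
+cnt & 0xFF);
+--
+2.24.1
+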
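Review bot: The replacement call uses `slprintf`, which is pppd's own formatter and not a libc function, and this hunk adds no include to util.c. If the radius plugin's util.c does not already pull in `pppd.h`, the variadic call would compile through an implicit declaration, so either confirm the existing includes cover it or add `#include "pppd.h"`. It is also worth confirming that pppd's formatter accepts the `%08lX` and `%02hX` conversions; if it does not, the result would be a malformed session id, not an overflow. The new size is adequate: with a 64-bit `unsigned long` and a 32-bit `unsigned int` the widest output is 16 + 8 + 2 characters plus the terminator, 27 bytes against `buf[32]`. rc_mksid's body continues past the end of the hunk.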