mirror of
git://slackware.nl/current.git
synced 2025-01-10 05:25:51 +01:00
cb1ee501ca
a/sdparm-1.10-x86_64-3.txz: Rebuilt. Recompiled against sg3_utils-1.45.
a/udisks-1.0.5-x86_64-5.txz: Rebuilt. Recompiled against sg3_utils-1.45.
d/cmake-3.16.5-x86_64-1.txz: Upgraded.
l/libgpod-0.8.3-x86_64-6.txz: Rebuilt. Recompiled against sg3_utils-1.45.
n/curl-7.69.0-x86_64-1.txz: Upgraded.
n/cyrus-sasl-2.1.27-x86_64-3.txz: Rebuilt. Added SQL support via MariaDB. Thanks to niksoggia.
n/ntp-4.2.8p14-x86_64-1.txz: Upgraded.
n/ppp-2.4.8-x86_64-1.txz: Upgraded. This update fixes a security issue: By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597 (* Security fix *)
testing/packages/PAM/cyrus-sasl-2.1.27-x86_64-3_pam.txz: Rebuilt. Added SQL support via MariaDB. Thanks to niksoggia.
testing/packages/PAM/ppp-2.4.8-x86_64-1_pam.txz: Upgraded. This update fixes a security issue: By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597 (* Security fix *)
37 lines
1.3 KiB
Diff
From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@ozlabs.org>
Date: Mon, 3 Feb 2020 15:53:28 +1100
Subject: [PATCH] pppd: Fix bounds check in EAP code
Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname). This fixes the check so we
actually avoid overflowing the rhostname array.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
---
pppd/eap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pppd/eap.c b/pppd/eap.c
index 94407f56..1b93db01 100644
--- a/pppd/eap.c
+++ b/pppd/eap.c
@@ -1420,7 +1420,7 @@ int len;
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
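Review bot: The new condition `len - vallen >= sizeof (rhostname)` compares a difference built from the `int len` shown in the hunk header against a `size_t` from `sizeof`, so the comparison is done as unsigned and is only safe while `vallen <= len` holds. That guarantee comes from a check outside this hunk's context (the commit message refers to it). If that earlier check were ever loosened, a negative difference would wrap to a large value, take the trimming branch, and the BCOPY would read `sizeof (rhostname) - 1` bytes starting at `inp + vallen`. Suggest a short comment here stating the invariant the condition relies on, and replacing the leftover "Not so likely to happen" comment, since this branch is the guard that keeps rhostname from overflowing.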
@@ -1846,7 +1846,7 @@ int len;
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
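Review bot: The condition changed at line 1846 is the same one-line fix as at line 1420, followed by the same dbglog/BCOPY/terminator sequence, so the faulty check existed twice because the peer-name copy is duplicated. Suggest moving that copy into one helper taking inp, vallen and len so the bounds check lives in a single place. It is also worth confirming that no other copy into rhostname in pppd/eap.c still uses the old `vallen >= len + sizeof (rhostname)` form, since only these two sites are touched here.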