Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#44607 - [ppp] CVE-2015-3310: denial of service in ppp radius plugin

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Thursday, 16 April 2015, 07:52 GMT
Last edited by Allan McRae (Allan) - Monday, 27 July 2015, 05:39 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Thomas B├Ąchler (brain0)
Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hello,

A security issue has been reported [0] in the radius plugin of ppp, a buffer overflow leading to denial of service. I doesn't seem that this issue has been corrected upstream, as it's still present in the trunk [1]. I believe we should backport the fix included in Debian [2].

[0]: http://www.openwall.com/lists/oss-security/2015/04/13/4
[1]: https://github.com/paulusmack/ppp/blob/master/pppd/plugins/radius/util.c
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782450#37
This task depends upon

Closed by  Allan McRae (Allan)
Monday, 27 July 2015, 05:39 GMT
Reason for closing:  Fixed
Additional comments about closing:  ppp-2.4.7-2 in [testing]
Comment by Levente Polyak (anthraxx) - Monday, 27 July 2015, 01:10 GMT
Find the attached patch file for the CVE and the PKGBUILD:

- adding patch for CVE-2015-3310
- switched upstream download url (FTP is not reachable and obsolete: https://github.com/paulusmack/ppp/issues/36)
- added missing validpgpkeys

cheers

Loading...