FS#44607 - [ppp] CVE-2015-3310: denial of service in ppp radius plugin
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Thursday, 16 April 2015, 07:52 GMT
Last edited by Allan McRae (Allan) - Monday, 27 July 2015, 05:39 GMT
Details
Hello,
A security issue has been reported [0] in the radius plugin of ppp, a buffer overflow leading to denial of service. It doesn't seem that this issue has been corrected upstream, as it's still present in the trunk [1]. I believe we should backport the fix included in Debian [2].
[0]: http://www.openwall.com/lists/oss-security/2015/04/13/4
[1]: https://github.com/paulusmack/ppp/blob/master/pppd/plugins/radius/util.c
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782450#37
Closed by Allan McRae (Allan)
Monday, 27 July 2015, 05:39 GMT
Reason for closing: Fixed
Additional comments about closing: ppp-2.4.7-2 in [testing]
- adding patch for CVE-2015-3310
- switched upstream download url (FTP is not reachable and obsolete: https://github.com/paulusmack/ppp/issues/36)
- added missing validpgpkeys
cheers
PKGBUILD.patch (1.7 KiB)