diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch')
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch new file mode 100644 index 000000000..c5a0be86f --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch @@ -0,0 +1,30 @@ +ppp: Buffer overflow in radius plugin + +From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450 + +Upstream-Status: Backport +CVE: CVE-2015-3310 + +On systems with more than 65535 processes running, pppd aborts when +sending a "start" accounting message to the RADIUS server because of a +buffer overflow in rc_mksid. + +The process id is used in rc_mksid to generate a pseudo-unique string, +assuming that the hex representation of the pid will be at most 4 +characters (FFFF). __sprintf_chk(), used when compiling with +optimization levels greater than 0 and FORTIFY_SOURCE, detects the +buffer overflow and makes pppd crash. + +The following patch fixes the problem. + +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c ++++ ppp-2.4.6/pppd/plugins/radius/util.c +@@ -77,7 +77,7 @@ rc_mksid (void) + static unsigned short int cnt = 0; + sprintf (buf, "%08lX%04X%02hX", + (unsigned long int) time (NULL), +- (unsigned int) getpid (), ++ (unsigned int) getpid () % 65535, + cnt & 0xFF); + cnt++; + return buf; |