!22 [sync] PR-19: fix CVE-2022-4603
From: @openeuler-sync-bot Reviewed-by: @seuzw Signed-off-by: @seuzw
This commit is contained in:
openeuler-ci-bot
Gitee
commit
b0471ae0b3
45
backport-CVE-2022-4603.patch
Normal file
45
backport-CVE-2022-4603.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From a75fb7b198eed50d769c80c36629f38346882cbf Mon Sep 17 00:00:00 2001
|
||||
From: Paul Mackerras <paulus@ozlabs.org>
|
||||
Date: Thu, 4 Aug 2022 12:23:08 +1000
|
||||
Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
|
||||
|
||||
This fixes a potential vulnerability where data is written to spkt.buf
|
||||
and rpkt.buf without a check on the array index. To fix this, we
|
||||
check the array index (pkt->cnt) before storing the byte or
|
||||
incrementing the count. This also means we no longer have a potential
|
||||
signed integer overflow on the increment of pkt->cnt.
|
||||
|
||||
Fortunately, pppdump is not used in the normal process of setting up a
|
||||
PPP connection, is not installed setuid-root, and is not invoked
|
||||
automatically in any scenario that I am aware of.
|
||||
|
||||
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
|
||||
---
|
||||
pppdump/pppdump.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
|
||||
index 2b815fc9..b85a8627 100644
|
||||
--- a/pppdump/pppdump.c
|
||||
+++ b/pppdump/pppdump.c
|
||||
@@ -297,6 +297,10 @@ dumpppp(f)
|
||||
printf("%s aborted packet:\n ", dir);
|
||||
q = " ";
|
||||
}
|
||||
+ if (pkt->cnt >= sizeof(pkt->buf)) {
|
||||
+ printf("%s over-long packet truncated:\n ", dir);
|
||||
+ q = " ";
|
||||
+ }
|
||||
nb = pkt->cnt;
|
||||
p = pkt->buf;
|
||||
pkt->cnt = 0;
|
||||
@@ -400,7 +404,8 @@ dumpppp(f)
|
||||
c ^= 0x20;
|
||||
pkt->esc = 0;
|
||||
}
|
||||
- pkt->buf[pkt->cnt++] = c;
|
||||
+ if (pkt->cnt < sizeof(pkt->buf))
|
||||
+ pkt->buf[pkt->cnt++] = c;
|
||||
break;
|
||||
}
|
||||
}
|
||||
9
ppp.spec
9
ppp.spec
@ -1,6 +1,6 @@
|
||||
Name: ppp
|
||||
Version: 2.4.9
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: The Point-to-Point Protocol
|
||||
|
||||
License: BSD and LGPLv2+ and GPLv2+ and Public Domain
|
||||
@ -47,6 +47,7 @@ Patch0016: backport-ppp-2.4.9-configure-cflags-allow-commas.patch
|
||||
Patch0017: backport-0027-Set-LIBDIR-for-RISCV.patch
|
||||
%endif
|
||||
Patch0018: backport-pppd-Negotiate-IP-address-when-only-peer-addresses-are-provided.patch
|
||||
Patch0019: backport-CVE-2022-4603.patch
|
||||
|
||||
%description
|
||||
The Point-to-Point Protocol (PPP) provides a standard way to establish
|
||||
@ -142,6 +143,12 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp
|
||||
%{_mandir}/man8/*.8.gz
|
||||
|
||||
%changelog
|
||||
* Thu Dec 29 2022 gaihuiying <eaglegai@163.com> - 2.4.9-3
|
||||
- Type:cves
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2022-4603
|
||||
|
||||
* Wed Oct 19 2022 gaihuiying <eaglegai@163.com> - 2.4.9-2
|
||||
- Type:bufix
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user