fix CVE-2022-4603
(cherry picked from commit 3b10003a78afbdbedfa3dc57a451a118b7963083)
This commit is contained in:
eaglegai
openeuler-sync-bot
parent
c9b8a72d34
commit
679bf6b663
45
backport-CVE-2022-4603.patch
Normal file
45
backport-CVE-2022-4603.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From a75fb7b198eed50d769c80c36629f38346882cbf Mon Sep 17 00:00:00 2001
|
||||
From: Paul Mackerras <paulus@ozlabs.org>
|
||||
Date: Thu, 4 Aug 2022 12:23:08 +1000
|
||||
Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
|
||||
|
||||
This fixes a potential vulnerability where data is written to spkt.buf
|
||||
and rpkt.buf without a check on the array index. To fix this, we
|
||||
check the array index (pkt->cnt) before storing the byte or
|
||||
incrementing the count. This also means we no longer have a potential
|
||||
signed integer overflow on the increment of pkt->cnt.
|
||||
|
||||
Fortunately, pppdump is not used in the normal process of setting up a
|
||||
PPP connection, is not installed setuid-root, and is not invoked
|
||||
automatically in any scenario that I am aware of.
|
||||
|
||||
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
|
||||
---
|
||||
pppdump/pppdump.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
|
||||
index 2b815fc9..b85a8627 100644
|
||||
--- a/pppdump/pppdump.c
|
||||
+++ b/pppdump/pppdump.c
|
||||
@@ -297,6 +297,10 @@ dumpppp(f)
|
||||
printf("%s aborted packet:\n ", dir);
|
||||
q = " ";
|
||||
}
|
||||
+ if (pkt->cnt >= sizeof(pkt->buf)) {
|
||||
+ printf("%s over-long packet truncated:\n ", dir);
|
||||
+ q = " ";
|
||||
+ }
|
||||
nb = pkt->cnt;
|
||||
p = pkt->buf;
|
||||
pkt->cnt = 0;
|
||||
@@ -400,7 +404,8 @@ dumpppp(f)
|
||||
c ^= 0x20;
|
||||
pkt->esc = 0;
|
||||
}
|
||||
- pkt->buf[pkt->cnt++] = c;
|
||||
+ if (pkt->cnt < sizeof(pkt->buf))
|
||||
+ pkt->buf[pkt->cnt++] = c;
|
||||
break;
|
||||
}
|
||||
}
|
||||
9
ppp.spec
9
ppp.spec
@ -1,6 +1,6 @@
|
||||
Name: ppp
|
||||
Version: 2.4.8
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: The Point-to-Point Protocol
|
||||
|
||||
License: BSD and LGPLv2+ and GPLv2+ and Public Domain
|
||||
@ -58,6 +58,7 @@ Patch0026: ppp-2.4.8-eaptls-mppe-1.102.patch
|
||||
Patch0027: ppp-CVE-2015-3310.patch
|
||||
Patch0028: ppp-CVE-2020-8597.patch
|
||||
Patch0029: backport-pppd-Negotiate-IP-address-when-only-peer-addresses-are-provided.patch
|
||||
Patch0030: backport-CVE-2022-4603.patch
|
||||
|
||||
%description
|
||||
The Point-to-Point Protocol (PPP) provides a standard way to establish
|
||||
@ -154,6 +155,12 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp
|
||||
%{_mandir}/man8/*.8.gz
|
||||
|
||||
%changelog
|
||||
* Thu Dec 29 2022 gaihuiying <eaglegai@163.com> - 2.4.8-4
|
||||
- Type:cves
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2022-4603
|
||||
|
||||
* Wed Oct 19 2022 gaihuiying <eaglegai@163.com> - 2.4.8-3
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user