[dunfell,06/18] ppp: fix CVE-2022-4603

Message ID	57e3ee40799614463480437f6abf082a49b75334.1672594796.git.steve@sakoman.com
State	Accepted, archived
Commit	7f33a49f7aaae67288389eacbe8b13318694e07c
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.45, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/18] ppp: fix CVE-2022-4603 Date: Sun, 1 Jan 2023 07:42:22 -1000 Message-Id: <57e3ee40799614463480437f6abf082a49b75334.1672594796.git.steve@sakoman.com> In-Reply-To: <cover.1672594796.git.steve@sakoman.com> References: <cover.1672594796.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/18] grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be loaded \| expand [dunfell,01/18] grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be loaded [dunfell,02/18] go: fix CVE-2022-41717 Excessive memory use in got server [dunfell,03/18] rsync: fix CVE-2022-29154 remote arbitrary files write inside the directories of co… [dunfell,04/18] libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of xcb_disp.c [dunfell,05/18] qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data transfers [dunfell,06/18] ppp: fix CVE-2022-4603 [dunfell,07/18] cairo: update patch for CVE-2019-6461 with upstream solution [dunfell,08/18] linux-yocto/5.4: update to v5.4.221 [dunfell,09/18] linux-yocto/5.4: update to v5.4.224 [dunfell,10/18] linux-yocto/5.4: update to v5.4.225 [dunfell,11/18] linux-yocto/5.4: update to v5.4.228 [dunfell,12/18] tzdata: update 2022d -> 2022g [dunfell,13/18] sudo: Use specific BSD license variant [dunfell,14/18] bc: extend to nativesdk [dunfell,15/18] lib/buildstats: fix parsing of trees with reduced_proc_pressure directories [dunfell,16/18] externalsrc: fix lookup for .gitmodules [dunfell,17/18] go-crosssdk: avoid host contamination by GOCACHE [dunfell,18/18] qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel image

Message ID

57e3ee40799614463480437f6abf082a49b75334.1672594796.git.steve@sakoman.com

State

Accepted, archived

Commit

7f33a49f7aaae67288389eacbe8b13318694e07c

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 06/18] ppp: fix CVE-2022-4603
Date: Sun,  1 Jan 2023 07:42:22 -1000
Message-Id: 
 <57e3ee40799614463480437f6abf082a49b75334.1672594796.git.steve@sakoman.com>
In-Reply-To: <cover.1672594796.git.steve@sakoman.com>
References: <cover.1672594796.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/18] grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be loaded | expand

Commit Message

Steve Sakoman Jan. 1, 2023, 5:42 p.m. UTC

From: Minjae Kim <flowergom@gmail.com>

<CVE-2022-4603>
Avoid out-of-range access to packet buffer
Upstream-Status: Backport[https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]

Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ppp/ppp/CVE-2022-4603.patch               | 50 +++++++++++++++++++
 meta/recipes-connectivity/ppp/ppp_2.4.7.bb    |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch

diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
new file mode 100644
index 0000000000..27b8863a4e
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
@@ -0,0 +1,50 @@ 
+From 2aeb41a9a3a43b11b1e46628d0bf98197ff9f141 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 29 Dec 2022 18:00:20 +0100
+Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
+
+This fixes a potential vulnerability where data is written to spkt.buf
+and rpkt.buf without a check on the array index.  To fix this, we
+check the array index (pkt->cnt) before storing the byte or
+incrementing the count.  This also means we no longer have a potential
+signed integer overflow on the increment of pkt->cnt.
+
+Fortunately, pppdump is not used in the normal process of setting up a
+PPP connection, is not installed setuid-root, and is not invoked
+automatically in any scenario that I am aware of.
+
+Ustream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]
+CVE: CVE-2022-4603
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ pppdump/pppdump.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index 87c2e8f..dec4def 100644
+--- a/pppdump/pppdump.c
++++ b/pppdump/pppdump.c
+@@ -296,6 +296,10 @@ dumpppp(f)
+ 			    printf("%s aborted packet:\n     ", dir);
+ 			    q = "    ";
+ 			}
++			if (pkt->cnt >= sizeof(pkt->buf)) {
++			    printf("%s over-long packet truncated:\n     ", dir);
++			    q = "    ";
++			}
+ 			nb = pkt->cnt;
+ 			p = pkt->buf;
+ 			pkt->cnt = 0;
+@@ -399,7 +403,8 @@ dumpppp(f)
+ 			c ^= 0x20;
+ 			pkt->esc = 0;
+ 		    }
+-		    pkt->buf[pkt->cnt++] = c;
++		    if (pkt->cnt < sizeof(pkt->buf))
++			    pkt->buf[pkt->cnt++] = c;
+ 		    break;
+ 		}
+ 	    }
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
index 76c1cc62a7..51ec25e660 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -34,6 +34,7 @@  SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://0001-ppp-Remove-unneeded-include.patch \
            file://ppp-2.4.7-DES-openssl.patch \
            file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
+           file://CVE-2022-4603.patch \
 "
 
 SRC_URI_append_libc-musl = "\

[dunfell,06/18] ppp: fix CVE-2022-4603

Commit Message

Patch