main/ppp: mitigate CVE-2022-4603

2026-05-05 20:36:40 +02:00 · 2023-01-15 12:52:55 +00:00 · 2023-01-15 12:52:55 +00:00 · b3ee7103ed
commit b3ee7103ed
parent 6adf4b4a15
2 changed files with 60 additions and 8 deletions
--- a/main/ppp/APKBUILD
+++ b/main/ppp/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ppp
 pkgver=2.4.9
-pkgrel=0
+pkgrel=1
 pkgdesc="A daemon which implements the PPP protocol for dial-up networking"
 url="https://ppp.samba.org/"
 arch="all"
@ -22,17 +22,21 @@ depends="$pkgname-chat $pkgname-radius
 	    "

 source="https://github.com/paulusmack/ppp/archive/ppp-$pkgver.tar.gz
-	musl-fix-headers.patch
-	fix-paths.patch
 	0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+	fix-paths.patch
 	fix-pppd-magic.h.patch
+	musl-fix-headers.patch
+	CVE-2022-4603.patch
 	ip-down
 	ip-up
-	pppd.initd"
+	pppd.initd
+	"

 builddir="$srcdir"/$pkgname-$pkgname-$pkgver

 # secfixes:
+#   2.4.9-r1:
+#     - CVE-2022-4603
 #   2.4.8-r1:
 #     - CVE-2020-8597

@ -166,11 +170,14 @@ daemon() {
 	mv "$pkgdir"/* "$subpkgdir"/
 }

-sha512sums="c309f8f69f534c05547cd2f66dade0e0f198ea4c2928a7e899e660280786b3e965437a67b8c5bb81c59d0fa1818b4eb7b701d2dce015a420d380422d2bca4e1a  ppp-2.4.9.tar.gz
-29fe71a64d1370aa9a939767261a5d3b69c35e56e2fba0598477cf4986ad6dc4aff3dfa12562e8acf38272bad5b3773c8a5104599da872f7dd995bf2e64bfb58  musl-fix-headers.patch
-7b84e2085c5e399a8f9e0cb928a7b4d5077f42755efa8961c848e287a8b8b78f3a123b59fbac76610ce8fe1f81fa103188b2e3ad4ffd82d14cb82243e2edeb91  fix-paths.patch
+sha512sums="
+c309f8f69f534c05547cd2f66dade0e0f198ea4c2928a7e899e660280786b3e965437a67b8c5bb81c59d0fa1818b4eb7b701d2dce015a420d380422d2bca4e1a  ppp-2.4.9.tar.gz
 b490971d03fef4de66b61123f80a0087270bcb88466ae8ed98ea9a08b35d4c7c46b2dadd304e2970a4206bb5760a14370d7e3873de6240119d88e927ecef840c  0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+7b84e2085c5e399a8f9e0cb928a7b4d5077f42755efa8961c848e287a8b8b78f3a123b59fbac76610ce8fe1f81fa103188b2e3ad4ffd82d14cb82243e2edeb91  fix-paths.patch
 d1067defff79d6c9f67121a9214e41a1bcca1e3b8a345ad905d223fdb8835142bad7cc3b556a3eca509ddf51cf808741773f31f4dca74e834b612a15854a5e6b  fix-pppd-magic.h.patch
+29fe71a64d1370aa9a939767261a5d3b69c35e56e2fba0598477cf4986ad6dc4aff3dfa12562e8acf38272bad5b3773c8a5104599da872f7dd995bf2e64bfb58  musl-fix-headers.patch
+a82a7292bccef0690c82fcdf7d976fe831dd0d2c03f0aa49531777853fd1925f5a5c2ef49509bea6e012ab1d694a0ab2a6d13743219dcdb21beccd42a9a5caab  CVE-2022-4603.patch
 160260bd2a788beaac395eadb38efbfd1e0e1a458fe151555acacf2c4f3a12381d644672c664f9793db6e3459a4f05a54e3ff6d407b0d37e8014b15bd0f11bcc  ip-down
 8258c95a6b6e8e94d6001b5cd3a99bd3270f29ba0f2e5050a26c8d5f1b67eead8d039e71ce86a784d45e620047b0a2bb14b258d80a9ea62084ba588a4c2e2d84  ip-up
-bd6f43588b037367ffdb57f5e331492dcaa5969003e219c2dc8b90e6be1aa407282ff6114b91d1379ebeff766983fa0622456520cc0ac592b4f0b1496acf21bf  pppd.initd"
+bd6f43588b037367ffdb57f5e331492dcaa5969003e219c2dc8b90e6be1aa407282ff6114b91d1379ebeff766983fa0622456520cc0ac592b4f0b1496acf21bf  pppd.initd
+"
--- a/main/ppp/CVE-2022-4603.patch
+++ b/main/ppp/CVE-2022-4603.patch
@ -0,0 +1,45 @@
+From a75fb7b198eed50d769c80c36629f38346882cbf Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 4 Aug 2022 12:23:08 +1000
+Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
+
+This fixes a potential vulnerability where data is written to spkt.buf
+and rpkt.buf without a check on the array index.  To fix this, we
+check the array index (pkt->cnt) before storing the byte or
+incrementing the count.  This also means we no longer have a potential
+signed integer overflow on the increment of pkt->cnt.
+
+Fortunately, pppdump is not used in the normal process of setting up a
+PPP connection, is not installed setuid-root, and is not invoked
+automatically in any scenario that I am aware of.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppdump/pppdump.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index 2b815fc9..b85a8627 100644
+--- a/pppdump/pppdump.c
+++ b/pppdump/pppdump.c
+@@ -297,6 +297,10 @@ dumpppp(f)
+ 			    printf("%s aborted packet:\n     ", dir);
+ 			    q = "    ";
+ 			}
+			if (pkt->cnt >= sizeof(pkt->buf)) {
+			    printf("%s over-long packet truncated:\n     ", dir);
+			    q = "    ";
+			}
+ 			nb = pkt->cnt;
+ 			p = pkt->buf;
+ 			pkt->cnt = 0;
+@@ -400,7 +404,8 @@ dumpppp(f)
+ 			c ^= 0x20;
+ 			pkt->esc = 0;
+ 		    }
+-		    pkt->buf[pkt->cnt++] = c;
+		    if (pkt->cnt < sizeof(pkt->buf))
+			pkt->buf[pkt->cnt++] = c;
+ 		    break;
+ 		}
+ 	    }