Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: pptpd (200304-08)
Date: Mon, 28 Apr 2003 10:06:39
Message-Id: 20030428092252.A61F1338E6@mail1.tamperd.net
---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-08
---------------------------------------------------------------------

PACKAGE : pptpd
SUMMARY : buffer overflow
DATE : 2003-04-28 09:22 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <pptpd-1.1.3.20030429
FIXED VERSION : >=pptpd-1.1.3.20030429
CVE : CAN-2003-0213

---------------------------------------------------------------------

From advisory:

"The PPTP packet header contains a 16-bit length which specifies the full size of
the packet:

bytes_this = read(clientFd, packet + bytes_ttl, 2 - bytes_ttl);
// ...
bytes_ttl += bytes_this;
// ...
length = htons(*(u_int16_t *) packet);
if (length > PPTP_MAX_CTRL_PCKT_SIZE) {
// abort
}

Looks good so far, except:

bytes_this = read(clientFd, packet + bytes_ttl, length - bytes_ttl);

If the given length was 0 or 1, the "length - bytes_ttl" result is -1 or -2,
which means that it reads an unlimited amount of data from the client into
"packet", which is a buffer located on the stack.

The exploitability only depends on whether libc allows the size parameter to be
larger than SSIZE_MAX bytes. GLIBC does; Solaris and *BSD don't."

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104994375011406&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-dialup/pptpd upgrade to pptpd-1.1.3.20030409 as follows:

emerge sync
emerge pptpd
emerge clean

---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
---------------------------------------------------------------------
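
As an added illustration (not pptpd's code and not part of the advisory), here is the same two-phase read loop with the length check hardened: a length field smaller than the two bytes already consumed is rejected, so "length - bytes_ttl" can never go negative and turn into an enormous size_t, and the read is also bounded by the destination buffer. PPTP_MAX_CTRL_PCKT_SIZE is an assumed value, and read(2) is abstracted behind a callback so the loop can be exercised against a constructed in-memory client stream.

```c
#include <string.h>
#include <sys/types.h>

#define PPTP_MAX_CTRL_PCKT_SIZE 256 /* assumed cap; the real value lives in pptpd's headers */
#define PPTP_MIN_CTRL_PCKT_SIZE 2   /* must cover the 2 length bytes already consumed */

typedef ssize_t (*read_fn)(void *ctx, void *buf, size_t n); /* read(2)-shaped source */
/* Returns the packet length on success, -1 on a bad length field or short input. */
ssize_t read_ctrl_packet(read_fn rd, void *ctx, unsigned char *packet, size_t packet_cap)
{
    size_t bytes_ttl = 0, length;
    ssize_t bytes_this;
    while (bytes_ttl < 2) {                       /* phase 1: 16-bit length field */
        if ((bytes_this = rd(ctx, packet + bytes_ttl, 2 - bytes_ttl)) <= 0)
            return -1;
        bytes_ttl += (size_t)bytes_this;
    }
    length = ((size_t)packet[0] << 8) | packet[1]; /* network byte order, as ntohs() */
    /* The fix: a length below the bytes already read makes length - bytes_ttl negative,
     * i.e. a huge size_t once passed to read(); also bound it by the destination. */
    if (length < PPTP_MIN_CTRL_PCKT_SIZE || length > PPTP_MAX_CTRL_PCKT_SIZE || length > packet_cap)
        return -1;

    while (bytes_ttl < length) {                  /* phase 2: rest of the packet */
        if ((bytes_this = rd(ctx, packet + bytes_ttl, length - bytes_ttl)) <= 0)
            return -1;
        bytes_ttl += (size_t)bytes_this;
    }
    return (ssize_t)bytes_ttl;
}

/* Constructed in-memory client stream, handed over one byte per call like a slow socket. */
struct mem_src { const unsigned char *data; size_t len, pos; };

ssize_t mem_read(void *ctx, void *buf, size_t n)
{
    struct mem_src *s = ctx;
    if (n == 0 || s->pos >= s->len)
        return 0;                                 /* EOF */
    memcpy(buf, s->data + s->pos++, 1);
    return 1;
}

/* Parse one constructed stream into a fixed 64-byte stack buffer. */
ssize_t parse_stream(const unsigned char *data, size_t len)
{
    struct mem_src src = { data, len, 0 };
    unsigned char packet[64];
    return read_ctrl_packet(mem_read, &src, packet, sizeof packet);
}
```

With the original check, the length-0 and length-1 streams below would have turned the second read() into a request for SIZE_MAX-ish bytes into a 64-byte stack buffer; the hardened loop returns -1 before issuing it.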