From cb62590561a7c89ae9d1b361cb0811a8794457d8 Mon Sep 17 00:00:00 2001 From: eaglegai Date: Wed, 30 Apr 2025 11:02:27 +0800 Subject: [PATCH] fix CVE-2024-58250 --- backport-CVE-2024-58250.patch | 160 ++++++++++++++++++++++++++++++++++ ppp.spec | 9 +- 2 files changed, 168 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-58250.patch diff --git a/backport-CVE-2024-58250.patch b/backport-CVE-2024-58250.patch new file mode 100644 index 0000000..b98dbe8 --- /dev/null +++ b/backport-CVE-2024-58250.patch @@ -0,0 +1,160 @@ +From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Fri, 18 Oct 2024 20:22:57 +1100 +Subject: [PATCH] pppd: Remove passprompt plugin + +This is prompted by a number of factors: + +* It was more useful back in the dial-up days, but no-one uses dial-up + any more + +* In many cases there will be no terminal accessible to the prompter + program at the point where the prompter is run + +* The passwordfd plugin does much the same thing but does it more + cleanly and securely + +* The handling of privileges and file descriptors needs to be audited + thoroughly. + +Signed-off-by: Paul Mackerras +--- + pppd/plugins/Makefile.linux | 2 +- + pppd/plugins/passprompt.c | 113 ------------------------------------ + 2 files changed, 1 insertion(+), 114 deletions(-) + delete mode 100644 pppd/plugins/passprompt.c + +diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux +index cf73fa9..6382c03 100644 +--- a/pppd/plugins/Makefile.linux ++++ b/pppd/plugins/Makefile.linux +@@ -15,7 +15,7 @@ LIBDIR = $(DESTDIR)/lib/$(shell $(CC) -print-multi-os-directory 2> /dev/null)/pp + SUBDIRS := rp-pppoe pppoatm pppol2tp + # Uncomment the next line to include the radius authentication plugin + SUBDIRS += radius +-PLUGINS := minconn.so passprompt.so passwordfd.so winbind.so ++PLUGINS := minconn.so passwordfd.so winbind.so + + # This setting should match the one in ../Makefile.linux + MPPE=y +diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c +deleted file mode 100644 +index 6ba73ca..0000000 +--- a/pppd/plugins/passprompt.c ++++ /dev/null +@@ -1,113 +0,0 @@ +-/* +- * passprompt.c - pppd plugin to invoke an external PAP password prompter +- * +- * Copyright 1999 Paul Mackerras, Alan Curry. +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- */ +-#include +-#include +-#include +-#include +-#include "pppd.h" +- +-char pppd_version[] = VERSION; +- +-static char promptprog[PATH_MAX+1]; +- +-static option_t options[] = { +- { "promptprog", o_string, promptprog, +- "External PAP password prompting program", +- OPT_STATIC, NULL, PATH_MAX }, +- { NULL } +-}; +- +-static int promptpass(char *user, char *passwd) +-{ +- int p[2]; +- pid_t kid; +- int readgood, wstat; +- ssize_t red; +- +- if (promptprog[0] == 0 || access(promptprog, X_OK) < 0) +- return -1; /* sorry, can't help */ +- +- if (!passwd) +- return 1; +- +- if (pipe(p)) { +- warn("Can't make a pipe for %s", promptprog); +- return 0; +- } +- if ((kid = fork()) == (pid_t) -1) { +- warn("Can't fork to run %s", promptprog); +- close(p[0]); +- close(p[1]); +- return 0; +- } +- if (!kid) { +- /* we are the child, exec the program */ +- char *argv[5], fdstr[32]; +- sys_close(); +- closelog(); +- close(p[0]); +- seteuid(getuid()); +- setegid(getgid()); +- argv[0] = promptprog; +- argv[1] = user; +- argv[2] = remote_name; +- sprintf(fdstr, "%d", p[1]); +- argv[3] = fdstr; +- argv[4] = 0; +- execv(*argv, argv); +- _exit(127); +- } +- +- /* we are the parent, read the password from the pipe */ +- close(p[1]); +- readgood = 0; +- do { +- red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood); +- if (red == 0) +- break; +- if (red < 0) { +- if (errno == EINTR) +- continue; +- error("Can't read secret from %s: %m", promptprog); +- readgood = -1; +- break; +- } +- readgood += red; +- } while (readgood < MAXSECRETLEN - 1); +- close(p[0]); +- +- /* now wait for child to exit */ +- while (waitpid(kid, &wstat, 0) < 0) { +- if (errno != EINTR) { +- warn("error waiting for %s: %m", promptprog); +- break; +- } +- } +- +- if (readgood < 0) +- return 0; +- passwd[readgood] = 0; +- if (!WIFEXITED(wstat)) +- warn("%s terminated abnormally", promptprog); +- if (WEXITSTATUS(wstat)) +- warn("%s exited with code %d", promptprog, WEXITSTATUS(status)); +- +- return 1; +-} +- +-void plugin_init(void) +-{ +- add_options(options); +- pap_passwd_hook = promptpass; +-#ifdef USE_EAPTLS +- eaptls_passwd_hook = promptpass; +-#endif +-} +-- +2.27.0 diff --git a/ppp.spec b/ppp.spec index 13952f7..467afa3 100644 --- a/ppp.spec +++ b/ppp.spec @@ -1,6 +1,6 @@ Name: ppp Version: 2.4.8 -Release: 7 +Release: 8 Summary: The Point-to-Point Protocol License: BSD and LGPLv2+ and GPLv2+ and Public Domain @@ -62,6 +62,7 @@ Patch0030: backport-CVE-2022-4603.patch Patch0031: backport-add-fclose-operation-to-fix-file-pointer-not-closed.patch Patch0032: backport-Fixing-up-parsing-in-radiusclient.conf.patch +Patch0033: backport-CVE-2024-58250.patch %description The Point-to-Point Protocol (PPP) provides a standard way to establish @@ -158,6 +159,12 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp %{_mandir}/man8/*.8.gz %changelog +* Tue Apr 29 2025 gaihuiying - 2.4.8-8 +- Type:CVE +- CVE:CVE-2024-58250 +- SUG:NA +- DESC:fix CVE-2024-58250 + * Fri Feb 14 2025 gaihuiying - 2.4.8-7 - Type:bugfix - CVE:NA -- Gitee