diff --git a/backport-CVE-2024-58250.patch b/backport-CVE-2024-58250.patch new file mode 100644 index 0000000000000000000000000000000000000000..6c9ae849310d6637d334436015d6d6764f541f3e --- /dev/null +++ b/backport-CVE-2024-58250.patch @@ -0,0 +1,190 @@ +From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Fri, 18 Oct 2024 20:22:57 +1100 +Subject: [PATCH] pppd: Remove passprompt plugin + +This is prompted by a number of factors: + +* It was more useful back in the dial-up days, but no-one uses dial-up + any more + +* In many cases there will be no terminal accessible to the prompter + program at the point where the prompter is run + +* The passwordfd plugin does much the same thing but does it more + cleanly and securely + +* The handling of privileges and file descriptors needs to be audited + thoroughly. + +Signed-off-by: Paul Mackerras +--- + pppd/plugins/Makefile.am | 6 +- + pppd/plugins/passprompt.c | 137 -------------------------------------- + 2 files changed, 1 insertion(+), 142 deletions(-) + delete mode 100644 pppd/plugins/passprompt.c + +diff --git a/pppd/plugins/Makefile.am b/pppd/plugins/Makefile.am +index 2826148c7..9480d51b4 100644 +--- a/pppd/plugins/Makefile.am ++++ b/pppd/plugins/Makefile.am +@@ -1,4 +1,4 @@ +-pppd_plugin_LTLIBRARIES = minconn.la passprompt.la passwordfd.la winbind.la ++pppd_plugin_LTLIBRARIES = minconn.la passwordfd.la winbind.la + pppd_plugindir = $(PPPD_PLUGIN_DIR) + + PLUGIN_CPPFLAGS = -I${top_srcdir} +@@ -8,10 +8,6 @@ minconn_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) + minconn_la_LDFLAGS = $(PLUGIN_LDFLAGS) + minconn_la_SOURCES = minconn.c + +-passprompt_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) +-passprompt_la_LDFLAGS = $(PLUGIN_LDFLAGS) +-passprompt_la_SOURCES = passprompt.c +- + passwordfd_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) + passwordfd_la_LDFLAGS = $(PLUGIN_LDFLAGS) + passwordfd_la_SOURCES = passwordfd.c +diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c +deleted file mode 100644 +index 7779d511d..000000000 +--- a/pppd/plugins/passprompt.c ++++ /dev/null +@@ -1,137 +0,0 @@ +-/* +- * passprompt.c - pppd plugin to invoke an external PAP password prompter +- * +- * Copyright 1999 Paul Mackerras, Alan Curry. +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- */ +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include +-#include +-#include +-#include +- +-char pppd_version[] = PPPD_VERSION; +- +-static char promptprog[PATH_MAX+1]; +-static int promptprog_refused = 0; +- +-static struct option options[] = { +- { "promptprog", o_string, promptprog, +- "External PAP password prompting program", +- OPT_STATIC, NULL, PATH_MAX }, +- { NULL } +-}; +- +-static int promptpass(char *user, char *passwd) +-{ +- int p[2]; +- pid_t kid; +- int readgood, wstat, ret; +- ssize_t red; +- +- if (promptprog_refused || promptprog[0] == 0 || access(promptprog, X_OK) < 0) +- return -1; /* sorry, can't help */ +- +- if (!passwd) +- return 1; +- +- if (pipe(p)) { +- warn("Can't make a pipe for %s", promptprog); +- return 0; +- } +- if ((kid = fork()) == (pid_t) -1) { +- warn("Can't fork to run %s", promptprog); +- close(p[0]); +- close(p[1]); +- return 0; +- } +- if (!kid) { +- /* we are the child, exec the program */ +- char *argv[5], fdstr[32]; +- ppp_sys_close(); +- closelog(); +- close(p[0]); +- ret = seteuid(getuid()); +- if (ret != 0) { +- warn("Couldn't set effective user id"); +- } +- ret = setegid(getgid()); +- if (ret != 0) { +- warn("Couldn't set effective user id"); +- } +- sprintf(fdstr, "%d", p[1]); +- argv[0] = promptprog; +- argv[1] = strdup(user); +- argv[2] = strdup(ppp_remote_name()); +- argv[3] = fdstr; +- argv[4] = 0; +- execv(*argv, argv); +- _exit(127); +- } +- +- /* we are the parent, read the password from the pipe */ +- close(p[1]); +- readgood = 0; +- do { +- red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood); +- if (red == 0) +- break; +- if (red < 0) { +- if (errno == EINTR && !ppp_signaled(SIGTERM)) +- continue; +- error("Can't read secret from %s: %m", promptprog); +- readgood = -1; +- break; +- } +- readgood += red; +- } while (readgood < MAXSECRETLEN - 1); +- close(p[0]); +- +- /* now wait for child to exit */ +- while (waitpid(kid, &wstat, 0) < 0) { +- if (errno != EINTR || ppp_signaled(SIGTERM)) { +- warn("error waiting for %s: %m", promptprog); +- break; +- } +- } +- +- if (readgood < 0) +- return 0; +- passwd[readgood] = 0; +- if (!WIFEXITED(wstat)) +- warn("%s terminated abnormally", promptprog); +- if (WEXITSTATUS(wstat)) { +- warn("%s exited with code %d", promptprog, WEXITSTATUS(wstat)); +- /* code when cancel was hit in the prompt prog */ +- if (WEXITSTATUS(wstat) == 128) { +- promptprog_refused = 1; +- } +- return -1; +- } +- return 1; +-} +- +-void plugin_init(void) +-{ +- ppp_add_options(options); +- pap_passwd_hook = promptpass; +-#ifdef PPP_WITH_EAPTLS +- eaptls_passwd_hook = promptpass; +-#endif +-} diff --git a/ppp.spec b/ppp.spec index f62281f17d2e55328c1a29cab95e5684933fdf90..a4a63db5cb751398ca12956fb653df8c483c3343 100644 --- a/ppp.spec +++ b/ppp.spec @@ -1,6 +1,6 @@ Name: ppp Version: 2.5.0 -Release: 4 +Release: 5 Summary: The Point-to-Point Protocol License: BSD and LGPLv2+ and GPLv2+ and Public Domain @@ -38,6 +38,7 @@ Patch0009: refuse-pap-by-default-for-security.patch Patch0010: backport-Fixing-up-parsing-in-radiusclient.conf.patch Patch0011: backport-Add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch +Patch0012: backport-CVE-2024-58250.patch %description The Point-to-Point Protocol (PPP) provides a standard way to establish @@ -141,6 +142,12 @@ mkdir -p %{buildroot}%{_rundir}/pppd/lock %{_mandir}/man8/*.8.gz %changelog +* Tue Apr 29 2025 gaihuiying - 2.5.0-5 +- Type:CVE +- CVE:CVE-2024-58250 +- SUG:NA +- DESC:fix CVE-2024-58250 + * Fri Feb 14 2025 gaihuiying - 2.5.0-4 - Type:bugfix - CVE:NA