A CVE has been assigned for a buffer overflow which can lead to DoS in ppp: http://openwall.com/lists/oss-security/2015/04/16/7 Debian has issued an advisory for this today (April 16): https://lists.debian.org/debian-security-announce/2015/msg00116.html The DSA will be posted here: https://www.debian.org/security/2015/dsa-3228 Mageia 4 and Mageia 5 are affected. Patch checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated ppp packages fix security vulnerability: Emanuele Rocca discovered that ppp was subject to a buffer overflow when communicating with a RADIUS server. This would allow unauthenticated users to cause a denial-of-service by crashing the daemon (CVE-2015-3310). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3310 https://www.debian.org/security/2015/dsa-3228 ======================== Updated packages in core/updates_testing: ======================== ppp-2.4.5-17.2.mga4 ppp-devel-2.4.5-17.2.mga4 ppp-pppoatm-2.4.5-17.2.mga4 ppp-pppoe-2.4.5-17.2.mga4 ppp-radius-2.4.5-17.2.mga4 ppp-dhcp-2.4.5-17.2.mga4 from ppp-2.4.5-17.2.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
Last time we updated this we didn't find anyone with a modem to test it (and finding someone who could test it with a RADIUS server will probably be even more difficult). Maybe a quick rpmdiff check and verify that it upgrades cleanly should do.
In VirtualBox, M4, KDE, 32-bit Package(s) under test: ppp kppp default install of ppp & Kppp [root@localhost wilcal]# urpmi ppp Package ppp-2.4.5-17.1.mga4.i586 is already installed [root@localhost wilcal]# urpmi kppp Package kppp-4.12.5-1.mga4.i586 is already installed Installed cleanly None of the code from https://bugs.mageia.org/show_bug.cgi?id=13996#c1 seemed to work. Or I don't understand how it's supposed to work. install ppp & kppp from updates_testing [root@localhost wilcal]# urpmi ppp Package ppp-2.4.5-17.2.mga4.i586 is already installed [root@localhost wilcal]# urpmi kppp Package kppp-4.12.5-1.mga4.i586 is already installed Installed cleanly Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.26-1.mga4.x86_64 virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
(In reply to William Kenney from comment #3) > None of the code from https://bugs.mageia.org/show_bug.cgi?id=13996#c1 > seemed to work. Or I don't understand how it's supposed to work. What do you mean? What did you do and what was the result? She just ran a simple strace to verify that kppp was able to access the pppd binary. There's no reason that should give any problems assuming you have strace, kppp, and ppp installed.
In VirtualBox, M4, KDE, 64-bit Package(s) under test: ppp kppp default install of ppp & Kppp [root@localhost wilcal]# urpmi ppp Package ppp-2.4.5-17.1.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi kppp Package kppp-4.12.5-1.mga4.x86_64 is already installed Installed cleanly None of the code from https://bugs.mageia.org/show_bug.cgi?id=13996#c1 seemed to work. Or I don't understand how it's supposed to work. install ppp & kppp from updates_testing [root@localhost wilcal]# urpmi ppp Package ppp-2.4.5-17.2.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi kppp Package kppp-4.12.5-1.mga4.x86_64 is already installed Installed cleanly Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.26-1.mga4.x86_64 virtualbox-guest-additions-4.3.26-1.mga4.x86_64
> (In reply to William Kenney from comment #3) > What do you mean? What did you do and what was the result? [root@localhost wilcal]# strace -o strace.txt kppp kppp(3444)/kdeui (kdelibs): Session bus not found To circumvent this problem try the following command (with Linux and bash) export $(dbus-launch) KCrash: Application 'kppp' crashing... KCrash: Attempting to start /usr/lib64/kde4/libexec/drkonqi from kdeinit sock_file=/root/.kde4/socket-localhost/kdeinit4__0 Warning: connect() failed: : No such file or directory KCrash: Attempting to start /usr/lib64/kde4/libexec/drkonqi directly drkonqi(3447)/kdeui (kdelibs): Session bus not found To circumvent this problem try the following command (with Linux and bash) export $(dbus-launch)
So kppp is crashing for you. That's not good :o( Unless we have a user that uses pppd and is willing to help test this package, all we can realistically do is ensure that it updates OK and validate it. For kppp crashing, William, could you please file a bug for that? Thanks.
Launch it as a normal user rather than root Bill. Works fine here mga4 64 $ strace -o strace.txt kppp $ grep -v kppp strace.txt | grep ppp access("/sbin/pppd", F_OK) = 0 read(10, "pppd version 2.4.5\n", 4096) = 19 stat("/sbin/pppd", {st_mode=S_IFREG|S_ISUID|S_ISVTX|0755, st_size=357752, ...}) = 0
Whiteboard: (none) => has_procedure mga4-64-ok
Yes i was answer same thing as i tested it myself with normal user works fine here.
CC: (none) => ozkyster
(In reply to claire robinson from comment #8) > Launch it as a normal user rather than root Bill. wilcal@localhost ~]$ uname -a Linux localhost 3.14.32-desktop-1.mga4 #1 SMP Sat Feb 7 00:41:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [wilcal@localhost ~]$ strace -o strace.txt kppp strace: Can't fopen 'strace.txt': Permission denied
You've used 'su' rather than 'su -' and created a root owned file in /home/wilcal delete it as root or just use another filename to continue
In VirtualBox, M4, KDE, 64-bit Thanks claire. There we go: [wilcal@localhost ~]$ strace -o strace.txt kppp [wilcal@localhost ~]$ grep -v kppp strace.txt | grep ppp access("/sbin/pppd", F_OK) = 0 read(10, "pppd version 2.4.5\n", 4096) = 19 stat("/sbin/pppd", {st_mode=S_IFREG|S_ISUID|S_ISVTX|0755, st_size=357752, ...}) = 0
In VirtualBox, M4, KDE, 32-bit [wilcal@localhost ~]$ strace -o strace.txt kppp [wilcal@localhost ~]$ grep -v kppp strace.txt | grep ppp access("/sbin/pppd", F_OK) = 0 read(10, "pppd version 2.4.5\n", 4096) = 19 stat64("/sbin/pppd", {st_mode=S_IFREG|S_ISUID|S_ISVTX|0755, st_size=330268, ...}) = 0
For me this update updates fine. Lets get this outta here. Testing complete for mga4 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0173.html
Status: NEW => RESOLVEDResolution: (none) => FIXED