From patchwork Fri Mar 6 01:04:28 2020
X-Patchwork-Submitter: Chris Packham
X-Patchwork-Id: 1249955
From: Chris Packham
To: buildroot@buildroot.org
Cc: Chris Packham, fontaine.fabrice@gmail.com
Date: Fri, 6 Mar 2020 14:04:28 +1300
Message-Id: <20200306010428.16410-1-judge.packham@gmail.com>
Subject: [Buildroot] [PATCH] pppd: Add upstream fix for CVE-2020-8597

Apply patch from upstream and set PPPD_IGNORE_CVES appropriately.

Signed-off-by: Chris Packham
---
 package/pppd/0001-pppd-Fix-bounds-check.patch | 37 +++++++++++++++++++
 package/pppd/pppd.mk | 3 ++
 2 files changed, 40 insertions(+)
 create mode 100644 package/pppd/0001-pppd-Fix-bounds-check.patch

diff --git a/package/pppd/0001-pppd-Fix-bounds-check.patch b/package/pppd/0001-pppd-Fix-bounds-check.patch new file mode 100644 index 0000000000..5d7c51bcac --- /dev/null +++ b/package/pppd/0001-pppd-Fix-bounds-check.patch 
@@ -0,0 +1,37 @@ +From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Mon, 3 Feb 2020 15:53:28 +1100 +Subject: [PATCH] pppd: Fix bounds check in EAP code + +Given that we have just checked vallen < len, it can never be the case +that vallen >= len + sizeof(rhostname). This fixes the check so we +actually avoid overflowing the rhostname array. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Paul Mackerras +--- + pppd/eap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pppd/eap.c b/pppd/eap.c +index 94407f56..1b93db01 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1420,7 +1420,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; +@@ -1846,7 +1846,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk index 4784fe79f8..685666a200 100644 --- a/package/pppd/pppd.mk +++ b/package/pppd/pppd.mk @@ -11,6 +11,9 @@ PPPD_LICENSE_FILES = \ pppd/tdb.c pppd/plugins/pppoatm/COPYING \ pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c +# 0001-pppd-Fix-bounds-check.patch +PPPD_IGNORE_CVES += CVE-2020-8597 + PPPD_MAKE_OPTS = HAVE_INET6=y ifeq ($(BR2_TOOLCHAIN_USES_GLIBC),y) PPPD_DEPENDENCIES += openssl
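
Review bot: In the embedded eap.c change, the rewritten test `len - vallen >= sizeof (rhostname)` (both sites, at -1420 and -1846) has a `size_t` on the right, so the left-hand side is converted to an unsigned type for the comparison; with `len` an `int` per the hunk context, the test is only meaningful because of the earlier `vallen < len` check that the upstream commit message cites. That check sits outside the three lines of context shown, so confirm it is present ahead of both sites in the pppd version this package builds. Separately, the header of 0001-pppd-Fix-bounds-check.patch carries only the upstream author's Signed-off-by: add the submitter's own Signed-off-by and a reference to upstream commit 8d7970b8f3db727fe798b65f3377fe6787575426, so that the origin of the backport is recorded in the patch file itself.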
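
Review bot: In the pppd.mk hunk, `PPPD_IGNORE_CVES += CVE-2020-8597` is justified only by the one-line comment naming 0001-pppd-Fix-bounds-check.patch, so the entry and the patch file have to be removed together once the package moves to a release that already contains the fix. Suggest saying so in the comment or the commit message, for example by naming the upstream commit the patch was taken from, so that a later version bump does not leave a stale ignore entry behind.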