diff --git a/srcpkgs/ppp/patches/CVE-2015-3310.patch b/srcpkgs/ppp/patches/CVE-2015-3310.patch new file mode 100644 index 00000000000..e60751a032b --- /dev/null +++ b/srcpkgs/ppp/patches/CVE-2015-3310.patch @@ -0,0 +1,18 @@ +Fix buffer overflow in rc_mksid() + +rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string. +If the process id is bigger than 65535 (FFFF), its hex representation will be +longer than 4 characters, resulting in a buffer overflow. + +The bug can be exploited to cause a remote DoS. +--- pppd/plugins/radius/util.c ++++ pppd/plugins/radius/util.c +@@ -77,7 +77,7 @@ rc_mksid (void) + static unsigned short int cnt = 0; + sprintf (buf, "%08lX%04X%02hX", + (unsigned long int) time (NULL), +- (unsigned int) getpid (), ++ (unsigned int) getpid () & 0xFFFF, + cnt & 0xFF); + cnt++; + return buf; diff --git a/srcpkgs/ppp/patches/netinet_in_h_fix.patch b/srcpkgs/ppp/patches/netinet_in_h_fix.patch new file mode 100644 index 00000000000..ac69c98caaf --- /dev/null +++ b/srcpkgs/ppp/patches/netinet_in_h_fix.patch @@ -0,0 +1,38 @@ +From 50a2997b256e0e0ef7a46fae133f56f60fce539c Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 9 Jan 2017 13:34:23 +0000 +Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h + +This fixes builds with newer kernels. Basically, needs to be +included before otherwise the earlier, unaware of the latter, +tries to redefine symbols and structures. Also, doesn't work +alone anymore, since it pulls the headers in the wrong order, so we better +include early. +--- + pppd/plugins/rp-pppoe/pppoe.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h +index 9ab2eee3..c4aaa6e6 100644 +--- pppd/plugins/rp-pppoe/pppoe.h ++++ pppd/plugins/rp-pppoe/pppoe.h +@@ -47,6 +47,10 @@ + #include + #endif + ++/* This has to be included before Linux 4.8's linux/in.h ++ * gets dragged in. */ ++#include ++ + /* Ugly header files on some Linux boxes... */ + #if defined(HAVE_LINUX_IF_H) + #include +@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t; + #include + #endif + +-#include +- + + /* Ethernet frame types according to RFC 2516 */ + #define ETH_PPPOE_DISCOVERY 0x8863 diff --git a/srcpkgs/ppp/patches/openssl_DES.patch b/srcpkgs/ppp/patches/openssl_DES.patch new file mode 100644 index 00000000000..c631039446e --- /dev/null +++ b/srcpkgs/ppp/patches/openssl_DES.patch @@ -0,0 +1,110 @@ +From 3c7b86229f7bd2600d74db14b1fe5b3896be3875 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= +Date: Fri, 6 Apr 2018 14:27:18 +0200 +Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped +libcrypt. The libxcrypt standalone package can be used instead, but +it dropped the old setkey/encrypt API which ppp uses for DES. There +is support for using openssl in pppcrypt.c, but it contains typos +preventing it from compiling and seems to be written for an ancient +openssl version. + +This updates the code to use current openssl. + +[paulus@ozlabs.org - wrote the commit description, fixed comment in + Makefile.linux.] + +Signed-off-by: Jaroslav Škarvada +Signed-off-by: Paul Mackerras +--- + pppd/Makefile.linux | 7 ++++--- + pppd/pppcrypt.c | 18 +++++++++--------- + 2 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 36d2b036..8d5ce99d 100644 +--- pppd/Makefile.linux ++++ pppd/Makefile.linux +@@ -35,10 +35,10 @@ endif + COPTS = -O2 -pipe -Wall -g + LIBS = + +-# Uncomment the next 2 lines to include support for Microsoft's ++# Uncomment the next line to include support for Microsoft's + # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. + CHAPMS=y +-USE_CRYPT=y ++#USE_CRYPT=y + # Don't use MSLANMAN unless you really know what you're doing. + #MSLANMAN=y + # Uncomment the next line to include support for MPPE. CHAPMS (above) must +@@ -137,7 +137,8 @@ endif + + ifdef NEEDDES + ifndef USE_CRYPT +-LIBS += -ldes $(LIBS) ++#CFLAGS += -I/usr/include/openssl ++LIBS += -lcrypto + else + CFLAGS += -DUSE_CRYPT=1 + endif +diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c +index 8b85b132..6b35375e 100644 +--- pppd/pppcrypt.c ++++ pppd/pppcrypt.c +@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */ + des_key[7] = Get7Bits(key, 49); + + #ifndef USE_CRYPT +- des_set_odd_parity((des_cblock *)des_key); ++ DES_set_odd_parity((DES_cblock *)des_key); + #endif + } + +@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ + } + + #else /* USE_CRYPT */ +-static des_key_schedule key_schedule; ++static DES_key_schedule key_schedule; + + bool + DesSetkey(key) + u_char *key; + { +- des_cblock des_key; ++ DES_cblock des_key; + MakeKey(key, des_key); +- des_set_key(&des_key, key_schedule); ++ DES_set_key(&des_key, &key_schedule); + return (1); + } + + bool +-DesEncrypt(clear, key, cipher) ++DesEncrypt(clear, cipher) + u_char *clear; /* IN 8 octets */ + u_char *cipher; /* OUT 8 octets */ + { +- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, +- key_schedule, 1); ++ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, ++ &key_schedule, 1); + return (1); + } + +@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) + u_char *cipher; /* IN 8 octets */ + u_char *clear; /* OUT 8 octets */ + { +- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear, +- key_schedule, 0); ++ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, ++ &key_schedule, 0); + return (1); + } + diff --git a/srcpkgs/ppp/patches/openssl_include.patch b/srcpkgs/ppp/patches/openssl_include.patch new file mode 100644 index 00000000000..11284e42ecf --- /dev/null +++ b/srcpkgs/ppp/patches/openssl_include.patch @@ -0,0 +1,11 @@ +--- pppd/pppcrypt.h.orig ++++ pppd/pppcrypt.h +@@ -38,7 +38,7 @@ + #endif + + #ifndef USE_CRYPT +-#include ++#include + #endif + + extern bool DesSetkey __P((u_char *)); diff --git a/srcpkgs/ppp/template b/srcpkgs/ppp/template index 83941e73d58..8ecab946bc4 100644 --- a/srcpkgs/ppp/template +++ b/srcpkgs/ppp/template @@ -2,28 +2,27 @@ pkgname=ppp version=2.4.7 revision=8 -makedepends="libpcap-devel" +makedepends="libpcap-devel libressl-devel" short_desc="PPP (Point-to-Point Protocol) daemon" homepage="https://ppp.samba.org/" license="BSD-3-Clause, LGPL-2.0-or-later, GPL-2.0-or-later, Public Domain" maintainer="Juan RP " distfiles="https://ftp.samba.org/pub/ppp/ppp-$version.tar.gz" checksum=02e0a3dd3e4799e33103f70ec7df75348c8540966ee7c948e4ed8a42bbccfb30 -make_dirs="/etc/ppp/ipv6-down.d 0755 root root +make_dirs=" + /etc/ppp/ipv6-down.d 0755 root root /etc/ppp/peers 0755 root root" conf_files=" - /etc/ppp/ip-up - /etc/ppp/ip-down - /etc/ppp/ipv6-up - /etc/ppp/ipv6-down - /etc/ppp/options - /etc/ppp/chap-secrets - /etc/ppp/pap-secrets" + /etc/ppp/ip-up + /etc/ppp/ip-down + /etc/ppp/ipv6-up + /etc/ppp/ipv6-down + /etc/ppp/options + /etc/ppp/chap-secrets + /etc/ppp/pap-secrets" CFLAGS="-D_GNU_SOURCE" -broken="/builddir/ppp-2.4.7/pppd/pppcrypt.c:153: undefined reference to encrypt" - do_configure() { # Custom CFLAGS. find -name "Makefile.linux" -exec sed -i "{}" \