"Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system." CAN-2004-0564 ------- Additional Comments From dom 2004-10-04 00:59:59 ---- This affects all of our three distros, but not in default installs: [dom@jane dom]$ rpm -qplv /data/mirror/{fedora,redhat}/*/{os,updates}/i386/rp-pppoe*|grep ' /sbin/pppoe$' warning: /data/mirror/fedora/1/os/i386/rp-pppoe-3.5-8.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2 -rwxr-xr-x 1 root root 31008 Oct 29 2003 /sbin/pppoe warning: /data/mirror/redhat/7.2/os/i386/rp-pppoe-3.2-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e -rwxr-xr-x 1 root root 31212 Apr 14 2002 /sbin/pppoe -rwxr-xr-x 1 root root 35972 Aug 1 2002 /sbin/pppoe -rwxr-xr-x 1 root root 30944 Jan 24 2003 /sbin/pppoe ------- Additional Comments From rob.myers.edu 2004-10-07 04:56:47 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Packages to QA for FC1: the patch was taken from the debian security advisory, but without all the noise. please verify that i did not omit anything relevant. changelog: * Thu Oct 7 2004 Rob Myers <rob.myers.edu> 3.5-8.1.legacy - - add rp-pppoe-3.5-CAN-2004-0564.patch 0e9d4b67bdb0a8c27f6c232eb8e0c7111111b723 http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/rp-pppoe-3.5-8.1.legacy.src.rpm e8f104b025277ffe293237b97891401ce4347dce http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/rp-pppoe-3.5-8.1.legacy.i386.rpm 05792c1db44e3677df1b954df1d643fc12ccd897 http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/rp-pppoe-debuginfo-3.5-8.1.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBZVjjtU2XAt1OWnsRAuiDAKD2M4R37h6TpzD79688otuggCSICQCdFYDH +ZoVkubwlelFYknJxU86WG8= =6vJT -----END PGP SIGNATURE----- ------- Additional Comments From simon 2004-10-07 08:08:40 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Test Packages build for Redhat 7.3. Patch is direct from debian for the 3.3 release. sha1sum: 89e53097c40def2f4b626a5d434329c357b5ae50 *rp-pppoe-3.3-8.7.x.legacy.i386.rpm 175c79dccdc892b4ace2507c7cb470946c06abd7 *rp-pppoe-3.3-8.7.x.legacy.src.rpm Available here: ftp://potelweller.com/fedora_legacy/testing/rp-pppoe-3.3-8.7.x.legacy.i386.rpm ftp://potelweller.com/fedora_legacy/testing/rp-pppoe-3.3-8.7.x.legacy.src.rpm - - Si -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBZYXgMLOCzgCQslsRAmv+AKCZBIQwz8FSiYm9VnOBC7NKIgiIRQCeNMcx pyq+qaT5jhnjhorCIoBmGxA= =YsaS -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-10-09 04:14:56 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the fc1 packages: 0e9d4b67bdb0a8c27f6c232eb8e0c7111111b723 rp-pppoe-3.5-8.1.legacy.src.rpm - - Source matches previous release - - Patch looks good - - Spec file changes look good - - Builds and installs OK +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBZ/IWLMAs/0C4zNoRAoWCAJ4pZNka71yP/ksjelfJYshB8oszcgCfRp6Z 7cxpeNhNdldV7D0r6+20o6k= =BBU8 -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-10-09 04:15:20 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the 7.3 packages: 89e53097c40def2f4b626a5d434329c357b5ae50 rp-pppoe-3.3-8.7.x.legacy.i386.rpm - - Source matches previous release - - Spec file changes look good Patch from Debian changes _way_ too many things. I'll post some updated 7.3 packages in a few minutes. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBZ/J1LMAs/0C4zNoRAv1BAJ0caPbxLnJ/wRjTH3QL/FZhKXFrEACeJpX2 5M4ju1e0fqfywuC4GNM932o= =s/SX -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-10-09 04:20:26 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are some updated packages for 7.3 and 9 to QA: Changelog 7.3: * Sat Oct 09 2004 Marc Deslauriers <marcdeslauriers> 3.3.8-9.legacy - - added better patch for CAN-2004-0564 * Thu Oct 07 2004 Simon Weller <simon> 3.3.8-7.x.legacy - - added patch for CAN-2004-0564, setuid root file overwriting issue Changelog 9: * Sat Oct 09 2004 Marc Deslauriers <marcdeslauriers> 3.5-2.1.legacy - - add rp-pppoe-3.5-CAN-2004-0564.patch 7.3: 4a4af01349b4fc789b37c1d3064944c09b4557b1 rp-pppoe-3.3-9.legacy.i386.rpm 5a76802d06ed6b1226423de34ecc0e226c8d40a3 rp-pppoe-3.3-9.legacy.src.rpm 9: 6b4098d86ca0cbe48073de80afdab6c095a364a7 rp-pppoe-3.5-2.1.legacy.i386.rpm 522e2e16fc687afb8851a91b8951a5db12c59a6e rp-pppoe-3.5-2.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/7.3/rp-pppoe-3.3-9.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/7.3/rp-pppoe-3.3-9.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/rp-pppoe-3.5-2.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/9/rp-pppoe-3.5-2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBZ/O+LMAs/0C4zNoRAoggAKCkhiNACBpo8efZHHVyvuV2owy5CwCgphnI Edq0JHGUN1a5JkdZCWlB15k= =YNyU -----END PGP SIGNATURE----- ------- Additional Comments From josh.kayse.edu 2004-10-11 03:49:11 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the FC1 Package: 0e9d4b67bdb0a8c27f6c232eb8e0c7111111b723 rp-pppoe-3.5-8.1.legacy.src.rpm - - Spec file looks good - - source identical to previous - - patch file looks good - - builds ok - - installs ok +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBao82wnUFCSDmt7ERApIrAJ90aXsu39DsS02NPR6oy0HcIPDUNwCfT14Y 1V/U8miV7qWh+FDXbGFZKt4= =SJ2A -----END PGP SIGNATURE----- ------- Additional Comments From pekkas 2004-12-15 05:13:42 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for RHL73 and RHL9 w/ rpm-build-compare.sh: - original tarballs etc. OK - spec changes OK - patch fixes the "problem" neatly (IMHO, we shouldn't even be needing to publish this update because setuid root pppoe is stupid) +PUBLISH RHL73,RHL9 4a4af01349b4fc789b37c1d3064944c09b4557b1 rp-pppoe-3.3-9.legacy.i386.rpm 5a76802d06ed6b1226423de34ecc0e226c8d40a3 rp-pppoe-3.3-9.legacy.src.rpm 6b4098d86ca0cbe48073de80afdab6c095a364a7 rp-pppoe-3.5-2.1.legacy.i386.rpm 522e2e16fc687afb8851a91b8951a5db12c59a6e rp-pppoe-3.5-2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBwFSIGHbTkzxSL7QRAioRAJ9bSuly+xK0nzbes//GKCl3R5+pSwCfbn48 0vEAC8hVJVpeYnhts4iC8rE= =Jzuo -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2005-02-09 16:17:26 ---- Packages were pushed to updates-testing. ------- Bug moved to this database by dkl 2005-03-30 18:27 ------- This bug previously known as bug 2116 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=2116 Originally filed under the Fedora Legacy product and Package request component. Unknown priority P2. Setting to default priority "normal". Unknown platform PC. Setting to default platform "All". Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 7.3 RHL 7.3 Packages: rp-pppoe-3.3-10.legacy.i386.rpm Checksums and signatures verify okay. I installed the program without any problems. I ran some of the tools included, and got expected results. I did NOT test the exact security problem fixed in this update, no even the actual pppoe functionality since I don't use pppoe. I just tested that things appear to be okay in general (no install problems, etc). I uninstalled it without issue. Vote for release for RHL 7.3. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFDNBu14jZRbknHoPIRAj8iAKCnY04UFcO49Fg0C9ftX5u5+/tRwwCgnn5F S8+zxSeHqlGU+TwHPd2UwQw= =c/UB -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 9 RHL 9 Packages: rp-pppoe-3.5-2.2.legacy.i386.rpm Checksums and signatures verify okay. I installed the program without any problems. Rebooted machine, still no problems. Other network activity unaffacted. Did not test functionality, only installation issues. No problems or side-effects seen. Yes, this is a very trivial QA evaluation, but at least it is an evaluation. Vote for release for RHL 9. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFDNCm54jZRbknHoPIRAlywAJwIKZUCFzrfme+k38//2WwyrZ6U5ACgjyuM XDESpQ/xMFTFS4o/ElZ6zPI= =5GbR -----END PGP SIGNATURE-----
Thanks, timeout in 2 weeks.
Timeout over.
Packages were released.