Bug 152794 - privilege escalation with rp-pppoe in non-default configurations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: rp-pppoe
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.debian.org/security/2004/d...
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Blocks:
Reported: 2004-10-04 04:58 UTC by Dominic Hargreaves
Modified: 2007-03-27 04:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-11-15 00:53:55 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:27:42 UTC
"Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver
from Roaring Penguin. When the program is running setuid root (which is not the
case in a default Debian installation), an attacker could overwrite any file on
the file system."

CAN-2004-0564



------- Additional Comments From dom 2004-10-04 00:59:59 ----

This affects all of our three distros, but not in default installs:

[dom@jane dom]$ rpm -qplv /data/mirror/{fedora,redhat}/*/{os,updates}/i386/rp-pppoe*|grep ' /sbin/pppoe$'
warning: /data/mirror/fedora/1/os/i386/rp-pppoe-3.5-8.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
-rwxr-xr-x    1 root    root            31008 Oct 29  2003 /sbin/pppoe
warning: /data/mirror/redhat/7.2/os/i386/rp-pppoe-3.2-3.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
-rwxr-xr-x    1 root    root            31212 Apr 14  2002 /sbin/pppoe
-rwxr-xr-x    1 root    root            35972 Aug  1  2002 /sbin/pppoe
-rwxr-xr-x    1 root    root            30944 Jan 24  2003 /sbin/pppoe
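
The package-listing check in the comment above, generalized into a small audit script as an added example (not part of the original bug report). `classify_listing` and `check_installed` are hypothetical helper names, and the `-rwsr-xr-x` line is constructed sample input.

```shell
#!/bin/sh
# Added example: audit whether pppoe is installed setuid root, the only
# configuration the report says is affected.

# classify_listing: read `rpm -qplv` / `ls -l` style lines on stdin and print
# "SETUID-ROOT <path>" or "not-setuid-root <path>" for each regular file.
classify_listing() {
    awk '
        # Regular-file entries have a 10-character mode starting with "-";
        # this also skips rpm "warning:" noise lines.
        length($1) == 10 && substr($1, 1, 1) == "-" {
            suid = substr($1, 4, 1)   # owner-execute slot: s or S = setuid
            if ((suid == "s" || suid == "S") && $3 == "root")
                print "SETUID-ROOT", $NF
            else
                print "not-setuid-root", $NF
        }'
}

# check_installed PATH: succeed only if PATH is a regular file owned by root
# with the setuid bit (mode 4000) set on the running system.
check_installed() {
    [ -n "$(find "$1" -prune -type f -user root -perm -4000 2>/dev/null)" ]
}

# Constructed sample input: the second line matches the listing above, the
# third is a made-up entry showing what a setuid-root install looks like.
classify_listing <<'EOF'
warning: rp-pppoe-3.5-8.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
-rwxr-xr-x    1 root    root            31008 Oct 29  2003 /sbin/pppoe
-rwsr-xr-x    1 root    root            31008 Oct 29  2003 /sbin/pppoe
EOF

if check_installed /sbin/pppoe; then
    echo "/sbin/pppoe is setuid root on this host"
else
    echo "/sbin/pppoe is absent or not setuid root on this host"
fi
```

The listing parser takes the last field as the path, so it assumes package paths without embedded spaces.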




------- Additional Comments From rob.myers.edu 2004-10-07 04:56:47 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Packages to QA for FC1:
 
the patch was taken from the debian security advisory, but without
all the noise.  please verify that i did not omit anything relevant.
  
changelog:
* Thu Oct  7 2004 Rob Myers <rob.myers.edu> 3.5-8.1.legacy
- - add rp-pppoe-3.5-CAN-2004-0564.patch
 
0e9d4b67bdb0a8c27f6c232eb8e0c7111111b723 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/rp-pppoe-3.5-8.1.legacy.src.rpm
e8f104b025277ffe293237b97891401ce4347dce 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/rp-pppoe-3.5-8.1.legacy.i386.rpm
05792c1db44e3677df1b954df1d643fc12ccd897 
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/rp-pppoe-debuginfo-3.5-8.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBZVjjtU2XAt1OWnsRAuiDAKD2M4R37h6TpzD79688otuggCSICQCdFYDH
+ZoVkubwlelFYknJxU86WG8=
=6vJT
-----END PGP SIGNATURE-----




------- Additional Comments From simon 2004-10-07 08:08:40 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Test Packages build for Redhat 7.3. 
 
Patch is direct from debian for the 3.3 release. 
 
sha1sum: 
 
89e53097c40def2f4b626a5d434329c357b5ae50 *rp-pppoe-3.3-8.7.x.legacy.i386.rpm 
175c79dccdc892b4ace2507c7cb470946c06abd7 *rp-pppoe-3.3-8.7.x.legacy.src.rpm 
 
Available here: 
 
ftp://potelweller.com/fedora_legacy/testing/rp-pppoe-3.3-8.7.x.legacy.i386.rpm 
ftp://potelweller.com/fedora_legacy/testing/rp-pppoe-3.3-8.7.x.legacy.src.rpm 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBZYXgMLOCzgCQslsRAmv+AKCZBIQwz8FSiYm9VnOBC7NKIgiIRQCeNMcx 
pyq+qaT5jhnjhorCIoBmGxA= 
=YsaS 
-----END PGP SIGNATURE----- 



------- Additional Comments From marcdeslauriers 2004-10-09 04:14:56 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the fc1 packages:

0e9d4b67bdb0a8c27f6c232eb8e0c7111111b723 rp-pppoe-3.5-8.1.legacy.src.rpm

- - Source matches previous release
- - Patch looks good
- - Spec file changes look good
- - Builds and installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZ/IWLMAs/0C4zNoRAoWCAJ4pZNka71yP/ksjelfJYshB8oszcgCfRp6Z
7cxpeNhNdldV7D0r6+20o6k=
=BBU8
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-09 04:15:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the 7.3 packages:

89e53097c40def2f4b626a5d434329c357b5ae50 rp-pppoe-3.3-8.7.x.legacy.i386.rpm

- - Source matches previous release
- - Spec file changes look good

Patch from Debian changes _way_ too many things. I'll post some updated 7.3
packages in a few minutes.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZ/J1LMAs/0C4zNoRAv1BAJ0caPbxLnJ/wRjTH3QL/FZhKXFrEACeJpX2
5M4ju1e0fqfywuC4GNM932o=
=s/SX
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-09 04:20:26 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are some updated packages for 7.3 and 9 to QA:

Changelog 7.3:
* Sat Oct 09 2004 Marc Deslauriers <marcdeslauriers> 3.3.8-9.legacy
- - added better patch for CAN-2004-0564
 
* Thu Oct 07 2004 Simon Weller <simon> 3.3.8-7.x.legacy
- - added patch for CAN-2004-0564, setuid root file overwriting issue

Changelog 9:
* Sat Oct 09 2004 Marc Deslauriers <marcdeslauriers> 3.5-2.1.legacy
- - add rp-pppoe-3.5-CAN-2004-0564.patch

7.3:
4a4af01349b4fc789b37c1d3064944c09b4557b1  rp-pppoe-3.3-9.legacy.i386.rpm
5a76802d06ed6b1226423de34ecc0e226c8d40a3  rp-pppoe-3.3-9.legacy.src.rpm

9:
6b4098d86ca0cbe48073de80afdab6c095a364a7  rp-pppoe-3.5-2.1.legacy.i386.rpm
522e2e16fc687afb8851a91b8951a5db12c59a6e  rp-pppoe-3.5-2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/rp-pppoe-3.3-9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/rp-pppoe-3.3-9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/rp-pppoe-3.5-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/rp-pppoe-3.5-2.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZ/O+LMAs/0C4zNoRAoggAKCkhiNACBpo8efZHHVyvuV2owy5CwCgphnI
Edq0JHGUN1a5JkdZCWlB15k=
=YNyU
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse.edu 2004-10-11 03:49:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 Package:

0e9d4b67bdb0a8c27f6c232eb8e0c7111111b723  rp-pppoe-3.5-8.1.legacy.src.rpm

- - Spec file looks good
- - source identical to previous
- - patch file looks good
- - builds ok
- - installs ok

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBao82wnUFCSDmt7ERApIrAJ90aXsu39DsS02NPR6oy0HcIPDUNwCfT14Y
1V/U8miV7qWh+FDXbGFZKt4=
=SJ2A
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2004-12-15 05:13:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9 w/ rpm-build-compare.sh:
 - original tarballs etc. OK
 - spec changes OK
 - patch fixes the "problem" neatly (IMHO, we shouldn't even be needing to
   publish this update because setuid root pppoe is stupid)

+PUBLISH RHL73,RHL9

4a4af01349b4fc789b37c1d3064944c09b4557b1  rp-pppoe-3.3-9.legacy.i386.rpm
5a76802d06ed6b1226423de34ecc0e226c8d40a3  rp-pppoe-3.3-9.legacy.src.rpm
6b4098d86ca0cbe48073de80afdab6c095a364a7  rp-pppoe-3.5-2.1.legacy.i386.rpm
522e2e16fc687afb8851a91b8951a5db12c59a6e  rp-pppoe-3.5-2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBwFSIGHbTkzxSL7QRAioRAJ9bSuly+xK0nzbes//GKCl3R5+pSwCfbn48
0vEAC8hVJVpeYnhts4iC8rE=
=Jzuo
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-02-09 16:17:26 ----

Packages were pushed to updates-testing.



------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2116 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2116
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Eric Jon Rostetter 2005-09-23 15:14:19 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 7.3
 
RHL 7.3 Packages: rp-pppoe-3.3-10.legacy.i386.rpm
Checksums and signatures verify okay.
 
I installed the program without any problems.  I ran some of the tools
included, and got expected results.  I did NOT test the exact security
problem fixed in this update, not even the actual pppoe functionality
since I don't use pppoe.  I just tested that things appear to be okay
in general (no install problems, etc).  I uninstalled it without issue.
 
Vote for release for RHL 7.3. ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNBu14jZRbknHoPIRAj8iAKCnY04UFcO49Fg0C9ftX5u5+/tRwwCgnn5F
S8+zxSeHqlGU+TwHPd2UwQw=
=c/UB
-----END PGP SIGNATURE-----


Comment 2 Eric Jon Rostetter 2005-09-23 16:14:54 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 9
 
RHL 9 Packages: rp-pppoe-3.5-2.2.legacy.i386.rpm
Checksums and signatures verify okay.
 
I installed the program without any problems.  Rebooted machine,
still no problems.  Other network activity unaffected.  Did not
test functionality, only installation issues.  No problems or
side-effects seen.
 
Yes, this is a very trivial QA evaluation, but at least it is an
evaluation.
 
Vote for release for RHL 9. ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNCm54jZRbknHoPIRAlywAJwIKZUCFzrfme+k38//2WwyrZ6U5ACgjyuM
XDESpQ/xMFTFS4o/ElZ6zPI=
=5GbR
-----END PGP SIGNATURE-----


Comment 3 Pekka Savola 2005-09-23 19:02:25 UTC
Thanks, timeout in 2 weeks.

Comment 4 Pekka Savola 2005-10-08 05:17:24 UTC
Timeout over.

Comment 5 Marc Deslauriers 2005-11-15 00:53:55 UTC
Packages were released.

