2 files changed, 186 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
new file mode 100644
index 0000000000..b07d28253f
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
@@ -0,0 +1,185 @@
+From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 18 Oct 2024 20:22:57 +1100
+Subject: [PATCH] pppd: Remove passprompt plugin
+This is prompted by a number of factors:
+* It was more useful back in the dial-up days, but no-one uses dial-up
+  any more
+* In many cases there will be no terminal accessible to the prompter
+  program at the point where the prompter is run
+* The passwordfd plugin does much the same thing but does it more
+  cleanly and securely
+* The handling of privileges and file descriptors needs to be audited
+  thoroughly.
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+CVE: CVE-2024-58250
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/0a66ad22e54c72690ec2a29a019767c55c5281fc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pppd/plugins/Makefile.linux |   2 +-
+ pppd/plugins/Makefile.sol2  |   6 --
+ pppd/plugins/passprompt.c   | 119 ------------------------------------
+ 3 files changed, 1 insertion(+), 126 deletions(-)
+ delete mode 100644 pppd/plugins/passprompt.c
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
+index 6403e3d..fcc36e4 100644
+--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
+@@ -17,7 +17,7 @@ CFLAGS += -DUSE_EAPTLS=1
+ SUBDIRS := pppoe pppoatm pppol2tp
+ # Uncomment the next line to include the radius authentication plugin
+ SUBDIRS += radius
+-PLUGINS := minconn.so passprompt.so passwordfd.so winbind.so
+PLUGINS := minconn.so passwordfd.so winbind.so
+ 
+ # This setting should match the one in ../Makefile.linux
+ MPPE=y
+diff --git a/pppd/plugins/Makefile.sol2 b/pppd/plugins/Makefile.sol2
+index bc7d85d..f77ea1d 100644
+--- a/pppd/plugins/Makefile.sol2
+++ b/pppd/plugins/Makefile.sol2
+@@ -17,11 +17,5 @@ minconn.so: minconn.o
+ minconn.o: minconn.c
+        $(CC) $(CFLAGS) -c $? 
+ 
+-passprompt.so: passprompt.o
+-       ld -o $@ $(LDFLAGS) -h $@ passprompt.o
+-
+-passprompt.o: passprompt.c
+-       $(CC) $(CFLAGS) -c $?
+-
+ clean:
+        rm -f *.o *.so
+diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
+deleted file mode 100644
+index 7779d51..0000000
+--- a/pppd/plugins/passprompt.c
+++ /dev/null
+@@ -1,119 +0,0 @@
+-/*
+- * passprompt.c - pppd plugin to invoke an external PAP password prompter
+- *
+- * Copyright 1999 Paul Mackerras, Alan Curry.
+- *
+- *  This program is free software; you can redistribute it and/or
+- *  modify it under the terms of the GNU General Public License
+- *  as published by the Free Software Foundation; either version
+- *  2 of the License, or (at your option) any later version.
+- */
+-#include <errno.h>
+-#include <unistd.h>
+-#include <sys/wait.h>
+-#include <syslog.h>
+-#include "pppd.h"
+-
+-char pppd_version[] = VERSION;
+-
+-static char promptprog[PATH_MAX+1];
+-static int promptprog_refused = 0;
+-
+-static option_t options[] = {
+-    { "promptprog", o_string, promptprog,
+-      "External PAP password prompting program",
+-      OPT_STATIC, NULL, PATH_MAX },
+-    { NULL }
+-};
+-
+-static int promptpass(char *user, char *passwd)
+-{
+-    int p[2];
+-    pid_t kid;
+-    int readgood, wstat;
+-    ssize_t red;
+-
+-    if (promptprog_refused || promptprog[0] == 0 || access(promptprog, X_OK) < 0)
+-       return -1;      /* sorry, can't help */
+-
+-    if (!passwd)
+-       return 1;
+-
+-    if (pipe(p)) {
+-       warn("Can't make a pipe for %s", promptprog);
+-       return 0;
+-    }
+-    if ((kid = fork()) == (pid_t) -1) {
+-       warn("Can't fork to run %s", promptprog);
+-       close(p[0]);
+-       close(p[1]);
+-       return 0;
+-    }
+-    if (!kid) {
+-       /* we are the child, exec the program */
+-       char *argv[5], fdstr[32];
+-       sys_close();
+-       closelog();
+-       close(p[0]);
+-       seteuid(getuid());
+-       setegid(getgid());
+-       argv[0] = promptprog;
+-       argv[1] = user;
+-       argv[2] = remote_name;
+-       sprintf(fdstr, "%d", p[1]);
+-       argv[3] = fdstr;
+-       argv[4] = 0;
+-       execv(*argv, argv);
+-       _exit(127);
+-    }
+-
+-    /* we are the parent, read the password from the pipe */
+-    close(p[1]);
+-    readgood = 0;
+-    do {
+-       red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood);
+-       if (red == 0)
+-           break;
+-       if (red < 0) {
+-           if (errno == EINTR && !got_sigterm)
+-               continue;
+-           error("Can't read secret from %s: %m", promptprog);
+-           readgood = -1;
+-           break;
+-       }
+-       readgood += red;
+-    } while (readgood < MAXSECRETLEN - 1);
+-    close(p[0]);
+-
+-    /* now wait for child to exit */
+-    while (waitpid(kid, &wstat, 0) < 0) {
+-       if (errno != EINTR || got_sigterm) {
+-           warn("error waiting for %s: %m", promptprog);
+-           break;
+-       }
+-    }
+-
+-    if (readgood < 0)
+-       return 0;
+-    passwd[readgood] = 0;
+-    if (!WIFEXITED(wstat))
+-       warn("%s terminated abnormally", promptprog);
+-    if (WEXITSTATUS(wstat)) {
+-           warn("%s exited with code %d", promptprog, WEXITSTATUS(wstat));
+-           /* code when cancel was hit in the prompt prog */
+-           if (WEXITSTATUS(wstat) == 128) {
+-               promptprog_refused = 1;
+-           }
+-           return -1;
+-    }
+-    return 1;
+-}
+-
+-void plugin_init(void)
+-{
+-    add_options(options);
+-    pap_passwd_hook = promptpass;
+-#ifdef USE_EAPTLS
+-    eaptls_passwd_hook = promptpass;
+-#endif
+-}
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
index b7f71b673d..e25929febf 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
@@ -7,7 +7,6 @@ BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
 DEPENDS = "libpcap openssl virtual/crypt"
 LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD"
 LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
-                    file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
                    file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
                    file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
@@ -26,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
           file://ppp@.service \
           file://0001-ppp-fix-build-against-5.15-headers.patch \
           file://CVE-2022-4603.patch \
+           file://CVE-2024-58250.patch \
           "
 SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d"

diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch new file mode 100644 index 0000000000..b07d28253f --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
@@ -0,0 +1,185 @@
		1	From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001
		2	From: Paul Mackerras <paulus@ozlabs.org>
		3	Date: Fri, 18 Oct 2024 20:22:57 +1100
		4	Subject: [PATCH] pppd: Remove passprompt plugin
		5
		6	This is prompted by a number of factors:
		7
		8	* It was more useful back in the dial-up days, but no-one uses dial-up
		9	any more
		10
		11	* In many cases there will be no terminal accessible to the prompter
		12	program at the point where the prompter is run
		13
		14	* The passwordfd plugin does much the same thing but does it more
		15	cleanly and securely
		16
		17	* The handling of privileges and file descriptors needs to be audited
		18	thoroughly.
		19
		20	Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
		21
		22	CVE: CVE-2024-58250
		23	Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/0a66ad22e54c72690ec2a29a019767c55c5281fc]
		24	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		25	---
		26	pppd/plugins/Makefile.linux \| 2 +-
		27	pppd/plugins/Makefile.sol2 \| 6 --
		28	pppd/plugins/passprompt.c \| 119 ------------------------------------
		29	3 files changed, 1 insertion(+), 126 deletions(-)
		30	delete mode 100644 pppd/plugins/passprompt.c
		31
		32	diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
		33	index 6403e3d..fcc36e4 100644
		34	--- a/pppd/plugins/Makefile.linux
		35	+++ b/pppd/plugins/Makefile.linux
		36	@@ -17,7 +17,7 @@ CFLAGS += -DUSE_EAPTLS=1
		37	SUBDIRS := pppoe pppoatm pppol2tp
		38	# Uncomment the next line to include the radius authentication plugin
		39	SUBDIRS += radius
		40	-PLUGINS := minconn.so passprompt.so passwordfd.so winbind.so
		41	+PLUGINS := minconn.so passwordfd.so winbind.so
		42
		43	# This setting should match the one in ../Makefile.linux
		44	MPPE=y
		45	diff --git a/pppd/plugins/Makefile.sol2 b/pppd/plugins/Makefile.sol2
		46	index bc7d85d..f77ea1d 100644
		47	--- a/pppd/plugins/Makefile.sol2
		48	+++ b/pppd/plugins/Makefile.sol2
		49	@@ -17,11 +17,5 @@ minconn.so: minconn.o
		50	minconn.o: minconn.c
		51	$(CC) $(CFLAGS) -c $?
		52
		53	-passprompt.so: passprompt.o
		54	- ld -o $@ $(LDFLAGS) -h $@ passprompt.o
		55	-
		56	-passprompt.o: passprompt.c
		57	- $(CC) $(CFLAGS) -c $?
		58	-
		59	clean:
		60	rm -f .o .so
		61	diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
		62	deleted file mode 100644
		63	index 7779d51..0000000
		64	--- a/pppd/plugins/passprompt.c
		65	+++ /dev/null
		66	@@ -1,119 +0,0 @@
		67	-/*
		68	- * passprompt.c - pppd plugin to invoke an external PAP password prompter
		69	- *
		70	- * Copyright 1999 Paul Mackerras, Alan Curry.
		71	- *
		72	- * This program is free software; you can redistribute it and/or
		73	- * modify it under the terms of the GNU General Public License
		74	- * as published by the Free Software Foundation; either version
		75	- * 2 of the License, or (at your option) any later version.
		76	- */
		77	-#include <errno.h>
		78	-#include <unistd.h>
		79	-#include <sys/wait.h>
		80	-#include <syslog.h>
		81	-#include "pppd.h"
		82	-
		83	-char pppd_version[] = VERSION;
		84	-
		85	-static char promptprog[PATH_MAX+1];
		86	-static int promptprog_refused = 0;
		87	-
		88	-static option_t options[] = {
		89	- { "promptprog", o_string, promptprog,
		90	- "External PAP password prompting program",
		91	- OPT_STATIC, NULL, PATH_MAX },
		92	- { NULL }
		93	-};
		94	-
		95	-static int promptpass(char user, char passwd)
		96	-{
		97	- int p[2];
		98	- pid_t kid;
		99	- int readgood, wstat;
		100	- ssize_t red;
		101	-
		102	- if (promptprog_refused \|\| promptprog[0] == 0 \|\| access(promptprog, X_OK) < 0)
		103	- return -1; /* sorry, can't help */
		104	-
		105	- if (!passwd)
		106	- return 1;
		107	-
		108	- if (pipe(p)) {
		109	- warn("Can't make a pipe for %s", promptprog);
		110	- return 0;
		111	- }
		112	- if ((kid = fork()) == (pid_t) -1) {
		113	- warn("Can't fork to run %s", promptprog);
		114	- close(p[0]);
		115	- close(p[1]);
		116	- return 0;
		117	- }
		118	- if (!kid) {
		119	- /* we are the child, exec the program */
		120	- char *argv[5], fdstr[32];
		121	- sys_close();
		122	- closelog();
		123	- close(p[0]);
		124	- seteuid(getuid());
		125	- setegid(getgid());
		126	- argv[0] = promptprog;
		127	- argv[1] = user;
		128	- argv[2] = remote_name;
		129	- sprintf(fdstr, "%d", p[1]);
		130	- argv[3] = fdstr;
		131	- argv[4] = 0;
		132	- execv(*argv, argv);
		133	- _exit(127);
		134	- }
		135	-
		136	- /* we are the parent, read the password from the pipe */
		137	- close(p[1]);
		138	- readgood = 0;
		139	- do {
		140	- red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood);
		141	- if (red == 0)
		142	- break;
		143	- if (red < 0) {
		144	- if (errno == EINTR && !got_sigterm)
		145	- continue;
		146	- error("Can't read secret from %s: %m", promptprog);
		147	- readgood = -1;
		148	- break;
		149	- }
		150	- readgood += red;
		151	- } while (readgood < MAXSECRETLEN - 1);
		152	- close(p[0]);
		153	-
		154	- /* now wait for child to exit */
		155	- while (waitpid(kid, &wstat, 0) < 0) {
		156	- if (errno != EINTR \|\| got_sigterm) {
		157	- warn("error waiting for %s: %m", promptprog);
		158	- break;
		159	- }
		160	- }
		161	-
		162	- if (readgood < 0)
		163	- return 0;
		164	- passwd[readgood] = 0;
		165	- if (!WIFEXITED(wstat))
		166	- warn("%s terminated abnormally", promptprog);
		167	- if (WEXITSTATUS(wstat)) {
		168	- warn("%s exited with code %d", promptprog, WEXITSTATUS(wstat));
		169	- /* code when cancel was hit in the prompt prog */
		170	- if (WEXITSTATUS(wstat) == 128) {
		171	- promptprog_refused = 1;
		172	- }
		173	- return -1;
		174	- }
		175	- return 1;
		176	-}
		177	-
		178	-void plugin_init(void)
		179	-{
		180	- add_options(options);
		181	- pap_passwd_hook = promptpass;
		182	-#ifdef USE_EAPTLS
		183	- eaptls_passwd_hook = promptpass;
		184	-#endif
		185	-}


diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb index b7f71b673d..e25929febf 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
@@ -7,7 +7,6 @@ BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
7	DEPENDS = "libpcap openssl virtual/crypt"	7	DEPENDS = "libpcap openssl virtual/crypt"
8	LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD"	8	LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD"
9	LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \	9	LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
10	file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
11	file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \	10	file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
12	file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"	11	file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
13		12
@@ -26,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
26	file://ppp@.service \	25	file://ppp@.service \
27	file://0001-ppp-fix-build-against-5.15-headers.patch \	26	file://0001-ppp-fix-build-against-5.15-headers.patch \
28	file://CVE-2022-4603.patch \	27	file://CVE-2022-4603.patch \
		28	file://CVE-2024-58250.patch \
29	"	29	"
30		30
31	SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d"	31	SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d"