Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-74-1 ppp

Debian Security Advisory

DLA-74-1 ppp -- LTS security update

Date Reported:

21 Oct 2014

Affected Packages:

ppp

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 762789.
In Mitre's CVE dictionary: CVE-2014-3158.

More information:

This updates fixes a potential integer overflow in option parsing.

A user in the group dip could provide a specially crafted configuration file of more than 2G and generate an integer overflow. This may enable an attacker to overwrite the heap and thereby corrupt security-relevant variables.

See details in the upstream commit: https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb

For Debian 6 Squeeze, these issues have been fixed in ppp version 2.4.5-4+deb6u1