Debian Security Advisory

DLA-74-1 ppp -- LTS security update

Date Reported:
21 Oct 2014
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 762789.
In Mitre's CVE dictionary: CVE-2014-3158.
More information:

This updates fixes a potential integer overflow in option parsing.

A user in the group dip could provide a specially crafted configuration file of more than 2G and generate an integer overflow. This may enable an attacker to overwrite the heap and thereby corrupt security-relevant variables.

See details in the upstream commit:

For Debian 6 Squeeze, these issues have been fixed in ppp version 2.4.5-4+deb6u1