etc/ppp/chap-secrets
etc/ppp/demonloginscript
etc/ppp/dialer
-#etc/ppp/eaptls-client
-#etc/ppp/eaptls-server
etc/ppp/ioptions
etc/ppp/ip-down
etc/ppp/ip-up
#usr/include/pppd/ccp.h
#usr/include/pppd/chap-new.h
#usr/include/pppd/chap_ms.h
-#usr/include/pppd/eap-tls.h
#usr/include/pppd/eap.h
#usr/include/pppd/ecp.h
#usr/include/pppd/eui64.h
#usr/include/pppd/magic.h
#usr/include/pppd/md4.h
#usr/include/pppd/md5.h
-#usr/include/pppd/mppe.h
#usr/include/pppd/patchlevel.h
#usr/include/pppd/pathnames.h
#usr/include/pppd/pppcrypt.h
#usr/include/pppd/tdb.h
#usr/include/pppd/upap.h
usr/lib/pppd
-usr/lib/pppd/2.4.9
-usr/lib/pppd/2.4.9/minconn.so
-usr/lib/pppd/2.4.9/openl2tp.so
-usr/lib/pppd/2.4.9/passprompt.so
-usr/lib/pppd/2.4.9/passwordfd.so
-usr/lib/pppd/2.4.9/pppoatm.so
-usr/lib/pppd/2.4.9/pppoe.so
-usr/lib/pppd/2.4.9/pppol2tp.so
-usr/lib/pppd/2.4.9/radattr.so
-usr/lib/pppd/2.4.9/radius.so
-usr/lib/pppd/2.4.9/radrealms.so
-usr/lib/pppd/2.4.9/rp-pppoe.so
-usr/lib/pppd/2.4.9/winbind.so
+usr/lib/pppd/2.4.8
+#usr/lib/pppd/2.4.8/minconn.so
+#usr/lib/pppd/2.4.8/openl2tp.so
+#usr/lib/pppd/2.4.8/passprompt.so
+#usr/lib/pppd/2.4.8/passwordfd.so
+#usr/lib/pppd/2.4.8/pppoatm.so
+#usr/lib/pppd/2.4.8/pppol2tp.so
+#usr/lib/pppd/2.4.8/radattr.so
+#usr/lib/pppd/2.4.8/radius.so
+#usr/lib/pppd/2.4.8/radrealms.so
+#usr/lib/pppd/2.4.8/rp-pppoe.so
+#usr/lib/pppd/2.4.8/winbind.so
usr/sbin/chat
usr/sbin/pppd
usr/sbin/pppdump
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 2.4.9
+VER = 2.4.8
THISAPP = ppp-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
-DIR_APP = $(DIR_SRC)/$(THISAPP)
+DIR_APP = $(DIR_SRC)/ppp-$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
CFLAGS += -fno-strict-aliasing
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f605d021b586fc26e35c6a54fd84b65f
+$(DL_FILE)_MD5 = fa325e90e43975a1bd7e1012c8676123
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
- cd $(DIR_APP) && ./configure --prefix=/usr --cc="gcc" --cflags="$(CFLAGS)" --disable-nls
- cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls
+ cd $(DIR_APP) && make $(MAKETUNING) CC="gcc" RPM_OPT_FLAGS="$(CFLAGS)"
cd $(DIR_APP) && make install
cd $(DIR_APP) && make install-etcppp
touch /var/log/connect-errors
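Review bot: The recipe line that applies `ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch` has nothing marking it as a security backport, and with `VER = 2.4.8` it is the only step here that supplies the EAP `rhostname` bounds fix. A comment directly above it would keep it from being dropped in a later patch clean-up, for example `# Security backport (upstream commit 8d7970b8f3db): EAP rhostname bounds check; keep until VER contains it`. Whether 2.4.9 carried other fixes that this downgrade loses is not visible on this page and should be checked against the upstream changelog. The `install` recipe continues outside the hunk.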
--- /dev/null
+From d729b06f0ac7a5ebd3648ef60bef0499b59bf82d Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Fri, 4 Apr 2014 11:29:39 +0200
+Subject: [PATCH 03/25] build-sys: utilize compiler flags handed to us by
+ rpmbuild
+
+---
+ chat/Makefile.linux | 2 +-
+ pppd/Makefile.linux | 3 +--
+ pppd/plugins/Makefile.linux | 2 +-
+ pppd/plugins/pppoatm/Makefile.linux | 2 +-
+ pppd/plugins/radius/Makefile.linux | 2 +-
+ pppd/plugins/rp-pppoe/Makefile.linux | 2 +-
+ pppdump/Makefile.linux | 2 +-
+ pppstats/Makefile.linux | 2 +-
+ 8 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/chat/Makefile.linux b/chat/Makefile.linux
+index 1065ac5..848cd8d 100644
+--- a/chat/Makefile.linux
++++ b/chat/Makefile.linux
+@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep function
+ CDEF4= -DFNDELAY=O_NDELAY # Old name value
+ CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
+
+-COPTS= -O2 -g -pipe
++COPTS= $(RPM_OPT_FLAGS)
+ CFLAGS= $(COPTS) $(CDEFS)
+
+ INSTALL= install
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 5a44d30..63872eb 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -32,8 +32,7 @@ endif
+
+ CC = gcc
+ #
+-COPTS = -O2 -pipe -Wall -g
+-LIBS =
++COPTS = -Wall $(RPM_OPT_FLAGS)
+
+ # Uncomment the next 2 lines to include support for Microsoft's
+ # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
+index 0a7ec7b..e09a369 100644
+--- a/pppd/plugins/Makefile.linux
++++ b/pppd/plugins/Makefile.linux
+@@ -1,5 +1,5 @@
+ #CC = gcc
+-COPTS = -O2 -g
++COPTS = $(RPM_OPT_FLAGS)
+ CFLAGS = $(COPTS) -I.. -I../../include -fPIC
+ LDFLAGS = -shared
+ INSTALL = install
+diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
+index 20f62e6..5a81447 100644
+--- a/pppd/plugins/pppoatm/Makefile.linux
++++ b/pppd/plugins/pppoatm/Makefile.linux
+@@ -1,5 +1,5 @@
+ #CC = gcc
+-COPTS = -O2 -g
++COPTS = $(RPM_OPT_FLAGS)
+ CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC
+ LDFLAGS = -shared
+ INSTALL = install
+diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
+index 24ed3e5..45b3b8d 100644
+--- a/pppd/plugins/radius/Makefile.linux
++++ b/pppd/plugins/radius/Makefile.linux
+@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h)
+ INSTALL = install
+
+ PLUGIN=radius.so radattr.so radrealms.so
+-CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
++CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -DRC_LOG_FACILITY=LOG_DAEMON
+
+ # Uncomment the next line to include support for Microsoft's
+ # MS-CHAP authentication protocol.
+diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
+index 5d7a271..352991a 100644
+--- a/pppd/plugins/rp-pppoe/Makefile.linux
++++ b/pppd/plugins/rp-pppoe/Makefile.linux
+@@ -25,7 +25,7 @@ INSTALL = install
+ # Version is set ONLY IN THE MAKEFILE! Don't delete this!
+ RP_VERSION=3.8p
+
+-COPTS=-O2 -g
++COPTS=$(RPM_OPT_FLAGS)
+ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
+ all: rp-pppoe.so pppoe-discovery
+
+diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
+index ac028f6..d0a5032 100644
+--- a/pppdump/Makefile.linux
++++ b/pppdump/Makefile.linux
+@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+ BINDIR = $(DESTDIR)/sbin
+ MANDIR = $(DESTDIR)/share/man/man8
+
+-CFLAGS= -O -I../include/net
++CFLAGS= $(RPM_OPT_FLAGS) -I../include/net
+ OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
+
+ INSTALL= install
+diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
+index cca6f0f..42aba73 100644
+--- a/pppstats/Makefile.linux
++++ b/pppstats/Makefile.linux
+@@ -10,7 +10,7 @@ PPPSTATSRCS = pppstats.c
+ PPPSTATOBJS = pppstats.o
+
+ #CC = gcc
+-COPTS = -O
++COPTS = $(RPM_OPT_FLAGS)
+ COMPILE_FLAGS = -I../include
+ LIBS =
+
+--
+1.8.3.1
+
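Review bot: In the `pppd/plugins/radius/Makefile.linux` hunk, replacing `-O2 -fPIC` with `$(RPM_OPT_FLAGS)` also drops `-fPIC`, so `radius.so`, `radattr.so` and `radrealms.so` are built position-independent only if the caller's flags happen to contain it. The `pppd/plugins` and `pppoatm` makefiles keep `-fPIC` after `$(COPTS)`. Keeping it explicit would remove that dependency: `CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -fPIC -DRC_LOG_FACILITY=LOG_DAEMON`. Separately, every `COPTS` touched here expands to nothing when `RPM_OPT_FLAGS` is not passed, which would presumably leave a network-facing daemon built without optimisation or any hardening flags. The build recipe on this page passes it to `make $(MAKETUNING)` but not to the later `make install` calls, so it is worth confirming nothing is compiled at install time.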
free(path);
errno = err;
diff --git a/pppd/main.c b/pppd/main.c
-index 87a5d29..152e4a2 100644
+index 6d50d1b..4880377 100644
--- a/pppd/main.c
+++ b/pppd/main.c
-@@ -400,7 +400,7 @@ main(int argc, char *argv[])
+@@ -420,7 +420,7 @@ main(argc, argv)
die(0);
/* Make sure fds 0, 1, 2 are open to somewhere. */
if (fd_devnull < 0)
fatal("Couldn't open %s: %m", _PATH_DEVNULL);
while (fd_devnull <= 2) {
-@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int dont_wait)
+@@ -1679,7 +1679,7 @@ device_script(program, in, out, dont_wait)
if (log_to_fd >= 0)
errfd = log_to_fd;
else
-- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
-+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644);
+- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600);
++ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
++conn_running;
pid = safe_fork(in, out, errfd);
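Review bot: The `0600` mode on the `open(_PATH_CONNERRS, ...)` call only applies when pppd itself creates the file. The build recipe on this page pre-creates it with `touch /var/log/connect-errors`, so the shipped file gets whatever the build umask allows (presumably 0644). If connect-script error output is meant to be readable by root only, the recipe should set the mode explicitly, e.g. `touch /var/log/connect-errors && chmod 0600 /var/log/connect-errors`. This assumes `_PATH_CONNERRS` is the path rewritten by the `sed` on `pppd/pathnames.h`, which the page does not show. `device_script` starts and ends outside the hunk.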
pppd/plugins/pppoatm/pppoatm.c | 2 +-
pppd/plugins/pppol2tp/openl2tp.c | 2 +-
pppd/plugins/pppol2tp/pppol2tp.c | 2 +-
- pppd/plugins/pppoe/if.c | 2 +-
- pppd/plugins/pppoe/plugin.c | 6 +++---
- pppd/plugins/pppoe/pppoe-discovery.c | 2 +-
+ pppd/plugins/rp-pppoe/if.c | 2 +-
+ pppd/plugins/rp-pppoe/plugin.c | 6 +++---
+ pppd/plugins/rp-pppoe/pppoe-discovery.c | 2 +-
pppd/sys-linux.c | 10 +++++-----
pppd/tty.c | 2 +-
8 files changed, 14 insertions(+), 14 deletions(-)
if (fd >= 0) {
memset (&ifr, '\0', sizeof (ifr));
strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
-diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c
+diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c
index 91e9a57..72aba41 100644
---- a/pppd/plugins/pppoe/if.c
-+++ b/pppd/plugins/pppoe/if.c
+--- a/pppd/plugins/rp-pppoe/if.c
++++ b/pppd/plugins/rp-pppoe/if.c
@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
stype = SOCK_PACKET;
#endif
/* Give a more helpful message for the common error case */
if (errno == EPERM) {
fatal("Cannot create raw socket -- pppoe must be run as root.");
-diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
+diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
index a8c2bb4..24bdf8f 100644
---- a/pppd/plugins/pppoe/plugin.c
-+++ b/pppd/plugins/pppoe/plugin.c
+--- a/pppd/plugins/rp-pppoe/plugin.c
++++ b/pppd/plugins/rp-pppoe/plugin.c
@@ -137,7 +137,7 @@ PPPOEConnectDevice(void)
/* server equipment). */
/* Opening this socket just before waitForPADS in the discovery() */
r = 0;
}
-diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c
+diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
index 3d3bf4e..c0d927d 100644
---- a/pppd/plugins/pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/pppoe/pppoe-discovery.c
+--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
++++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
stype = SOCK_PACKET;
#endif
if (s < 0)
return 0;
+@@ -2860,7 +2860,7 @@ ether_to_eui64(eui64_t *p_eui64)
+ int skfd;
+ const unsigned char *ptr;
+
+- skfd = socket(PF_INET6, SOCK_DGRAM, 0);
++ skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ if(skfd == -1)
+ {
+ warn("could not open IPv6 socket");
diff --git a/pppd/tty.c b/pppd/tty.c
index bc96695..8e76a5d 100644
--- a/pppd/tty.c
-diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h
+diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
index 9ab2eee..86762bd 100644
---- a/pppd/plugins/pppoe/pppoe.h
-+++ b/pppd/plugins/pppoe/pppoe.h
+--- a/pppd/plugins/rp-pppoe/pppoe.h
++++ b/pppd/plugins/rp-pppoe/pppoe.h
@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session;
#define STATE_TERMINATED 4
-diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugins/pppoe/plugin.c
---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0100
+diff -Naur ppp-2.4.7.org/pppd/plugins/rp-pppoe/plugin.c ppp-2.4.7/pppd/plugins/rp-pppoe/plugin.c
+--- ppp-2.4.7.org/pppd/plugins/rp-pppoe/plugin.c 2014-08-09 14:31:39.000000000 +0200
++++ ppp-2.4.7/pppd/plugins/rp-pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0100
@@ -49,6 +49,8 @@
#include <net/ethernet.h>
#include <net/if_arp.h>
--- /dev/null
+commit 8d7970b8f3db727fe798b65f3377fe6787575426
+Author: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon Feb 3 15:53:28 2020 +1100
+
+ pppd: Fix bounds check in EAP code
+
+ Given that we have just checked vallen < len, it can never be the case
+ that vallen >= len + sizeof(rhostname). This fixes the check so we
+ actually avoid overflowing the rhostname array.
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
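Review bot: The corrected test `len - vallen >= sizeof (rhostname)` compares a signed difference (assuming `vallen` is an `int` like `len`) against a `size_t`, so it is only correct while `vallen` can never exceed `len`. A negative difference would convert to a large unsigned value and take the trimming branch, with `inp + vallen` already past the received data. The commit message says that relation was checked just before, but the check is outside the hunk, so a comment above the test would make the dependency visible, e.g. `/* vallen <= len is enforced above, so len - vallen cannot be negative */`. The same applies to the identical change in the second hunk at `@@ -1846,7 +1846,7 @@`. The enclosing functions start and end outside both hunks.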
+@@ -1846,7 +1846,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+++ /dev/null
---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200
-+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200
-@@ -121,9 +121,9 @@
- rm -f $2
- if [ -f $1 ]; then
- echo " $2 <= $1"
-- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
-- -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
-- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
-+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \
-+ -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \
-+ -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2
- fi
- }
-