From 20dcd29a7704f81c27922eb5528fdfb23a6e993d Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Tue, 19 May 2026 12:29:40 +1000 Subject: [PATCH 1/3] pppd/plugins: Add const qualifiers to eliminate warnings Signed-off-by: Paul Mackerras --- pppd/plugins/radius/radrealms.c | 2 +- pppd/plugins/winbind.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pppd/plugins/radius/radrealms.c b/pppd/plugins/radius/radrealms.c index 2702a40b..88428817 100644 --- a/pppd/plugins/radius/radrealms.c +++ b/pppd/plugins/radius/radrealms.c @@ -46,7 +46,7 @@ lookup_realm(char const *user, SERVER **authserver, SERVER **acctserver) { - char *realm; + const char *realm; FILE *fd; SERVER *accts, *auths, *s; char buffer[512], *p; diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c index 7af6ed1a..31cee8ee 100644 --- a/pppd/plugins/winbind.c +++ b/pppd/plugins/winbind.c @@ -168,7 +168,7 @@ size_t strhex_to_str(unsigned char *p, size_t len, const char *strhex) size_t num_chars = 0; unsigned char lonybble, hinybble; const char *hexchars = "0123456789ABCDEF"; - char *p1 = NULL, *p2 = NULL; + const char *p1 = NULL, *p2 = NULL; for (i = 0; i < len && strhex[i] != 0; i++) { if (strncmp(hexchars, "0x", 2) == 0) { From 69d4a849d16d5d1ea4e64d228ae75169936ff530 Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Tue, 19 May 2026 12:31:13 +1000 Subject: [PATCH 2/3] configure.ac: Print warning if CBCP is enabled Print a warning at the end of the configure script if the user selects CBCP, in order to try to work out if anyone is still using it. Signed-off-by: Paul Mackerras --- configure.ac | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configure.ac b/configure.ac index e98263d1..1d6d87f8 100644 --- a/configure.ac +++ b/configure.ac @@ -362,3 +362,6 @@ Features enabled EAP-TLS..............: ${enable_eaptls:-yes} systemd notifications: ${enable_systemd:-no} " + +AM_COND_IF([PPP_WITH_CBCP], + AC_MSG_WARN([CBCP support is likely to be removed in future])) 
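Review bot: in the pppd/plugins/winbind.c hunk of patch 1/3, the context line just below the changed declaration in strhex_to_str() reads `if (strncmp(hexchars, "0x", 2) == 0) {`, which compares the constant digit table "0123456789ABCDEF" with "0x" and so can never be true. The const qualifiers on p1 and p2 are fine by themselves, but while this function is being touched it is worth a follow-up that either tests the input string (presumably strhex at offset i) or removes the dead branch.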
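Review bot: in the configure.ac hunk of patch 2/3, the second argument to AM_COND_IF is passed unquoted; writing it as `[AC_MSG_WARN([CBCP support is likely to be removed in future])]` follows the usual m4 quoting and keeps the macro from being expanded early. The commit message also says the aim is to find out whether anyone still uses CBCP, yet the warning gives the user nobody to tell. Consider adding the request to contact the maintainer that the README text in patch 3/3 carries, and aligning "likely to be removed" with the README's "will be removed in a future version".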
From 65f19b5263eb1b272a308dba6526d2b1eeeb8df4 Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Tue, 19 May 2026 12:32:53 +1000 Subject: [PATCH 3/3] README: Update for v2.5.3 Signed-off-by: Paul Mackerras --- README | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/README b/README index 67e6abb4..d9eda6ca 100644 --- a/README +++ b/README 
@@ -67,9 +67,62 @@ use any IP address. (This only applies where the peer is authenticating itself to you, of course.) -What's new in ppp-2.5.2 +What's new in ppp-2.5.3 *********************** +* Several security improvements: + - Some options are now privileged: 'set', 'unset', + 'defaultroute', and 'defaultroute6'. If a non-root user + running a setuid-root pppd needs to use these options, + the system administrator will have to make a 'call' file + in /etc/ppp/peers containing the required option(s) for + the user's use. + + - Scripts, privileged options files and secrets files now are + subject to a path check, which checks that the file and each + directory in the real path to the file are owned by root and + not writable by non-root. + + - If pppd is installed setuid-root and run by a non-root user, + the peer will be required to authenticate itself; previously + this requirement only applied if the system had a default + IPv4 route. + +* Default route handling has changed; pppd no longer checks for + an existing default route before adding its default route. The + defaultroute and defaultroute6 options are now privileged, and + if used, the default route will always be added. The metric of + the default route can be controlled with new defaultroute-metric + and defaultroute6-metric options, which are privileged. + The replacedefaultroute and noreplacedefaultroute options + are no longer functional, and just cause an error message to + be printed. + +* There is now a dhcpv6relay plugin, which provides a DHCPv6 + relay for the local system inside pppd. + +* VRF (Virtual Routing and Forwarding) support has been added + to pppd on Linux. There is now a 'vrf' option which tells + pppd to bind the PPP interface to a specific VRF, so that + routes are installed in the VRF's routing table rather than + the main routing table. 
+ +* The pppoe (PPP over ethernet) plugin now supports maximum + packet sizes greater than 1492 bytes if configured to do so + and the server agrees. + +* CBCP (Callback control protocol) support can still be selected + at configuration time, but now a warning message will be + printed, warning that CBCP support will be removed in a + future version. If you use CBCP in pppd, let the maintainer + know. + +* Various other bug fixes and minor enhancements. + + +What was new in ppp-2.5.2 +************************* + * Some old and probably unused code has been removed, notably the pppgetpass program and the passprompt plugin, and some of the files in the sample and scripts directories.
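Review bot: in the README hunk, the path-check item under "Several security improvements" states the ownership and writability requirement for scripts, privileged options files and secrets files, but not what pppd does when a file fails the check (ignore the file, refuse to start, log a message); an administrator upgrading from 2.5.2 needs that to diagnose a connection that stops working. The default-route item has the same gap: "just cause an error message to be printed" leaves open whether pppd carries on or exits when replacedefaultroute or noreplacedefaultroute is given. Minor wording: "PPP over ethernet" should read "PPP over Ethernet", and "Callback control protocol" should be capitalised consistently with the other protocol names.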