Apply by doing:

Apply by doing:
cd /usr/src
patch -p0 < 009_ppp.patch

And then rebuild and install ppp:
cd usr.sbin/ppp
make clean
make obj
make depend
make
make install

Index: usr.sbin/ppp/ppp/command.c
===================================================================
RCS file: /cvs/src/usr.sbin/ppp/ppp/command.c,v
retrieving revision 1.91
diff -u -p -r1.91 command.c
--- usr.sbin/ppp/ppp/command.c 21 Sep 2005 16:28:47 -0000 1.91
+++ usr.sbin/ppp/ppp/command.c 7 Mar 2008 12:41:31 -0000
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $OpenBSD: command.c,v 1.91 2005/09/21 16:28:47 brad Exp $
+ * $OpenBSD: command.c,v 1.92 2008/03/02 18:46:32 miod Exp $
*/

#include <sys/param.h>
@@ -1130,7 +1130,10 @@ command_Expand_Interpret(char *buff, int
{
char buff2[LINE_LEN-offset];

- InterpretArg(buff, buff2);
+ if (InterpretArg(buff, buff2, sizeof buff2) == NULL) {
+ log_Printf(LogWARN, "Failed to expand command '%s': too long for the destination buffer\n", buff);
+ return -1;
+ }
strncpy(buff, buff2, LINE_LEN - offset - 1);
buff[LINE_LEN - offset - 1] = '\0';

Index: usr.sbin/ppp/ppp/systems.c
===================================================================
RCS file: /cvs/src/usr.sbin/ppp/ppp/systems.c,v
retrieving revision 1.18
diff -u -p -r1.18 systems.c
--- usr.sbin/ppp/ppp/systems.c 16 May 2002 01:13:39 -0000 1.18
+++ usr.sbin/ppp/ppp/systems.c 7 Mar 2008 12:41:31 -0000
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $OpenBSD: systems.c,v 1.18 2002/05/16 01:13:39 brian Exp $
+ * $OpenBSD: systems.c,v 1.20 2008/03/02 19:31:43 deraadt Exp $
*/

#include <sys/param.h>
@@ -64,9 +64,12 @@ CloseSecret(FILE *fp)
fclose(fp);
}

-/* Move string from ``from'' to ``to'', interpreting ``~'' and $.... */
+/*
+ * Move string from ``from'' to ``to'', interpreting ``~'' and $....
+ * Returns NULL if string expansion failed due to lack of buffer space.
+ */
const char *
-InterpretArg(const char *from, char *to)
+InterpretArg(const char *from, char *to, size_t tosiz)
{
char *ptr, *startto, *endto;
struct passwd *pwd;
@@ -75,12 +78,14 @@ InterpretArg(const char *from, char *to)

instring = 0;
startto = to;
- endto = to + LINE_LEN - 1;
+ endto = to + tosiz - 1;

while(issep(*from))
from++;

while (*from != '\0') {
+ if (to >= endto)
+ return NULL;
switch (*from) {
case '"':
instring = !instring;
@@ -96,6 +101,8 @@ InterpretArg(const char *from, char *to)
*to++ = '\\'; /* Pass the escapes on, maybe skipping \# */
break;
}
+ if (to >= endto)
+ return NULL;
*to++ = *from++;
break;
case '$':
@@ -106,8 +113,8 @@ InterpretArg(const char *from, char *to)
ptr = strchr(from+2, '}');
if (ptr) {
len = ptr - from - 2;
- if (endto - to < len )
- len = endto - to;
+ if (endto - to < len)
+ return NULL;
if (len) {
strncpy(to, from+2, len);
to[len] = '\0';
@@ -126,9 +133,13 @@ InterpretArg(const char *from, char *to)
*ptr++ = *from;
*ptr = '\0';
}
+ if (to >= endto)
+ return NULL;
if (*to == '\0')
*to++ = '$';
else if ((env = getenv(to)) != NULL) {
+ if (endto - to < strlen(env))
+ return NULL;
strncpy(to, env, endto - to);
*endto = '\0';
to += strlen(to);
@@ -141,19 +152,24 @@ InterpretArg(const char *from, char *to)
if (len == 0)
pwd = getpwuid(ID0realuid());
else {
+ if (endto - to < len)
+ return NULL;
strncpy(to, from, len);
to[len] = '\0';
pwd = getpwnam(to);
}
+ if (to >= endto)
+ return NULL;
if (pwd == NULL)
*to++ = '~';
else {
+ if (endto - to < strlen(pwd->pw_dir))
+ return NULL;
strncpy(to, pwd->pw_dir, endto - to);
*endto = '\0';
to += strlen(to);
from += len;
}
- endpwent();
break;

default:
@@ -178,12 +194,16 @@ InterpretArg(const char *from, char *to)
#define CTRL_INCLUDE (1)

static int
-DecodeCtrlCommand(char *line, char *arg)
+DecodeCtrlCommand(char *line, char *arg, size_t argsiz)
{
const char *end;

if (!strncasecmp(line, "include", 7) && issep(line[7])) {
- end = InterpretArg(line+8, arg);
+ end = InterpretArg(line+8, arg, argsiz);
+ if (end == NULL) {
+ log_Printf(LogWARN, "Failed to expand command '%s': too long for the destination buffer\n", line);
+ return CTRL_UNKNOWN;
+ }
if (*end && *end != '#')
log_Printf(LogWARN, "usage: !include filename\n");
else
@@ -217,7 +237,6 @@ AllowUsers(struct cmdargs const *arg)
userok = 1;
break;
}
- endpwent();

return 0;
}
@@ -352,7 +371,7 @@ ReadSystem(struct bundle *bundle, const
break;

case '!':
- switch (DecodeCtrlCommand(cp+1, arg)) {
+ switch (DecodeCtrlCommand(cp+1, arg, LINE_LEN)) {
case CTRL_INCLUDE:
log_Printf(LogCOMMAND, "%s: Including \"%s\"\n", filename, arg);
n = ReadSystem(bundle, name, arg, prompt, cx, how);
Index: usr.sbin/ppp/ppp/systems.h
===================================================================
RCS file: /cvs/src/usr.sbin/ppp/ppp/systems.h,v
retrieving revision 1.7
diff -u -p -r1.7 systems.h
--- usr.sbin/ppp/ppp/systems.h 23 Nov 2001 11:17:03 -0000 1.7
+++ usr.sbin/ppp/ppp/systems.h 7 Mar 2008 12:41:31 -0000
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $OpenBSD: systems.h,v 1.7 2001/11/23 11:17:03 brian Exp $
+ * $OpenBSD: systems.h,v 1.8 2008/03/02 18:46:33 miod Exp $
*/

struct prompt;
@@ -40,4 +40,4 @@ extern FILE *OpenSecret(const char *);
extern void CloseSecret(FILE *);
extern int AllowUsers(struct cmdargs const *);
extern int AllowModes(struct cmdargs const *);
-extern const char *InterpretArg(const char *, char *);
+extern const char *InterpretArg(const char *, char *, size_t);