
Bug 741568 (CVE-2020-15173)

Summary: <net-dialup/accel-ppp-1.12.0_p20200913: Buffer overflow in l2tp control packet (CVE-2020-15173)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, pinkbyte
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/accel-ppp/accel-ppp/security/advisories/GHSA-rr68-fchr-69vf
Whiteboard: ?? [nogsla]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-11 02:38:31 UTC
Description:
"In ACCEL-PPP (an implementation of PPTP/PPPoE/L2TP/SSTP), there is a buffer overflow when receiving an l2tp control packet with an AVP which type is a string and no hidden flags, length set to less than 6. If your application is used in open networks or there are untrusted nodes in the network it is highly recommended to apply the patch. The problem was patched with commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b. As a workaround changes of commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b can be applied to older versions."
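An added example, not part of the bug report and not accel-ppp's code: a bounds-checked copy of a non-hidden string AVP, showing the length check whose absence the advisory describes. It assumes the RFC 2661 AVP header (6 bytes, with a 10-bit length field that includes the header); the function name `avp_copy_string` and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVP_HDR_LEN  6u      /* flags+length (2), vendor ID (2), attribute type (2) */
#define AVP_FLAG_H   0x4000u /* H bit: value is hidden */
#define AVP_LEN_MASK 0x03ffu /* 10-bit length, header included */

/* Hypothetical helper (not accel-ppp code): copy the value of a non-hidden
 * string AVP into out as a NUL-terminated string.
 * Returns the value length, or -1 if the AVP must be rejected. */
int avp_copy_string(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_size)
{
    if (!pkt || !out || out_size == 0 || pkt_len < AVP_HDR_LEN)
        return -1;                       /* not even a full header present */

    uint16_t word = (uint16_t)((pkt[0] << 8) | pkt[1]);
    size_t avp_len = word & AVP_LEN_MASK;

    if (word & AVP_FLAG_H)
        return -1;                       /* hidden AVPs need separate handling */
    if (avp_len < AVP_HDR_LEN)
        return -1;                       /* length < 6: avp_len - 6 would wrap */
    if (avp_len > pkt_len)
        return -1;                       /* claims more bytes than were received */

    size_t val_len = avp_len - AVP_HDR_LEN;
    if (val_len >= out_size)
        return -1;                       /* no room for value plus terminator */

    memcpy(out, pkt + AVP_HDR_LEN, val_len);
    out[val_len] = '\0';
    return (int)val_len;
}

int main(void)
{
    /* Constructed samples: Host Name AVP (type 7), M bit set. */
    const uint8_t good[]      = {0x80, 0x0a, 0, 0, 0, 7, 'l', 'n', 's', '1'};
    const uint8_t short_len[] = {0x80, 0x04, 0, 0, 0, 7, 'A', 'A'}; /* length 4 */
    char name[16];

    printf("good: %d\n", avp_copy_string(good, sizeof good, name, sizeof name));
    printf("short: %d\n", avp_copy_string(short_len, sizeof short_len, name, sizeof name));
    return 0;
}
```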
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-11 02:46:00 UTC
Upstream say in the advisory:
"Affected versions
    1.12.0-92-g38b6104 

Patched versions
    1.12.0-95-g7c04c52b"

But I don't see any use of patch releases there and I'm not sure these are right. Need to check the code.

This doesn't look great either: https://github.com/xebd/accel-ppp/issues/131.

Wondering if this is just treeclean material?
Comment 2 Sergey Popov gentoo-dev 2020-09-11 11:16:17 UTC
(In reply to Sam James from comment #1)
> 
> Wondering if this is just treeclean material?

Not an option - unfortunately it is the only working and updating enterprise-grade solution for IPoE access for Linux.

I should probably add snapshot release, covering all recent fixes - upstream somewhat lazy to make proper releases, official recommendation is to use latest version from git.
Comment 3 Sergey Popov gentoo-dev 2020-09-14 12:26:16 UTC
commit 71fed557815206d7b1380326fdfbcc56a4105bd7
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Mon Sep 14 15:19:46 2020 +0300

    net-dialup/accel-ppp: version bump

    Add snapshot with upstream changes,
    fixing CVE-2020-15173

    Gentoo-Bug: https://bugs.gentoo.org/741568
    Package-Manager: Portage-3.0.4, Repoman-2.3.23
    Signed-off-by: Sergey Popov <pinkbyte@gentoo.org>
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-14 14:35:42 UTC
(In reply to Sergey Popov from comment #2)
> (In reply to Sam James from comment #1)
> > 
> > Wondering if this is just treeclean material?
> 
> Not an option - unfortunately it is the only working and updating
> enterprise-grade solution for IPoE access for Linux.
> 
> I should probably add snapshot release, covering all recent fixes - upstream
> somewhat lazy to make proper releases, official recommendation is to use
> latest version from git.

I understand, no problem, I just wanted to ask because upstream looked a bit odd!

Thanks for the bump. Please clean up when ready.
Comment 5 Larry the Git Cow gentoo-dev 2020-09-21 08:31:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44040310ba621120a3d6eee12441f990e7ccaa1b

commit 44040310ba621120a3d6eee12441f990e7ccaa1b
Author:     Sergey Popov <pinkbyte@gentoo.org>
AuthorDate: 2020-09-21 08:31:08 +0000
Commit:     Sergey Popov <pinkbyte@gentoo.org>
CommitDate: 2020-09-21 08:31:34 +0000

    net-dialup/accel-ppp: drop old version
    
    Bug: https://bugs.gentoo.org/741568
    Package-Manager: Portage-3.0.4, Repoman-2.3.23
    Signed-off-by: Sergey Popov <pinkbyte@gentoo.org>

 net-dialup/accel-ppp/Manifest                      |   1 -
 net-dialup/accel-ppp/accel-ppp-1.12.0-r1.ebuild    | 108 --------
 .../files/accel-ppp-1.12.0-kernel-5.2.patch        | 282 ---------------------
 3 files changed, 391 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-21 21:10:13 UTC
Unstable package so no GLSA, should be good to close now. Thanks pinkbyte.