Summary: | <net-dialup/accel-ppp-1.12.0_p20200913: Buffer overflow in l2tp control packet (CVE-2020-15173) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ajak, pinkbyte |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/accel-ppp/accel-ppp/security/advisories/GHSA-rr68-fchr-69vf | ||
Whiteboard: | ?? [nogsla] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2020-09-11 02:38:31 UTC
Upstream say in the advisory: "Affected versions 1.12.0-92-g38b6104 Patched versions 1.12.0-95-g7c04c52b" But I don't see any use of patch releases there and I'm not sure these are right. Need to check the code. This doesn't look great either: https://github.com/xebd/accel-ppp/issues/131. Wondering if this is just treeclean material? (In reply to Sam James from comment #1) > > Wondering if this is just treeclean material? Not an option - unfortunately it is the only working and updating enterprise-grade solution for IPoE access for Linux. I should probably add snapshot release, covering all recent fixes - upstream somewhat lazy to make proper releases, official recommendation it to use latest version from git. commit 71fed557815206d7b1380326fdfbcc56a4105bd7 Author: Sergey Popov <pinkbyte@gentoo.org> Date: Mon Sep 14 15:19:46 2020 +0300 net-dialup/accel-ppp: version bump Add snapshot with upstream changes, fixing CVE-2020-15173 Gentoo-Bug: https://bugs.gentoo.org/741568 Package-Manager: Portage-3.0.4, Repoman-2.3.23 Signed-off-by: Sergey Popov <pinkbyte@gentoo.org> (In reply to Sergey Popov from comment #2) > (In reply to Sam James from comment #1) > > > > Wondering if this is just treeclean material? > > Not an option - unfortunately it is the only working and updating > enterprise-grade solution for IPoE access for Linux. > > I should probably add snapshot release, covering all recent fixes - upstream > somewhat lazy to make proper releases, official recommendation it to use > latest version from git. I understand, no problem, I just wanted to ask because upstream looked a bit odd! Thanks for the bump. Please cleanup when ready. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44040310ba621120a3d6eee12441f990e7ccaa1b commit 44040310ba621120a3d6eee12441f990e7ccaa1b Author: Sergey Popov <pinkbyte@gentoo.org> AuthorDate: 2020-09-21 08:31:08 +0000 Commit: Sergey Popov <pinkbyte@gentoo.org> CommitDate: 2020-09-21 08:31:34 +0000 net-dialup/accel-ppp: drop old version Bug: https://bugs.gentoo.org/741568 Package-Manager: Portage-3.0.4, Repoman-2.3.23 Signed-off-by: Sergey Popov <pinkbyte@gentoo.org> net-dialup/accel-ppp/Manifest | 1 - net-dialup/accel-ppp/accel-ppp-1.12.0-r1.ebuild | 108 -------- .../files/accel-ppp-1.12.0-kernel-5.2.patch | 282 --------------------- 3 files changed, 391 deletions(-) Unstable package so no GLSA, should be good to close now. Thanks pinkbyte. |