Bug 563220 (CVE-2015-8011, CVE-2015-8012) - <net-misc/lldpd-0.9.1: lldpd crash in lldp_decode due large management address
Summary: <net-misc/lldpd-0.9.1: lldpd crash in lldp_decode due large management address
Status: RESOLVED FIXED
Alias: CVE-2015-8011, CVE-2015-8012
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-16 10:45 UTC by Agostino Sarubbo
Modified: 2021-01-13 19:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-10-16 10:45:11 UTC
From ${URL} :

Upstream commit:

<https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2>

If compiled with effective source fortification, the vulnerability is
just a crash and not exploitable for anything else, as a result of the
compiler-emitted length check for memcpy inside the PEEK_BYTES macro.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
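As an added illustration, not lldpd's code and not part of the bug report, here is a decoder for the management address field that checks the advertised length against both the remaining frame and the destination buffer before the memcpy, so an oversized or truncated advertisement is rejected instead of relying on source fortification to abort the daemon. The TLV layout is simplified, and MGMT_ADDR_MAX, struct mgmt_addr and the demo_* helpers are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed, simplified layout of the 802.1AB Management Address TLV value:
 *   [addr_str_len][addr_subtype][address: addr_str_len-1 bytes] ...
 * MGMT_ADDR_MAX is an illustrative buffer size, not an lldpd constant. */
#define MGMT_ADDR_MAX 31

struct mgmt_addr {
    uint8_t subtype;
    uint8_t len;                 /* bytes used in addr[] */
    uint8_t addr[MGMT_ADDR_MAX];
};

/* Returns bytes consumed, or 0 when the frame is truncated or the advertised
 * length does not fit addr[]. Both checks run before memcpy, so rejection
 * does not depend on _FORTIFY_SOURCE turning an overflow into an abort. */
size_t parse_mgmt_addr(const uint8_t *buf, size_t buflen, struct mgmt_addr *out)
{
    if (buflen < 2) return 0;
    size_t addr_str_len = buf[0];            /* subtype byte + address bytes */
    if (addr_str_len < 2) return 0;          /* no address bytes at all */
    size_t addr_len = addr_str_len - 1;
    if (addr_len > MGMT_ADDR_MAX) return 0;  /* destination bound */
    if (addr_str_len + 1 > buflen) return 0; /* source bound: truncated frame */
    out->subtype = buf[1];
    out->len = (uint8_t)addr_len;
    memcpy(out->addr, buf + 2, addr_len);
    return addr_str_len + 1;
}

/* Constructed sample frames; each returns the parser's result. */
size_t demo_valid(void)      /* subtype 1, IPv4 10.0.0.1: length byte 1+4=5 */
{
    const uint8_t f[] = { 0x05, 0x01, 10, 0, 0, 1, 0x00 };
    struct mgmt_addr m;
    return parse_mgmt_addr(f, sizeof f, &m);   /* 6 */
}
size_t demo_oversized(void)  /* 0xFF advertises 254 address bytes */
{
    uint8_t f[64] = { 0xFF, 0x01 };
    struct mgmt_addr m;
    return parse_mgmt_addr(f, sizeof f, &m);   /* 0 */
}
size_t demo_truncated(void)  /* claims 5 bytes, frame ends after 2 */
{
    const uint8_t f[] = { 0x05, 0x01, 10, 0 };
    struct mgmt_addr m;
    return parse_mgmt_addr(f, sizeof f, &m);   /* 0 */
}
```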
Comment 1 Agostino Sarubbo gentoo-dev 2015-10-27 08:33:38 UTC
There is also another fix, an improper assert leading to a daemon
crash:

https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
Comment 2 Patrick McLean gentoo-dev 2016-03-03 00:53:58 UTC
net-misc/lldpd-0.9.1 is now in the tree, sorry about the delay on this
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-10 21:07:26 UTC
GLSA Vote: No