CVE-2023-41910: An issue was discovered in lldpd before 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This occurs in cdp_decode in daemon/protocols/cdp.c. Please stabilize 1.0.17.
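As an added illustration of the bug class named in the CVE text above (an out-of-bounds read while walking a CDP Addresses TLV), the following C decoder is example code written for this page: it is not lldpd's cdp_decode, and it does not reproduce the lldpd 1.0.17 fix. The TLV layout follows Cisco's published CDP format; the function name cdp_decode_addresses, the sample byte strings and the demo() helper are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Cisco's published layout of the CDP Addresses TLV body (the generic
 * 2-byte type / 2-byte length TLV header is already stripped):
 *   uint32 number_of_addresses, then per address:
 *   uint8 protocol_type (1 = NLPID), uint8 protocol_length,
 *   uint8 protocol[protocol_length] (NLPID 0xCC = IPv4),
 *   uint16 address_length, uint8 address[address_length]
 * Every count and length here is attacker-controlled wire data and must be
 * checked against the bytes still available before it advances the cursor. */
#define CDP_PROTO_TYPE_NLPID 1
#define CDP_NLPID_IPV4       0xCC

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of IPv4 addresses found (first out_max stored in out[]),
 * or -1 as soon as any field would extend past len. off <= len holds before
 * every read, so len - off cannot underflow. */
int cdp_decode_addresses(const uint8_t *body, size_t len, uint32_t out[], size_t out_max)
{
    size_t off, found = 0;
    if (len < 4) return -1;
    uint32_t count = rd32(body);
    off = 4;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < 2) return -1;               /* protocol_type, protocol_length */
        uint8_t ptype = body[off], plen = body[off + 1];
        off += 2;
        if (len - off < plen) return -1;            /* protocol bytes */
        const uint8_t *proto = body + off;
        off += plen;
        if (len - off < 2) return -1;               /* address_length */
        uint16_t alen = rd16(body + off);
        off += 2;
        if (len - off < alen) return -1;            /* address bytes */
        const uint8_t *addr = body + off;
        off += alen;
        if (ptype == CDP_PROTO_TYPE_NLPID && plen == 1 && proto[0] == CDP_NLPID_IPV4 && alen == 4) {
            if (found < out_max) out[found] = rd32(addr);
            found++;
        }
    }
    return (int)found;
}

/* Constructed sample bodies, not captured traffic. */
static const uint8_t sample_ok[] = {
    0x00, 0x00, 0x00, 0x01,            /* number_of_addresses = 1 */
    0x01, 0x01, 0xCC,                  /* NLPID, length 1, IPv4 */
    0x00, 0x04, 192, 0, 2, 10 };       /* address_length 4, 192.0.2.10 */
static const uint8_t sample_short_count[] = {
    0x00, 0x00, 0x00, 0x02,            /* claims two addresses, carries one */
    0x01, 0x01, 0xCC, 0x00, 0x04, 192, 0, 2, 10 };
static const uint8_t sample_long_addr[] = {
    0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0xCC,
    0x00, 0xC8, 192, 0, 2, 10 };       /* address_length 200 inside a 13-byte body */

/* Decode one sample (0 = well-formed, 1 = short count, 2 = oversized
 * address_length); returns the decoder result, first extracted address in *first. */
int demo(int which, uint32_t *first)
{
    const uint8_t *body = which == 0 ? sample_ok : which == 1 ? sample_short_count : sample_long_addr;
    size_t len = which == 0 ? sizeof sample_ok : which == 1 ? sizeof sample_short_count : sizeof sample_long_addr;
    uint32_t addrs[4] = {0};
    int rc = cdp_decode_addresses(body, len, addrs, 4);
    *first = addrs[0];
    return rc;
}

int main(void)
{
    for (int w = 0; w < 3; w++) {
        uint32_t a = 0;
        int rc = demo(w, &a);
        printf("sample %d: rc=%d first=%u.%u.%u.%u\n", w, rc,
               a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF);
    }
    return 0;
}
```

The property worth checking in any TLV walker of this shape is that number_of_addresses, protocol_length and address_length are each compared with the bytes remaining in the TLV before they move the cursor; a decoder that trusts any one of them will read past the end of the buffer on a crafted PDU of exactly the kind the CVE text describes.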
It seems 1.0.16 is not stable; cleaning the old version would be enough then, I think.
(In reply to Pacho Ramos from comment #1)
> It seems 1.0.16 is not stable; cleaning the old version would be enough
> then, I think.

Yes, I've adjusted the whiteboard status accordingly (for a package without any stable versions).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84cd129314ac47a9631049caae75f8f45c550366

commit 84cd129314ac47a9631049caae75f8f45c550366
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2024-07-17 18:04:52 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2024-07-17 18:04:52 +0000

    net-misc/lldpd: drop 1.0.16-r2, 1.0.17

    Bug: https://bugs.gentoo.org/918552
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/lldpd/Manifest                          |   2 -
 .../files/lldpd-1.0.16-configure-clang16.patch   |  23 -----
 net-misc/lldpd/lldpd-1.0.16-r2.ebuild            | 114 ---------------------
 net-misc/lldpd/lldpd-1.0.17.ebuild               | 111 --------------------
 4 files changed, 250 deletions(-)