CVE-2023-45239 (https://github.com/facebook/tac_plus/pull/41): A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server. I guess there's not a real release for this, so we need a snapshot or a backport of the patch.
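The injection class described in the report, as an added example that is not code from tac_plus, the pull request, or the Gentoo package: a minimal pre-auth hook runner in C that shows the vulnerable pattern (client-controlled field spliced into a string handed to `system()`) beside a hardened form (allowlist validation, then `fork`/`execv` with the field as its own argv element so no shell ever parses it). `field_is_safe`, `run_hook_unsafe`, `run_hook_safe` and the allowed character set are assumptions for illustration, not names or policy from the project.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_FIELD_LEN 64   /* assumed limit; pick what the deployment needs */

/* Allowlist check for a client-supplied field (username, rem-addr, NAC
 * address). Anything outside the set is rejected outright, so shell
 * metacharacters such as ; | & $ ` ( ) never reach a hook. The exact set
 * is an assumption for this example. */
int field_is_safe(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > MAX_FIELD_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' ||
              c == '@' || c == ':'))
            return 0;
    }
    return 1;
}

/* Vulnerable pattern, shown for contrast only: the untrusted field becomes
 * part of a command line that /bin/sh parses, so a value containing shell
 * syntax is executed as commands rather than passed as data. */
int run_hook_unsafe(const char *hook, const char *field)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", hook, field);
    return system(cmd);
}

/* Hardened form: validate first, then spawn the hook directly with execv.
 * hook and field are separate argv entries; the kernel receives field as
 * opaque bytes and no shell is involved. Returns the hook's exit status,
 * or -1 on rejection or spawn failure. */
int run_hook_safe(const char *hook, const char *field)
{
    if (!field_is_safe(field)) return -1;   /* reject before spawning anything */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)hook, (char *)field, NULL };
        execv(hook, argv);
        _exit(127);                         /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one benign username, one carrying shell syntax. */
    const char *inputs[] = { "alice", "alice;id" };
    for (int i = 0; i < 2; i++)
        printf("%-10s safe=%d hook_rc=%d\n", inputs[i],
               field_is_safe(inputs[i]), run_hook_safe("/bin/true", inputs[i]));
    return 0;
}
```

The validation alone is what closes the reported hole; the exec-without-shell step is defence in depth, so a future relaxation of the allowlist (for example to admit spaces in display names) cannot reintroduce shell parsing. Log the rejected value at the `return -1` site so that injection attempts show up in the TACACS+ server's audit trail.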
No maintainer and no reverse dependencies: my vote is to treeclean this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=638f3acca94fa5c15711f9db23c2fb6fcc04a196

commit 638f3acca94fa5c15711f9db23c2fb6fcc04a196
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-07 00:24:47 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-07 00:25:55 +0000

    profiles: mask tac_plus

    Bug: https://bugs.gentoo.org/918536
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41d224b667bf1d1894a4565348b519a2e01842ba

commit 41d224b667bf1d1894a4565348b519a2e01842ba
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2024-02-10 12:05:41 +0000
Commit: Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2024-02-10 12:05:41 +0000

    net-nds/tac_plus: treeclean

    Closes: https://bugs.gentoo.org/921304
    Closes: https://bugs.gentoo.org/884501
    Closes: https://bugs.gentoo.org/849440
    Bug: https://bugs.gentoo.org/918536
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-nds/tac_plus/Manifest                          |  1 -
 .../files/tac_plus-4.0.4.19-deansification.patch   | 10 ----
 .../files/tac_plus-4.0.4.27a-parallelmake.patch    | 11 ----
 net-nds/tac_plus/files/tac_plus.conf               | 11 ----
 net-nds/tac_plus/files/tac_plus.conf2              | 41 -------
 net-nds/tac_plus/files/tac_plus.confd              |  7 ---
 net-nds/tac_plus/files/tac_plus.confd2             |  6 --
 net-nds/tac_plus/files/tac_plus.init               | 22 -------
 net-nds/tac_plus/files/tac_plus.init2              | 20 -------
 net-nds/tac_plus/metadata.xml                      |  9 ---
 net-nds/tac_plus/tac_plus-4.0.4.27a-r3.ebuild      | 68 ----------
 profiles/package.mask                              |  5 --
 12 files changed, 211 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8dd863e03c2b4d483bf8805109c3ae6598a855e5

commit 8dd863e03c2b4d483bf8805109c3ae6598a855e5
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-18 07:32:10 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-18 07:32:51 +0000

    [ GLSA 202402-13 ] TACACS+: Remote Code Execution

    Bug: https://bugs.gentoo.org/918536
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-13.xml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)