CrOS: Vulnerability reported in net-dialup/ppp
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-dialup/ppp
Package Version: [cpe:/a:samba:ppp:2.4.6]
Advisory: CVE-2018-11574
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-11574
CVSS severity score: 7.5/10.0
Confidence: high
Description: Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.
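The advisory text above names the bug class (improper input validation plus an integer overflow in the EAP-TLS handling) without showing it. The following is an added example, not pppd's code and not the EAP-TLS patch this bug is about: a constructed parser for the EAP-TLS request header defined in RFC 5216 (Code, Identifier, Length, Type, Flags, optional 4-byte TLS Message Length, TLS Data), written once the unsafe way, trusting the packet's own length fields and doing the remaining-bytes arithmetic in a signed int, and once with the checks a parser needs. The sample packets are constructed, not captured traffic.

```c
/* Added example (not pppd's code, not the EAP-TLS patch). Parses the
 * RFC 5216 EAP-TLS request header:
 *   Code(1) Id(1) Length(2) Type(1) Flags(1) [TLS Message Length(4)] TLS Data
 * first without validation, then with it. Packet bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_CODE_REQUEST 1
#define EAP_TYPE_TLS     13
#define EAPTLS_FLAG_L    0x80  /* TLS Message Length field present */

struct eaptls_msg {
    uint8_t        id;
    uint8_t        flags;
    uint32_t       tls_total_len;  /* meaningful only when the L flag is set */
    const uint8_t *data;
    size_t         data_len;
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Naive parser: trusts the 16-bit Length field and the L flag, and computes
 * the remaining bytes in a signed int. A Length smaller than the header makes
 * (len - off) negative, which the cast turns into a huge data_len; a Length
 * larger than the buffer makes data_len reach past the received bytes. */
static void parse_eaptls_naive(const uint8_t *pkt, size_t pktlen, struct eaptls_msg *out)
{
    int len = (pkt[2] << 8) | pkt[3];
    int off = 6;
    (void)pktlen;  /* never consulted: that is the bug */
    out->id = pkt[1];
    out->flags = pkt[5];
    out->tls_total_len = 0;
    if (out->flags & EAPTLS_FLAG_L) {
        out->tls_total_len = get_be32(pkt + 6);
        off += 4;
    }
    out->data = pkt + off;
    out->data_len = (size_t)(len - off);
}

/* Checked parser: every length is compared with the bytes actually received
 * before use, and arithmetic stays on size_t values that cannot underflow.
 * Returns -1 for anything malformed. */
static int parse_eaptls_checked(const uint8_t *pkt, size_t pktlen, struct eaptls_msg *out)
{
    if (pkt == NULL || pktlen < 6)
        return -1;
    if (pkt[0] != EAP_CODE_REQUEST || pkt[4] != EAP_TYPE_TLS)
        return -1;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < 6 || len > pktlen)  /* claimed Length vs. header size and received bytes */
        return -1;

    memset(out, 0, sizeof(*out));
    out->id = pkt[1];
    out->flags = pkt[5];
    size_t off = 6;
    if (out->flags & EAPTLS_FLAG_L) {
        if (len - off < 4)  /* no room for the TLS Message Length field */
            return -1;
        out->tls_total_len = get_be32(pkt + 6);
        off += 4;
        if (out->tls_total_len < len - off)  /* whole message shorter than this fragment */
            return -1;
    }
    out->data = pkt + off;
    out->data_len = len - off;
    return 0;
}

/* Constructed sample packets. */
static const uint8_t SAMPLE_GOOD[] = {1, 7, 0, 12, 13, 0x80, 0, 0, 0, 2, 0xAA, 0xBB};
static const uint8_t SAMPLE_SHORT_LEN[] = {1, 7, 0, 4, 13, 0x80, 0, 0, 0, 0};  /* Length 4 < header */
static const uint8_t SAMPLE_OVERSIZED[] = {1, 7, 0, 200, 13, 0x00, 0, 0};      /* Length 200, 8 bytes received */

/* Data length the checked parser reports, or -1 if it rejects the packet. */
static long checked_data_len(const uint8_t *pkt, size_t pktlen)
{
    struct eaptls_msg m;
    return parse_eaptls_checked(pkt, pktlen, &m) == 0 ? (long)m.data_len : -1;
}

/* Data length the naive parser would hand to its caller. */
static size_t naive_data_len(const uint8_t *pkt, size_t pktlen)
{
    struct eaptls_msg m;
    parse_eaptls_naive(pkt, pktlen, &m);
    return m.data_len;
}

int main(void)
{
    printf("short Length: checked=%ld naive=%zu\n",
           checked_data_len(SAMPLE_SHORT_LEN, sizeof SAMPLE_SHORT_LEN),
           naive_data_len(SAMPLE_SHORT_LEN, sizeof SAMPLE_SHORT_LEN));
    printf("oversized:    checked=%ld naive=%zu\n",
           checked_data_len(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           naive_data_len(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    return 0;
}
```

The two hostile packets show the two halves of the advisory's wording: the short Length field is the integer overflow (a negative int becoming a huge size_t), and the oversized Length field is the missing input validation (a claimed length never compared with what arrived). Neither check depends on pppd internals; the same comparisons apply to any length-prefixed field read from the peer.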
Aug 15
Potential remote code execution bug via malicious PPP servers, but IIUC requires user interaction (triggering a connection attempt) -> High severity We don't compile ppp with EAP TLS support though. The bug is in a patch that isn't part of the ppp source tree, and while our ebuild does have the eap-tls USE flag, we don't enable it -> Impact None We should probably still uprev ppp for good measure so we don't end up enabling eap-tls in the future and become vulnerable.
Aug 15
+ Ben, in case he's more clueful about PPP than I am (it wouldn't be hard). I can give a barely educated attempt at it if needed, but if someone else is more familiar, feel free. Also, IIUC the fix is not actually merged upstream anywhere.
Aug 16
Maybe I'm an idiot, but I don't really know what to do with this.

1. This is not an upstream functionality; it's something that various distros are carrying around as an extra patch.
2. This patch is different for every distro, AFAICT. I don't know where they even come from originally.
3. Gentoo has no published update, AFAICT.
4. Taking the "new" patch as-is adds some significant unneeded delta, but it does build.
5. As noted, we don't even use the feature.

I've uploaded the patch as-is, but I really have no desire to verify anything here for an unused feature: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1176866

I would also be happy just blacklisting the USE flag somehow.
Aug 16
Actually, scratch that -- gentoo *did* publish an update. The patch tarballs just moved to someone else's directory, so I was confused. I'll see if an uprev isn't too hard.
Aug 16
Alternative: here's the uprev:
https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/1178230
https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1178231
https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1178232
Aug 29
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/eef343e82a583515747c833dcbaaf4c122957917

commit eef343e82a583515747c833dcbaaf4c122957917
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Aug 29 23:08:52 2018

ppp-scripts: upgraded package to upstream

Upgraded net-dialup/ppp-scripts to version 0 on amd64, arm

This is getting split out of net-dialup/ppp. Note that we're still masking out 40-dns.sh in CL:1178231, which will land before we pull in this ebuild anywhere.

BUG=chromium:874030
TEST=build; check `equery files`

Change-Id: If2e184f44015a939bacf3a38765c1a6f71454b7f
Reviewed-on: https://chromium-review.googlesource.com/1178230
Commit-Ready: Brian Norris <briannorris@chromium.org>
Tested-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/eef343e82a583515747c833dcbaaf4c122957917/net-dialup/ppp-scripts/Manifest
[add] https://crrev.com/eef343e82a583515747c833dcbaaf4c122957917/net-dialup/ppp-scripts/metadata.xml
[add] https://crrev.com/eef343e82a583515747c833dcbaaf4c122957917/net-dialup/ppp-scripts/ppp-scripts-0.ebuild
[add] https://crrev.com/eef343e82a583515747c833dcbaaf4c122957917/metadata/md5-cache/net-dialup/ppp-scripts-0
Aug 29
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/c576d919f858d5eaaa5cf4b01d7ab7b9994222ef

commit c576d919f858d5eaaa5cf4b01d7ab7b9994222ef
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Aug 29 23:08:51 2018

ppp-scripts: mask out /etc/ppp/ip-{up,down}.d/40-dns.sh

We used to mask this out in our local copy of the ppp ebuild, but this is moving to a separate ppp-scripts ebuild, which we'll keep in portage-stable. Just do the minor modification here instead.

BUG=chromium:874030
TEST=build ppp-scripts, see no 40-dns.sh

Change-Id: Iaa55fe990472923c3b92e7c4a293de1763a32203
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1178231
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/c576d919f858d5eaaa5cf4b01d7ab7b9994222ef/chromeos/config/env/net-dialup/ppp-scripts
Aug 29
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/0579faca4239865c6493b99e356bb76ebcd191e7

commit 0579faca4239865c6493b99e356bb76ebcd191e7
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Aug 29 23:08:53 2018

net-dialup/ppp: Uprev to 2.4.7 + latest EAP-TLS patch

We don't enable EAP-TLS, but there are a few potential overflows:

CVE-2018-11574
http://www.openwall.com/lists/oss-security/2018/06/11/1

Gentoo has updated its patch tarball to include a form of this fix, so let's uprev in case somebody turns on the USE flag someday accidentally.

There are a few local patches that have since been integrated upstream, so drop them.

The ebuild also moves to EAPI 6, so let's use eapply, and make our patches compatible with 'patch -p1'

'ip-up/down' scripts moved to the net-dialup/ppp-scripts package, and we've already performed the equivalent 40-dns.sh file masking there.

CQ-DEPEND=CL:1178230
BUG=chromium:874030
TEST=`USE=eap-tls emerge-${BOARD} net-dialup/ppp` builds

Change-Id: I2a442ae3a3dd4daeb1085f288b943bd3788680ae
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1178232
Reviewed-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/0579faca4239865c6493b99e356bb76ebcd191e7/net-dialup/ppp/metadata.xml
[rename] https://crrev.com/0579faca4239865c6493b99e356bb76ebcd191e7/net-dialup/ppp/ppp-2.4.7-r6.ebuild
[delete] https://crrev.com/c576d919f858d5eaaa5cf4b01d7ab7b9994222ef/net-dialup/ppp/files/ppp-2.4.6-options-fix.patch
[delete] https://crrev.com/c576d919f858d5eaaa5cf4b01d7ab7b9994222ef/net-dialup/ppp/files/ppp-2.4.6-buffer-overflow-in-radius.patch
[modify] https://crrev.com/0579faca4239865c6493b99e356bb76ebcd191e7/net-dialup/ppp/Manifest
[modify] https://crrev.com/0579faca4239865c6493b99e356bb76ebcd191e7/net-dialup/ppp/files/ppp-remove-ttyname.patch
Dec 6
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vapier@chromium.org, Aug 14
Components: OS>Systems>Network
Owner: briannorris@chromium.org