[ASA-202003-3] ppp: arbitrary code execution
Arch Linux Security Advisory ASA-202003-3
=========================================

Severity: Medium
Date    : 2020-03-07
CVE-ID  : CVE-2020-8597
Package : ppp
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1101

Summary
=======

The package ppp before version 2.4.7-7 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 2.4.7-7.

# pacman -Syu "ppp>=2.4.7-7"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A buffer overflow flaw was found in the ppp package in versions 2.4.2 through 2.4.8. The bounds check for the rhostname was improperly constructed in the EAP request and response functions, which could allow a buffer overflow to occur. Data confidentiality and integrity, as well as system availability, are all at risk with this vulnerability.

Impact
======

A remote, unauthenticated user can crash or possibly execute code on the host by sending malicious authentication data.

References
==========

https://lists.debian.org/debian-lts-announce/2020/02/msg00005.html
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe67875...
https://seclists.org/fulldisclosure/2020/Mar/6
https://security.archlinux.org/CVE-2020-8597
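The Description above says the rhostname bounds check in the EAP code was "improperly constructed" but does not show the code. The following is an added illustration, not the pppd source (the real change is in the linked commit): it models a length-prefixed peer name copied into a fixed buffer, compares a comparison that points the wrong way (an assumed shape of the bug) with the corrected one, and evaluates which inputs would overflow without ever performing an unsafe copy. The buffer size RHOSTNAME_LEN and the packet layout are assumptions.

```c
#include <string.h>

#define RHOSTNAME_LEN 256   /* fixed-size peer-name buffer (assumed size) */

enum copy_path { PATH_TRIM, PATH_FULL };

/* The peer name occupies bytes [len, vallen) of the EAP payload, so
 * vallen - len is its length (caller guarantees vallen >= len).
 * Return which branch the bounds check selects.  With inverted != 0 the
 * comparison points the wrong way: short names are trimmed and long
 * names take the unbounded full-copy path. */
static enum copy_path choose_path(size_t vallen, size_t len, int inverted)
{
    size_t name_len = vallen - len;
    if (inverted)
        return name_len < RHOSTNAME_LEN ? PATH_TRIM : PATH_FULL;
    return name_len >= RHOSTNAME_LEN ? PATH_TRIM : PATH_FULL;
}

/* Would copying along this path write past the end of rhostname?
 * PATH_TRIM stores RHOSTNAME_LEN-1 bytes plus NUL; PATH_FULL stores
 * name_len bytes plus NUL.  Evaluated without performing any copy. */
static int path_overflows(enum copy_path p, size_t vallen, size_t len)
{
    if (p == PATH_TRIM)
        return 0;
    return (vallen - len) + 1 > RHOSTNAME_LEN;
}

/* Corrected copy: trim the name when it does not fit, then NUL-terminate.
 * Returns the number of name bytes stored. */
static size_t copy_peer_name(const unsigned char *inp, size_t vallen,
                             size_t len, char rhostname[RHOSTNAME_LEN])
{
    size_t name_len = vallen - len;
    if (name_len >= RHOSTNAME_LEN)
        name_len = RHOSTNAME_LEN - 1;   /* really long peer name: trim */
    memcpy(rhostname, inp + len, name_len);
    rhostname[name_len] = '\0';
    return name_len;
}

/* Constructed sample: a 300-byte peer name after a 4-byte header. */
static size_t demo_long_name(int *wrong_check_overflows)
{
    unsigned char pkt[304];
    char rhostname[RHOSTNAME_LEN];
    memset(pkt, 'A', sizeof pkt);
    *wrong_check_overflows = path_overflows(choose_path(304, 4, 1), 304, 4);
    return copy_peer_name(pkt, 304, 4, rhostname);
}
```

For the constructed 300-byte name the inverted check picks the full-copy path, which would write 301 bytes into a 256-byte buffer, while the corrected copy stores 255 bytes and a terminator.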
Morten Linderud