[ASA-202003-3] ppp: arbitrary code execution
foxboron at archlinux.org
Thu Mar 12 18:31:04 UTC 2020
Arch Linux Security Advisory ASA-202003-3
Date : 2020-03-07
CVE-ID : CVE-2020-8597
Package : ppp
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1101
The package ppp before version 2.4.7-7 is vulnerable to arbitrary code
Upgrade to 2.4.7-7.

# pacman -Syu "ppp>=2.4.7-7"

The problem has been fixed upstream but no release is available yet.

A buffer overflow flaw was found in the ppp package in versions 2.4.2
through 2.4.8. The bounds check for the rhostname was improperly
constructed in the EAP request and response functions which could allow
a buffer overflow to occur. Data confidentiality and integrity, as well
as system availability, are all at risk with this vulnerability.

A remote unauthenticated user can crash or possibly execute code on the
host by sending malicious authentication data.
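
The kind of bounds-check mistake described above, as an added example that is not part of the original advisory and is not pppd's source: a simplified C model in which the length test compares the wrong quantities, beside a corrected form and a hardened copy routine. The function names, the 256-byte buffer size and the len/vallen parameters are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RHOSTNAME_MAX 256  /* assumed size of the peer-name buffer */

/* Flawed check (illustrative): when vallen <= len the condition cannot be
 * true for realistic packet lengths, so the truncation branch is dead. */
size_t copy_len_flawed(size_t len, size_t vallen)
{
    size_t name_len = len - vallen;      /* name bytes that follow the value */
    if (vallen >= len + RHOSTNAME_MAX)
        return RHOSTNAME_MAX - 1;
    return name_len;                     /* may exceed the buffer */
}

/* Corrected check: bound the quantity that is actually copied. */
size_t copy_len_fixed(size_t len, size_t vallen)
{
    size_t name_len = len - vallen;
    if (name_len >= RHOSTNAME_MAX)
        return RHOSTNAME_MAX - 1;        /* truncate, keep room for the NUL */
    return name_len;
}

/* Hardened copy: reject vallen > len, then truncate to the buffer.
 * Returns the bytes stored (without the NUL) or -1 for a malformed packet. */
int copy_peer_name(char out[RHOSTNAME_MAX], const unsigned char *pkt,
                   size_t len, size_t vallen)
{
    if (vallen > len)
        return -1;
    size_t n = copy_len_fixed(len, vallen);
    memcpy(out, pkt + vallen, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    unsigned char pkt[1000];             /* constructed sample payload */
    char name[RHOSTNAME_MAX];
    memset(pkt, 'A', sizeof pkt);
    printf("flawed check would copy %zu bytes into %d\n",
           copy_len_flawed(sizeof pkt, 16), RHOSTNAME_MAX);
    printf("fixed check stores %d bytes\n",
           copy_peer_name(name, pkt, sizeof pkt, 16));
    return 0;
}
```

The flawed function only computes the length it would copy and never performs that copy, so the program is safe to run as written.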