Bug 26217 - ppp new security issue CVE-2020-8597
Summary: ppp new security issue CVE-2020-8597
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2020-02-19 23:13 CET by David Walser
Modified: 2020-03-12 22:48 CET (History)

See Also:
Source RPM: ppp-2.4.7-13.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-02-19 23:13:36 CET
Debian-LTS has issued an advisory on February 9:
https://www.debian.org/lts/security/2020/dla-2097

Mageia 7 is also affected.
David Walser 2020-02-19 23:13:44 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-20 19:26:40 CET
'ppp' has no evident maintainer, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-02-20 20:37:47 CET
Ubuntu has issued an advisory for this today (February 20):
https://usn.ubuntu.com/4288-1/

Severity: critical => major

Comment 3 David GEIGER 2020-02-21 09:23:30 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2020-02-21 13:55:53 CET
Advisory:
========================

Updated ppp packages fix security vulnerability:

Ilja Van Sprundel discovered a buffer overflow vulnerability in ppp. When
receiving an EAP Request message in client mode, an attacker was able to
overflow the rhostname array by providing a very long name (CVE-2020-8597).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597
https://www.debian.org/lts/security/2020/dla-2097
========================

Updated packages in core/updates_testing:
========================
ppp-2.4.7-13.1.mga7
ppp-devel-2.4.7-13.1.mga7
ppp-pppoatm-2.4.7-13.1.mga7
ppp-pppoe-2.4.7-13.1.mga7
ppp-radius-2.4.7-13.1.mga7
ppp-dhcp-2.4.7-13.1.mga7

from ppp-2.4.7-13.1.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
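The advisory above describes a length check that fails to bound the copy of the peer name from an EAP Request into the fixed `rhostname` array. The C below is an added illustration of that failure mode and its remedy; it is not code from the bug report, the advisory or the ppp source. The variable names `vallen` and `len`, the 256-byte buffer size and the payload layout (a value field followed by the name) are assumptions of this model, and the sample payloads are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed size of the fixed peer-name buffer used in this model. */
#define RHOSTNAME_SIZE 256

/*
 * Model of the decision the EAP Request handler has to make: after the
 * vallen-byte value field, the remaining len - vallen bytes of the payload
 * carry the peer's name, which is copied into a fixed buffer. Each check
 * returns true when the name must be trimmed to fit, false when it may be
 * copied whole. Both assume vallen <= len has already been validated.
 */

/* Flawed check (constructed to show the failure mode): it compares vallen,
 * not the copy length, against the buffer size. With vallen <= len the
 * condition vallen >= len + RHOSTNAME_SIZE is never true, so the trimming
 * branch is dead and an over-long name is copied in full. */
bool flawed_needs_trim(size_t vallen, size_t len)
{
    return vallen >= len + RHOSTNAME_SIZE;
}

/* Corrected check: the quantity that has to fit is the copy length
 * len - vallen (plus one byte for the terminating NUL). */
bool fixed_needs_trim(size_t vallen, size_t len)
{
    return len - vallen >= RHOSTNAME_SIZE;
}

/* Bytes an unguarded copy would write past a RHOSTNAME_SIZE buffer,
 * counting the NUL terminator; 0 when the name fits. */
size_t overflow_bytes(size_t vallen, size_t len)
{
    size_t namelen = len - vallen;
    return namelen + 1 > RHOSTNAME_SIZE ? namelen + 1 - RHOSTNAME_SIZE : 0;
}

/*
 * Hardened copy: rejects a malformed length (vallen > len), trims the name
 * to bufsize - 1 bytes and always NUL-terminates. Returns the number of
 * name bytes stored, or -1 for a malformed packet.
 */
int copy_peer_name(const uint8_t *inp, size_t vallen, size_t len,
                   char *buf, size_t bufsize)
{
    if (bufsize == 0 || vallen > len)
        return -1;
    size_t namelen = len - vallen;
    if (namelen >= bufsize)
        namelen = bufsize - 1;          /* trim rather than overflow */
    memcpy(buf, inp + vallen, namelen);
    buf[namelen] = '\0';
    return (int)namelen;
}

/* Constructed payload: a 16-byte value followed by a 1000-byte name.
 * Returns the number of bytes the hardened copy stores (255). */
int demo_long_name(void)
{
    static uint8_t payload[16 + 1000];
    char rhostname[RHOSTNAME_SIZE];
    memset(payload, 'A', sizeof payload);
    return copy_peer_name(payload, 16, sizeof payload,
                          rhostname, sizeof rhostname);
}

/* Constructed payload: a 4-byte value followed by the name "peer".
 * Returns 1 when the hardened copy stores exactly "peer". */
int demo_short_name(void)
{
    const uint8_t payload[] = { 1, 2, 3, 4, 'p', 'e', 'e', 'r' };
    char rhostname[RHOSTNAME_SIZE];
    int n = copy_peer_name(payload, 4, sizeof payload,
                           rhostname, sizeof rhostname);
    return n == 4 && strcmp(rhostname, "peer") == 0;
}
```

The point to take from the two checks is that the guard must be written in terms of the quantity actually passed to the copy (`len - vallen`), and that a guard which can never fire is as good as absent; when reviewing a fix of this kind, confirm the patched condition is reachable for an over-long input, not just that a comparison against `sizeof` is present.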

Comment 5 Herman Viaene 2020-02-24 15:28:23 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Reading in MCC "ppp daemon" and seeing an executable pppd, made me try:
# systemctl -l status pppd
Unit pppd.service could not be found.
So tried at CLI
# pppd
~�}#�!}!}!} }4}"}&} } } } }%}&%7�b}'}"}(}"L�~~�}#�!}!}!} }4}"}&} } } }
and more of this stuff
Ref bug 15714 did not bring me further, since the kppp package referred there does not seem to exist anymore.
Googling brought me either to "posterior pelvic pain provocation" or Porsche....
If TJ approves, I will OK on clean install.

CC: (none) => herman.viaene

Thomas Backlund 2020-03-06 22:57:43 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Thomas Andrews 2020-03-12 13:55:42 CET
Sorry I didn't look in on this before now, Herman. As always, thank you for your efforts.

Since tmb uploaded the advisory without comment, I'm going to assume he has no objection to a clean install OK. I find that reassuring.

So, I'll go ahead and add the OK, and validate so this can go on its way.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2020-03-12 22:48:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0139.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
