Bug 27756 - libndpi securty issue CVE-2020-15475
Summary: libndpi securty issue CVE-2020-15475
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Stig-Ørjan Smelror
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-06 02:54 CET by Zombie Ryushu
Modified: 2021-07-01 18:25 CEST (History)
2 users (show)

See Also:
Source RPM: libndpi-2.6-2.mga8.src.rpm
CVE: CVE-2020-15475
Status comment: Fixed upstream in 3.4, updating would require updating ntopng

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Zombie Ryushu 2020-12-06 02:54:02 CET 
In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c omits certain reinitialization, leading to a use-after-free.
Zombie Ryushu 2020-12-06 02:54:35 CET

CVE: (none) => CVE-2020-15475

Comment 1 David Walser 2020-12-06 03:21:33 CET 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15475

Source RPM: ndpi-1.4.0-0.1.svn7329.3.mga5.src => libndpi-2.6-2.mga8.src.rpm
Whiteboard: (none) => MGA7TOO

Comment 2 Aurelien Oudelet 2020-12-07 10:26:10 CET 
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => smelror

Comment 3 Nicolas Lécureuil 2020-12-26 10:36:05 CET 
updating to latest version to fix this CVE in cauldron.

can we do the update on mageia 7 ?

CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 David Walser 2020-12-26 16:59:48 CET 
libndpi-3.4-1.mga8 is the updated version in Cauldron.

It's only used by ntopng, so as long as the updated version works with that in Mageia 7, then we're good.  It looks like 3.4 updates the library major, so we'd have to rebuild ntopng if we updated it.

Summary: ndpi securty issue CVE-2020-15475 => libndpi securty issue CVE-2020-15475

David Walser 2020-12-28 19:14:18 CET

Status comment: (none) => Fixed upstream in 3.4, updating would require updating ntopng

Comment 5 David Walser 2021-07-01 18:25:48 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD
Note You need to log in before you can comment on or make changes to this bug.