Bug 1800727 (CVE-2020-8597)

Summary: CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
Product: [Other] Security Response
Component: vulnerability
Reporter: Pedro Sampaio <psampaio>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: dmoppert, huzaifas, jaskalnik, jskarvad, jsynacek, msekleta, than, thozza, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the ppp package in versions 2.4.2 through 2.4.8. The bounds check on the rhostname buffer was improperly constructed in the EAP request and response functions, which could allow a buffer overflow to occur. Data confidentiality and integrity, as well as system availability, are all at risk with this vulnerability.
Last Closed: 2020-02-27 15:49:55 UTC
Bug Depends On: 1800734, 1806412, 1806413, 1806414, 1806415, 1806416, 1806417, 1825905
Bug Blocks: 1800732

Description Pedro Sampaio 2020-02-07 20:03:57 UTC
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

Upstream patch:

https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
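
The flawed check, as an added illustration that is not pppd's own source. The layout is modelled on the MD5-Challenge handling in eap.c: after the value-length byte is read, `len` is the data remaining in the packet and `vallen` the challenge value length (already validated as 8 <= vallen <= len), so the trailing name is `len - vallen` bytes and is copied into a 256-byte `rhostname` array that lives on the stack of eap_request()/eap_response(), which is why the stack-protector statement later in this bug applies. As I read the upstream commit linked above, the fix replaces the comparison `vallen >= len + sizeof(rhostname)` with `len - vallen >= sizeof(rhostname)`; the function names, the packet builder and the 300-byte name below are my own constructions for the demonstration. The code only computes the copy lengths for the pre-fix check and never performs the unsafe copy, so it runs without corrupting anything.

```c
/* Added illustration of the CVE-2020-8597 bounds check; not pppd's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RHOSTNAME_SIZE 256   /* matches pppd's rhostname[256] */

/* Bytes the pre-fix code would BCOPY into rhostname.  Because the caller has
 * already ensured vallen <= len, the "trim" branch can never be taken, and
 * len - vallen is copied with no regard for the buffer size. */
size_t vulnerable_copy_len(size_t len, size_t vallen)
{
    if (vallen >= len + RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;      /* dead branch in practice */
    return len - vallen;                /* may exceed RHOSTNAME_SIZE */
}

/* Bytes copied after the upstream fix: the name length itself is bounded. */
size_t fixed_copy_len(size_t len, size_t vallen)
{
    if (len - vallen >= RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;
    return len - vallen;
}

/* Parse MD5-Challenge data (value-length byte, challenge value, then name)
 * and copy the name into rhostname using the fixed bound, so the copy can
 * never overflow.  Returns the number of name bytes stored, or -1 when the
 * packet fails the same length sanity check eap.c applies before the copy. */
int extract_md5_name(const uint8_t *inp, size_t len, char rhostname[RHOSTNAME_SIZE])
{
    if (len < 1)
        return -1;
    size_t vallen = inp[0];
    inp++;
    len--;
    if (vallen < 8 || vallen > len)
        return -1;
    size_t n = fixed_copy_len(len, vallen);
    memcpy(rhostname, inp + vallen, n);
    rhostname[n] = '\0';
    return (int)n;
}

/* Build a constructed MD5-Challenge body carrying a namelen-byte name.
 * Returns the body length, or 0 if it does not fit in buf. */
size_t build_md5_challenge(uint8_t *buf, size_t bufsz, size_t namelen)
{
    const size_t vallen = 16;
    if (bufsz < 1 + vallen + namelen)
        return 0;
    buf[0] = (uint8_t)vallen;
    memset(buf + 1, 0x41, vallen);            /* dummy challenge value */
    memset(buf + 1 + vallen, 'n', namelen);   /* attacker-chosen name */
    return 1 + vallen + namelen;
}

/* Pre-fix copy length for a packet whose name is namelen bytes long. */
size_t prefix_copy_for_name(size_t namelen)
{
    uint8_t pkt[1024];
    size_t len = build_md5_challenge(pkt, sizeof pkt, namelen);
    if (len == 0)
        return 0;
    return vulnerable_copy_len(len - 1, pkt[0]);   /* len - 1: after GETCHAR */
}

/* Bytes actually stored by the fixed parser for the same packet. */
int safe_extract_for_name(size_t namelen)
{
    uint8_t pkt[1024];
    char rhostname[RHOSTNAME_SIZE];
    size_t len = build_md5_challenge(pkt, sizeof pkt, namelen);
    if (len == 0)
        return -1;
    return extract_md5_name(pkt, len, rhostname);
}

int main(void)
{
    size_t namelen = 300;   /* longer than rhostname can hold */
    printf("name bytes in packet:  %zu\n", namelen);
    printf("pre-fix copy length:   %zu (buffer is %d bytes)\n",
           prefix_copy_for_name(namelen), RHOSTNAME_SIZE);
    printf("fixed parser stored:   %d bytes\n", safe_extract_for_name(namelen));
    return 0;
}
```

With a 300-byte name the pre-fix arithmetic yields a 300-byte copy into a 256-byte stack array, while the fixed check clamps the copy to 255 bytes plus the terminator; a name that fits is copied whole by both. The overflowed bytes land past rhostname on the stack, which is the write that a gcc stack protector canary detects and turns into an abort rather than controlled code execution, matching the statement in comment 5.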

Comment 1 Pedro Sampaio 2020-02-07 20:08:18 UTC
Created ppp tracking bugs for this issue:

Affects: fedora-all [bug 1800734]

Comment 5 Huzaifa S. Sidhpurwala 2020-02-24 07:09:10 UTC
Statement:

The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only.

Comment 8 Jaroslav Škarvada 2020-02-25 10:44:26 UTC
What's the impact to set in the errata field?

Comment 9 Jaroslav Škarvada 2020-02-25 14:57:10 UTC
(In reply to Jaroslav Škarvada from comment #8)
> What's the impact to set in the errata field?

I got the information from one of the cloned bugzillas: Important.

Comment 11 errata-xmlrpc 2020-02-27 15:21:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0630 https://access.redhat.com/errata/RHSA-2020:0630

Comment 12 errata-xmlrpc 2020-02-27 15:26:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0634 https://access.redhat.com/errata/RHSA-2020:0634

Comment 13 errata-xmlrpc 2020-02-27 15:40:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0633 https://access.redhat.com/errata/RHSA-2020:0633

Comment 14 errata-xmlrpc 2020-02-27 15:42:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0631 https://access.redhat.com/errata/RHSA-2020:0631

Comment 15 Product Security DevOps Team 2020-02-27 15:49:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8597

Comment 16 Huzaifa S. Sidhpurwala 2020-03-03 03:42:44 UTC
Mitigation:

Red Hat is working on providing updated packages which patch this flaw. This flaw can only be mitigated by updating to these package versions. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only.