Bug 1896536 (CVE-2015-8011)
| Summary: | CVE-2015-8011 lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aconole, apevec, askrabec, bbennett, bmontgom, chrisw, ctrautma, dbecker, dblechte, dfediuck, eedri, eparis, fleitner, i.maximets, james.hogarth, jburrell, jhsiao, jjoyce, jokerman, jschluet, lhh, lpeer, mburman, mburns, mgoldboi, michal.skrivanek, nlevy, nstielau, ovs-team, ralongi, rhos-maint, rkhan, sbonazzo, sclewis, sherold, slinaber, sponnaga, srevivo, tgraf, tredaelli, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | lldpd 0.8.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A buffer overflow was found in the lldp_decode function in daemon/protocols/lldp.c in lldpd. This flaw allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries. This threatens the system's confidentiality, integrity, and availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-12-17 09:56:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1896940, 1896941, 1896944, 1896946, 1896947, 1896948, 1896949, 1896950, 1896951, 1896954, 1897477, 1897478, 1897479, 1897480, 1899303, 1899304, 1899305, 1907535, 1907536, 1907537, 1907538, 1907539, 1907540 | ||
| Bug Blocks: | 1892460 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-11-10 20:07:24 UTC
Flaw summary: The `addr_str_buffer` can be overflowed during a call to `memcpy(value, pos, bytes)`, where `bytes` is passed `addr_str_length` and `value` is passed `addr_str_buffer` if a remote device advertises a management address that is too large. This results in an out-of-bounds write which could lead to denial of service. While it could theoretically lead to code execution in other cases, in Red Hat Enterprise Linux the openvswitch package is built with __FORTIFY_SOURCE enabled which mitigates this[1]. 1. https://access.redhat.com/blogs/766093/posts/3606481 The openvswitch2.13 package was first shipped in OCP from version 4.3. OCP 4.2 and earlier did not ship an openvswitch package. The rhosp-openvswitch package was only shipped in OCP 4.3, which is now out of support scope. Created openvswitch tracking bugs for this issue: Affects: fedora-all [bug 1899303] Affects: openstack-rdo [bug 1899304] Created rdo-openvswitch tracking bugs for this issue: Affects: openstack-rdo [bug 1899305] External References: http://www.openwall.com/lists/oss-security/2015/10/16/2 http://www.openwall.com/lists/oss-security/2015/10/30/2 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2020:5611 https://access.redhat.com/errata/RHSA-2020:5611 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-8011 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:5615 https://access.redhat.com/errata/RHSA-2020:5615 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Red Hat Virtualization Engine 4.3 Via RHSA-2021:0028 https://access.redhat.com/errata/RHSA-2021:0028 Mitigation: When the lldpd source is compiled with source fortification enabled, the flaw becomes unexploitable and will just cause a crash. Statement: The lldpd package as shipped with Red Hat Enterprise Linux 8 is not affected by this flaw because it has already received the patch. The flaw affects versions before 0.8.0 and the shipped version is 1.0.1+. In addition, Red Hat Virtualization 4.3 manager appliance is out of support scope and therefore no fix for it will be delivered. This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:0988 https://access.redhat.com/errata/RHSA-2021:0988 This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 7 Via RHSA-2021:2077 https://access.redhat.com/errata/RHSA-2021:2077 This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2021:2205 https://access.redhat.com/errata/RHSA-2021:2205 |