lldptool can print a raw, unsanitized attacker-controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.

Upstream patch: https://github.com/intel/openlldp/pull/7

References: https://bugzilla.redhat.com/show_bug.cgi?id=1551623
Acknowledgments: Name: Aaron Conole (Red Hat)
Statement: Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.
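
The defensive pattern for this class of bug, as an added example (not openlldp's code and not the upstream patch): bytes received in a TLV are escaped before they are written to a terminal. The function name `escape_untrusted`, the buffer sizes and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Escape every byte outside printable ASCII (and the backslash itself) as
 * \xNN so that nothing received from the network reaches the terminal as a
 * control sequence. Returns the number of bytes written (excluding NUL),
 * or -1 if out is too small; out is NUL-terminated whenever outsz > 0. */
int escape_untrusted(const uint8_t *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        int printable = in[i] >= 0x20 && in[i] <= 0x7e && in[i] != '\\';
        size_t need = printable ? 1 : 4;

        if (o + need >= outsz) {        /* keep room for the terminator */
            out[o] = '\0';
            return -1;
        }
        if (printable)
            out[o++] = (char)in[i];
        else
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)in[i]);
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: an address field carrying ESC [ 2 J and a BEL. */
    const uint8_t mng_addr[] = { 'e', 't', 'h', '0', 0x1b, '[', '2', 'J', 0x07 };
    char safe[64];

    /* Unsafe pattern: fwrite(mng_addr, 1, sizeof(mng_addr), stdout); */
    if (escape_untrusted(mng_addr, sizeof(mng_addr), safe, sizeof(safe)) >= 0)
        printf("Management address: %s\n", safe);
    return 0;
}
```

Escaping the backslash as well keeps the output unambiguous, so a reader can tell a literal `\x1b` sent by a peer from an escaped ESC byte.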
Created lldpad tracking bugs for this issue:

Affects: fedora-all [bug 1614932]
The pull request was not originally referenced to this BZ, also the original pull request did not call out the security implications clearly. As I wasn't added to this BZ, I wasn't aware until just now of this BZ. Anyway, the PR was merged 2 days ago:
https://github.com/intel/openlldp/commit/41feb359a9d0082b0bcf68b1f2b37227f02af4f1

We did not perform security QA on this PR however, so I'd like to have a developer take another look at our merge and ensure that openlldp (with the merged commit) looks good, and we'll perform more validation with the patch integrated.

I'll try to get the version bumped as well so we can request that openlldp gets updated in RHEL 7.6 and RHEL 8.
In reply to comment 6:
> The pull request was not originally referenced to this BZ, also the original
> pull request did not call out the security implications clearly. As I wasn't
> added to this BZ, I wasn't aware until just now of this BZ. Anyway, the PR
> was merged 2 days ago:
> https://github.com/intel/openlldp/commit/41feb359a9d0082b0bcf68b1f2b37227f02af4f1
>
> We did not perform security QA on this PR however, so I'd like to have a
> developer take another look at our merge and ensure that openlldp (with the
> merged commit) looks good, and we'll perform more validation with the patch
> integrated.
>
> I'll try to get the version bumped as well so we can request that openlldp
> gets updated in RHEL 7.6 and RHEL 8.

Apologies, I believe this should have gone through Intel as they are the correct CNA. Completely slipped my mind. Let us know if you want the CVE rejected so Intel can assign instead.

Regards.
This affects versions up to upstream v1.0.1. The fix is committed upstream, and the next release may include this fix.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:3673 https://access.redhat.com/errata/RHSA-2019:3673
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-10932