Bug 1614896 (CVE-2018-10932) - CVE-2018-10932 lldptool: improper sanitization of shell-escape codes
Summary: CVE-2018-10932 lldptool: improper sanitization of shell-escape codes
Status: NEW
Alias: CVE-2018-10932
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1614933 1614931 1614932
Blocks: 1591318
Reported: 2018-08-10 16:17 UTC by Scott Gayou
Modified: 2019-09-29 14:47 UTC


Description Scott Gayou 2018-08-10 16:17:59 UTC
lldptool can print a raw, unsanitized attacker-controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.

Upstream patch:

https://github.com/intel/openlldp/pull/7

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1551623
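
One way to neutralize a received buffer before it is written to a terminal, as an added example that is not part of this bug report and is not the upstream openlldp patch. The function name `sanitize_for_terminal` is hypothetical and the sample field is constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Copy `len` untrusted bytes into `out` as printable ASCII. Anything outside
 * 0x20..0x7e, and the backslash itself, becomes \xHH, so ESC (0x1b), CSI
 * (0x9b) and other control codes never reach the terminal. Always
 * NUL-terminates. Returns 0, or -1 if `out` was too small (output truncated).
 */
int sanitize_for_terminal(const unsigned char *in, size_t len,
                          char *out, size_t out_sz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (out_sz == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int printable = (c >= 0x20 && c <= 0x7e && c != '\\');
        size_t need = printable ? 1 : 4;

        if (o + need >= out_sz) {       /* keep room for the NUL */
            out[o] = '\0';
            return -1;
        }
        if (printable) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a text field carrying an ANSI colour sequence. */
    static const unsigned char field[] = "mgmt\x1b[31maddr";
    char safe[4 * sizeof(field) + 1];   /* worst case: every byte escaped */

    sanitize_for_terminal(field, sizeof(field) - 1, safe, sizeof(safe));
    printf("Management Address: %s (%zu bytes)\n", safe, strlen(safe));
    return 0;
}
```

Escaping the backslash as well keeps the output unambiguous: a literal `\x1b` typed by the sender cannot be confused with an escaped ESC byte.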

Comment 1 Scott Gayou 2018-08-10 16:18:07 UTC
Acknowledgments:

Name: Aaron Conole (Red Hat)

Comment 3 Scott Gayou 2018-08-10 18:51:50 UTC
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.

Comment 4 Scott Gayou 2018-08-10 18:59:13 UTC
Created lldpad tracking bugs for this issue:

Affects: fedora-all [bug 1614932]

Comment 6 Ronald Bynoe 2018-08-10 19:28:53 UTC
The pull request was not originally referenced to this BZ; also, the original pull request did not call out the security implications clearly. As I wasn't added to this BZ, I wasn't aware until just now of this BZ. Anyway, the PR was merged 2 days ago:
https://github.com/intel/openlldp/commit/41feb359a9d0082b0bcf68b1f2b37227f02af4f1

We did not perform security QA on this PR, however, so I'd like to have a developer take another look at our merge and ensure that openlldp (with the merged commit) looks good, and we'll perform more validation with the patch integrated.

I'll try to get the version bumped as well so we can request that openlldp gets updated in RHEL 7.6 and RHEL 8.

Comment 7 Scott Gayou 2018-08-10 20:02:40 UTC
In reply to comment 6:
> The pull request was not originally referenced to this BZ, also the original
> pull request did not call out the security implications clearly. As I wasn't
> added to this BZ, I wasn't aware until just now of this BZ. Anyway, the PR
> was merged 2 days ago:
> https://github.com/intel/openlldp/commit/41feb359a9d0082b0bcf68b1f2b37227f02af4f1
> 
> We did not perform security QA on this PR however, so I'd like to have a
> developer take another look at our merge and ensure that openlldp (with the
> merged commit) looks good, and we'll perform more validation with the patch
> integrated.
> 
> I'll try to get the version bumped as well so we can request that openlldp
> gets updated in RHEL 7.6 and RHEL 8.

Apologies, I believe this should have gone through Intel as they are the correct CNA. Completely slipped my mind. Let us know if you want the CVE rejected so Intel can assign instead.

Regards.

Comment 9 Scott Gayou 2018-08-27 15:40:37 UTC
This affects versions up to upstream v1.0.1. The fix is committed upstream, and the next release may include this fix.

