Bug 1800727 (CVE-2020-8597) - CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
Summary: CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8597
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1800734 1806412 1806413 1806414 1806415 1806416 1806417 1825905
Blocks: 1800732
Reported: 2020-02-07 20:03 UTC by Pedro Sampaio
Modified: 2023-10-06 19:09 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the ppp package in versions 2.4.2 through 2.4.8. The bounds check for the rhostname was improperly constructed in the EAP request and response functions which could allow a buffer overflow to occur. Data confidentiality and integrity, as well as system availability, are all at risk with this vulnerability.
Clone Of:
Environment:
Last Closed: 2020-02-27 15:49:55 UTC
Embargoed:

Links
System                   ID             Last Updated
Red Hat Product Errata   RHSA-2020:0630 2020-02-27 15:21:07 UTC
Red Hat Product Errata   RHSA-2020:0631 2020-02-27 15:42:17 UTC
Red Hat Product Errata   RHSA-2020:0633 2020-02-27 15:40:10 UTC
Red Hat Product Errata   RHSA-2020:0634 2020-02-27 15:26:46 UTC

Description Pedro Sampaio 2020-02-07 20:03:57 UTC
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

Upstream patch:

https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
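As an added illustration (not code from this bug report or from the ppp project), the model below contrasts the shape of the flawed rhostname bounds check with its corrected form, following the pattern fixed by the upstream commit linked above: the flawed check compares `vallen` against `len + sizeof(rhostname)`, which cannot hold when `vallen` is an offset inside `len`, so the subsequent copy of `len - vallen` bytes is effectively unbounded. The buffer size, variable names and packet geometry are simplified assumptions; the harness only computes how many bytes each check would permit and never performs the unsafe copy.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the peer-name buffer used by the EAP request/response
 * handlers; the size is an illustrative assumption, not ppp's value. */
#define RHOSTNAME_SZ 256

/* Bytes the flawed check would copy into rhostname. `len` is the total
 * remaining packet length and `vallen` the offset where the name starts,
 * so the name is len - vallen bytes long. Comparing vallen against
 * len + RHOSTNAME_SZ never triggers truncation (vallen <= len), so the
 * copy length is left unbounded. */
size_t flawed_copy_len(size_t len, size_t vallen)
{
    if (vallen >= len + RHOSTNAME_SZ)
        return RHOSTNAME_SZ - 1;   /* truncation branch: unreachable */
    return len - vallen;           /* may exceed RHOSTNAME_SZ */
}

/* Corrected check: bound the quantity actually copied, len - vallen,
 * leaving one byte for the terminating NUL. */
size_t fixed_copy_len(size_t len, size_t vallen)
{
    if (len - vallen >= RHOSTNAME_SZ)
        return RHOSTNAME_SZ - 1;   /* truncate, room kept for NUL */
    return len - vallen;
}

/* Returns 1 if the given check would let the copy plus its NUL
 * terminator run past the end of rhostname, 0 otherwise. */
int would_overflow(size_t (*copy_len)(size_t, size_t),
                   size_t len, size_t vallen)
{
    return copy_len(len, vallen) + 1 > RHOSTNAME_SZ;
}

int main(void)
{
    /* Constructed geometry: 16-byte value followed by a 1000-byte name. */
    size_t vallen = 16, len = 16 + 1000;
    printf("flawed check allows overflow: %d\n",
           would_overflow(flawed_copy_len, len, vallen));
    printf("fixed  check allows overflow: %d\n",
           would_overflow(fixed_copy_len, len, vallen));
    return 0;
}
```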

Comment 1 Pedro Sampaio 2020-02-07 20:08:18 UTC
Created ppp tracking bugs for this issue:

Affects: fedora-all [bug 1800734]

Comment 5 Huzaifa S. Sidhpurwala 2020-02-24 07:09:10 UTC
Statement:

The ppp packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only.

Comment 8 Jaroslav Škarvada 2020-02-25 10:44:26 UTC
What's the impact to set in the errata field?

Comment 9 Jaroslav Škarvada 2020-02-25 14:57:10 UTC
(In reply to Jaroslav Škarvada from comment #8)
> What's the impact to set in the errata field?

I got the information from one of the cloned bugzillas: Important.

Comment 11 errata-xmlrpc 2020-02-27 15:21:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0630 https://access.redhat.com/errata/RHSA-2020:0630

Comment 12 errata-xmlrpc 2020-02-27 15:26:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0634 https://access.redhat.com/errata/RHSA-2020:0634

Comment 13 errata-xmlrpc 2020-02-27 15:40:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0633 https://access.redhat.com/errata/RHSA-2020:0633

Comment 14 errata-xmlrpc 2020-02-27 15:42:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0631 https://access.redhat.com/errata/RHSA-2020:0631

Comment 15 Product Security DevOps Team 2020-02-27 15:49:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8597

Comment 16 Huzaifa S. Sidhpurwala 2020-03-03 03:42:44 UTC
Mitigation:

Red Hat is working on providing updated packages which patch this flaw. This flaw can only be mitigated by updating to these package versions. The "Stack Smashing Protection" may help mitigate code execution attacks for this flaw and limit its impact to crash only.