1896498 – (CVE-2015-8012) CVE-2015-8012 lldpd: malformed packet leads to assertion failure and daemon crash

Bug 1896498 (CVE-2015-8012) - CVE-2015-8012 lldpd: malformed packet leads to assertion failure and daemon crash

Summary: CVE-2015-8012 lldpd: malformed packet leads to assertion failure and daemon c...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-8012
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1892460
TreeView+	depends on / blocked

Reported:	2020-11-10 17:57 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-06-07 15:49 UTC (History)
CC List:	37 users (show)
Fixed In Version:	lldpd 0.8.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the lldpd package that allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2020-12-14 18:47:23 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-11-10 17:57:19 UTC

lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.

References:
http://www.openwall.com/lists/oss-security/2015/10/18/2
http://www.openwall.com/lists/oss-security/2015/10/30/2

Upstream patches:
https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
https://github.com/vincentbernat/lldpd/commit/9221b5c249f9e4843f77c7f888d5705348d179c0

Comment 1 Todd Cullum 2020-11-11 20:16:23 UTC

Statement:

The lldpd package as shipped with Red Hat Enterprise Linux 8 is not affected by this flaw because it has already received the patch. The flaw affects versions before 0.8.0 and the shipped version is 1.0.1+

Comment 2 Anten Skrabec 2020-11-11 20:32:14 UTC

All versions of openvswitch shipped by Red Hat are not affected by this flaw as the vulnerable code in lldpd is not used by openvswitch.

Comment 6 Anten Skrabec 2020-12-02 20:11:24 UTC

External References:

http://www.openwall.com/lists/oss-security/2015/10/18/2
http://www.openwall.com/lists/oss-security/2015/10/30/2

Comment 7 Product Security DevOps Team 2020-12-14 18:47:23 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-8012

Note You need to log in before you can comment on or make changes to this bug.

aconole
apevec
bmontgom
chrisw
ctrautma
dbecker
dblechte
dfediuck
eedri
eparis
fleitner
james.hogarth
jburrell
jhsiao
jjoyce
jokerman
jschluet
lhh
lpeer
mburman
mburns
mgoldboi
michal.skrivanek
nstielau
ovs-team
ralongi
rhos-maint
rkhan
sbonazzo
sclewis
sherold
slinaber
sponnaga
srevivo
tgraf
tredaelli
yturgema