Re: [Buildroot] CVE-2018-11574 version range fix

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: nvd@nist.gov
Cc: "buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: Re: [Buildroot] CVE-2018-11574 version range fix
Date: Fri, 8 Sep 2023 22:59:38 +0200	[thread overview]
Message-ID: <20230908225938.249f3ff6@windsurf> (raw)
In-Reply-To: <20230903000100.0c1b187b@windsurf>

Hello,

Gentle ping on the below bug report. Thanks!

Thomas Petazzoni

On Sun, 3 Sep 2023 00:01:00 +0200
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Hello,
> 
> CVE-2018-11574 is marked in the NVD database as affecting all pppd
> versions, as it has as its only "Configuration" the following CPE
> identifier match:
> 
>   cpe:2.3:a:point-to-point_protocol_project:point-to-point_protocol:-:*:*:*:*:*:*:*
> 
> However, it turns out that the upstream pppd was *never* affected by
> CVE-2018-11574. Let me walk through the story.
> 
> CVE-2018-11574 affects the EAP-TLS implementation in pppd. However,
> EAP-TLS was not supported in upstream pppd before its 2.4.9 release,
> thanks to commit
> https://github.com/ppp-project/ppp/commit/e87fe1bbd37a1486c5223f110e9ce3ef75971f93.
> 
> Before that EAP-TLS support for pppd was provided as an out-of-tree
> patch, provided by a third party developer at
> https://jjkeijser.github.io/ppp/download.html. It is this patch that
> was affected by CVE-2018-11574. As can be seen at
> https://jjkeijser.github.io/ppp/download.html, all versions of the
> patch prior to version 1.101 are affected, as 1.101 was precisely
> released to fix CVE-2018-11574.
> 
> So: before pppd 2.4.9, the only way to be affected by CVE-2018-11574
> was by having applied a third-party patch. I am not sure how to reflect
> this correctly in the CVE-2018-11574 information in the NVD database.
> To me, if one applies random patches to a code base, for sure those
> patches can introduce additional security vulnerabilities, so it
> doesn't make sense that CVE-2018-11574 is reported against pppd
> upstream.
> 
> In addition, in the EAP-TLS code that was added in pppd 2.4.9, the
> issue of CVE-2018-11574 is already fixed. Indeed, we did a diff between
> the out-of-tree EAP-TLS patch in version 0.999 (affected) and 1.101
> (not affected), which gives the attached file. And those fixes are
> indeed present in commit
> https://github.com/ppp-project/ppp/commit/e87fe1bbd37a1486c5223f110e9ce3ef75971f93,
> which introduced EAP-TLS support in upstream pppd.
> 
> Therefore: upstream pppd was never affected by this issue. Prior to
> pppd 2.4.9, there was no EAP-TLS support, and starting from 2.4.9, the
> EAP-TLS is correct with regard to CVE-2018-11574.
> 
> At the very least, I would suggest to change the CVE-2018-11574
> information to indicate that only versions up to (and excluding) 2.4.9
> are affected. Do you think this would be possible ?
> 
> Best regards,
> 
> Thomas

-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot