[Buildroot] CVE-2018-11574 version range fix
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sat Sep 2 22:01:00 UTC 2023
Hello,
CVE-2018-11574 is marked in the NVD database as affecting all pppd
versions, as it has as its only "Configuration" the following CPE
identifier match:
cpe:2.3:a:point-to-point_protocol_project:point-to-point_protocol:-:*:*:*:*:*:*:*
However, it turns out that the upstream pppd was *never* affected by
CVE-2018-11574. Let me walk through the story.
CVE-2018-11574 affects the EAP-TLS implementation in pppd. However,
EAP-TLS was not supported in upstream pppd before its 2.4.9 release,
thanks to commit
https://github.com/ppp-project/ppp/commit/e87fe1bbd37a1486c5223f110e9ce3ef75971f93.
Before that EAP-TLS support for pppd was provided as an out-of-tree
patch, provided by a third party developer at
https://jjkeijser.github.io/ppp/download.html. It is this patch that
was affected by CVE-2018-11574. As can be seen at
https://jjkeijser.github.io/ppp/download.html, all versions of the
patch prior to version 1.101 are affected, as 1.101 was precisely
released to fix CVE-2018-11574.
So: before pppd 2.4.9, the only way to be affected by CVE-2018-11574
was by having applied a third-party patch. I am not sure how to reflect
this correctly in the CVE-2018-11574 information in the NVD database.
To me, if one applies random patches to a code base, for sure those
patches can introduce additional security vulnerabilities, so it
doesn't make sense that CVE-2018-11574 is reported against pppd
upstream.
In addition, in the EAP-TLS code that was added in pppd 2.4.9, the
issue of CVE-2018-11574 is already fixed. Indeed, we did a diff between
the out-of-tree EAP-TLS patch in version 0.999 (affected) and 1.101
(not affected), which gives the attached file. And those fixes are
indeed present in commit
https://github.com/ppp-project/ppp/commit/e87fe1bbd37a1486c5223f110e9ce3ef75971f93,
which introduced EAP-TLS support in upstream pppd.
Therefore: upstream pppd was never affected by this issue. Prior to
pppd 2.4.9, there was no EAP-TLS support, and starting from 2.4.9, the
EAP-TLS is correct with regard to CVE-2018-11574.
At the very least, I would suggest to change the CVE-2018-11574
information to indicate that only versions up to (and excluding) 2.4.9
are affected. Do you think this would be possible ?
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pppd-eap-tls-CVE-2018-11574-fix.patch
Type: text/x-patch
Size: 6189 bytes
Desc: not available
URL: <http://lists.buildroot.org/pipermail/buildroot/attachments/20230903/252760f9/attachment.bin>
More information about the buildroot
mailing list