[Buildroot] CVE-2018-11574 version range fix

Thomas Petazzoni thomas.petazzoni at bootlin.com
Fri Sep 8 20:59:38 UTC 2023 

Hello,

Gentle ping on the below bug report. Thanks!

Thomas Petazzoni

On Sun, 3 Sep 2023 00:01:00 +0200
Thomas Petazzoni <thomas.petazzoni at bootlin.com> wrote:

> Hello,
> 
> CVE-2018-11574 is marked in the NVD database as affecting all pppd
> versions, as it has as its only "Configuration" the following CPE
> identifier match:
> 
>   cpe:2.3:a:point-to-point_protocol_project:point-to-point_protocol:-:*:*:*:*:*:*:*
> 
> However, it turns out that the upstream pppd was *never* affected by
> CVE-2018-11574. Let me walk through the story.
> 
> CVE-2018-11574 affects the EAP-TLS implementation in pppd. However,
> EAP-TLS was not supported in upstream pppd before its 2.4.9 release,
> thanks to commit
> https://github.com/ppp-project/ppp/commit/e87fe1bbd37a1486c5223f110e9ce3ef75971f93.
> 
> Before that EAP-TLS support for pppd was provided as an out-of-tree
> patch, provided by a third party developer at
> https://jjkeijser.github.io/ppp/download.html. It is this patch that
> was affected by CVE-2018-11574. As can be seen at
> https://jjkeijser.github.io/ppp/download.html, all versions of the
> patch prior to version 1.101 are affected, as 1.101 was precisely
> released to fix CVE-2018-11574.
> 
> So: before pppd 2.4.9, the only way to be affected by CVE-2018-11574
> was by having applied a third-party patch. I am not sure how to reflect
> this correctly in the CVE-2018-11574 information in the NVD database.
> To me, if one applies random patches to a code base, for sure those
> patches can introduce additional security vulnerabilities, so it
> doesn't make sense that CVE-2018-11574 is reported against pppd
> upstream.
> 
> In addition, in the EAP-TLS code that was added in pppd 2.4.9, the
> issue of CVE-2018-11574 is already fixed. Indeed, we did a diff between
> the out-of-tree EAP-TLS patch in version 0.999 (affected) and 1.101
> (not affected), which gives the attached file. And those fixes are
> indeed present in commit
> https://github.com/ppp-project/ppp/commit/e87fe1bbd37a1486c5223f110e9ce3ef75971f93,
> which introduced EAP-TLS support in upstream pppd.
> 
> Therefore: upstream pppd was never affected by this issue. Prior to
> pppd 2.4.9, there was no EAP-TLS support, and starting from 2.4.9, the
> EAP-TLS is correct with regard to CVE-2018-11574.
> 
> At the very least, I would suggest to change the CVE-2018-11574
> information to indicate that only versions up to (and excluding) 2.4.9
> are affected. Do you think this would be possible ?
> 
> Best regards,
> 
> Thomas



-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

More information about the buildroot mailing list