
Debian Bug report logs - #905901
lldpad: CVE-2018-10932: improper sanitization of shell-escape codes


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 11 Aug 2018 12:06:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version lldpad/1.0.1+git20150824.036e314-4

Fixed in version lldpad/1.0.1+git20180808.4e642bd-1

Done: Valentin Vidic <Valentin.Vidic@CARNet.hr>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/intel/openlldp/pull/7



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FCoE Maintainers <pkg-fcoe-general@lists.alioth.debian.org>:
Bug#905901; Package src:lldpad. (Sat, 11 Aug 2018 12:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FCoE Maintainers <pkg-fcoe-general@lists.alioth.debian.org>. (Sat, 11 Aug 2018 12:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lldpad: CVE-2018-10932: improper sanitization of shell-escape codes
Date: Sat, 11 Aug 2018 14:02:31 +0200
Source: lldpad
Version: 1.0.1+git20150824.036e314-4
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/intel/openlldp/pull/7

Hi,

The following vulnerability was published for lldpad.

CVE-2018-10932[0]:
improper sanitization of shell-escape codes 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10932
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10932

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 16 Aug 2018 17:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian FCoE Maintainers <pkg-fcoe-general@lists.alioth.debian.org>:
Bug#905901; Package src:lldpad. (Fri, 17 Aug 2018 12:33:02 GMT)


Acknowledgement sent to Valentin Vidic <Valentin.Vidic@CARNet.hr>:
Extra info received and forwarded to list. Copy sent to Debian FCoE Maintainers <pkg-fcoe-general@lists.alioth.debian.org>. (Fri, 17 Aug 2018 12:33:02 GMT)


Message #12 received at 905901@bugs.debian.org:

From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 905901@bugs.debian.org
Subject: Re: Bug#905901: lldpad: CVE-2018-10932: improper sanitization of shell-escape codes
Date: Fri, 17 Aug 2018 14:28:32 +0200
On Sat, Aug 11, 2018 at 02:02:31PM +0200, Salvatore Bonaccorso wrote:
> Source: lldpad
> Version: 1.0.1+git20150824.036e314-4
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/intel/openlldp/pull/7
> 
> Hi,
> 
> The following vulnerability was published for lldpad.
> 
> CVE-2018-10932[0]:
> improper sanitization of shell-escape codes 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-10932
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10932
> 
> Please adjust the affected versions in the BTS as needed.

I will package the new upstream version that should have this fixed.

-- 
Valentin



Reply sent to Valentin Vidic <Valentin.Vidic@CARNet.hr>:
You have taken responsibility. (Sat, 18 Aug 2018 07:54:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 Aug 2018 07:54:24 GMT)


Message #17 received at 905901-close@bugs.debian.org:

From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
To: 905901-close@bugs.debian.org
Subject: Bug#905901: fixed in lldpad 1.0.1+git20180808.4e642bd-1
Date: Sat, 18 Aug 2018 06:34:44 +0000
Source: lldpad
Source-Version: 1.0.1+git20180808.4e642bd-1

We believe that the bug you reported is fixed in the latest version of
lldpad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Valentin Vidic <Valentin.Vidic@CARNet.hr> (supplier of updated lldpad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Aug 2018 12:14:54 +0200
Source: lldpad
Binary: lldpad-dev lldpad
Architecture: source
Version: 1.0.1+git20180808.4e642bd-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FCoE Maintainers <team+fcoe@tracker.debian.org>
Changed-By: Valentin Vidic <Valentin.Vidic@CARNet.hr>
Description:
 lldpad     - Link Layer Discovery Protocol Implementation (Runtime)
 lldpad-dev - Link Layer Discovery Protocol Implementation (Development headers
Closes: 905901
Changes:
 lldpad (1.0.1+git20180808.4e642bd-1) unstable; urgency=medium
 .
   * New upstream version 1.0.1+git20180808.4e642bd
     - Fixes CVE-2018-10932: improper sanitization of shell-escape
       codes (Closes: #905901)
   * Refresh patches for new upstream version
   * Add symbols for liblldp_clif.so.1
   * Package test lldpad only
Checksums-Sha1:
 24228b9be60f795a51a068ea21a886eb3d088de7 2318 lldpad_1.0.1+git20180808.4e642bd-1.dsc
 3040a4355a6f22128c8884b8b2153dc7fdb51774 432355 lldpad_1.0.1+git20180808.4e642bd.orig.tar.gz
 a12c9701aa5e5ca1ddfc746eee73cabfe5f15b45 9252 lldpad_1.0.1+git20180808.4e642bd-1.debian.tar.xz
 75e223a71690534fb295aec0e4cca5e4b4838923 6478 lldpad_1.0.1+git20180808.4e642bd-1_amd64.buildinfo
Checksums-Sha256:
 ab9788ee1762af86c3d4a88edb94b659f74eaf423c5bf52dae2316ca0e26a7ee 2318 lldpad_1.0.1+git20180808.4e642bd-1.dsc
 e0602229902ec6e4003a762c72a421d5e3caac97f7f62595e8444c14392fbe2d 432355 lldpad_1.0.1+git20180808.4e642bd.orig.tar.gz
 f145dcfc01bdd10aac4055fedd1cf89728c0a97e1b3b69d28c0bd0b1daaa513e 9252 lldpad_1.0.1+git20180808.4e642bd-1.debian.tar.xz
 1d6527f0eb0eddc13891cad13ad306c2c8f7f500220efec883b50638ee82ae6a 6478 lldpad_1.0.1+git20180808.4e642bd-1_amd64.buildinfo
Files:
 e2bb20f33fe1d2c5433466f8d39ee0b7 2318 net optional lldpad_1.0.1+git20180808.4e642bd-1.dsc
 4077821bd429418f65c6c14429f78f90 432355 net optional lldpad_1.0.1+git20180808.4e642bd.orig.tar.gz
 ff580e8252af5d7805ffe70a566ba5da 9252 net optional lldpad_1.0.1+git20180808.4e642bd-1.debian.tar.xz
 92cdc453196f63772fb08567de8dc6f1 6478 net optional lldpad_1.0.1+git20180808.4e642bd-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Sep 2018 07:26:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:10:29 2019; Machine Name: buxtehude
