CVE-2018-10932

Name: CVE-2018-10932
Description: lldptool version 1.0.1 and older can print a raw, unsanitized, attacker-controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low (attack range: remote)
Debian Bugs: 905901

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| lldpad (PTS) | stretch | 0.9.46-3.1 | vulnerable |
| lldpad (PTS) | buster, sid | 1.0.1+git20180808.4e642bd-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| lldpad | source | (unstable) | 1.0.1+git20180808.4e642bd-1 | unimportant | | 905901 |

Notes

https://github.com/intel/openlldp/pull/7
https://github.com/intel/openlldp/commit/41feb359a9d0082b0bcf68b1f2b37227f02af4f1
Terminal emulators need to perform proper escaping
