ASA-202101-29: lldpd: information disclosure
Arch Linux Security Advisory ASA-202101-29
=========================================
Severity: Medium
Date : 2021-01-20
CVE-ID : CVE-2020-27827
Package : lldpd
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-1451
Summary
======
The package lldpd before version 1.0.8-1 is vulnerable to information
disclosure.
Resolution
=========
Upgrade to 1.0.8-1.
# pacman -Syu "lldpd>=1.0.8-1"
The problem has been fixed upstream in version 1.0.8.
Workaround
=========
None.
Description
==========
A security issue was found in lldpd before version 1.0.8. A packet that
contains multiple instances of certain TLVs will cause lldpd to
continually allocate memory and leak the old memory. As an example,
multiple instances of system name TLV will cause old values to be
dropped by the decoding routine.
Impact
=====
A remote attack can leak information through crafted packets.
References
=========
https://github.com/lldpd/lldpd/blob/master/NEWS
https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
https://github.com/openvswitch/ovs/pull/337
https://github.com/openvswitch/ovs/commit/f915f32f5667e3b9d460055d8b47fa5d204ce83a
https://security.archlinux.org/CVE-2020-27827
A lldpd security update has been released for Arch Linux.