hi,
sorry for the link in german:
https://blog.fefe.de/?ts=a0b08d9a
It seems that there is an RCE in server and client code:
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
"So it affects the server and client. Both eap_request() and eap_response() are vulnerable (and have the exact same bug). Further more, there is no check to see if you’ve actually configured eap and are using eap prior to hitting the parser. So even if it’s not configured, you’re still vulnerable. Oh, and it’s pre-auth."
There is no ppp release with this fix. It is only in current git. I also have not seen any CVE.