Debian Bug report logs -
#1018057
tcpreplay: CVE-2022-25484 CVE-2022-27939 CVE-2022-27940 CVE-2022-27941 CVE-2022-27942 CVE-2022-28487 CVE-2022-37047 CVE-2022-37048 CVE-2022-37049
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
:
Bug#1018057
; Package src:tcpreplay
.
(Wed, 24 Aug 2022 20:03:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
.
(Wed, 24 Aug 2022 20:03:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: tcpreplay
Version: 4.4.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for tcpreplay.
CVE-2022-25484[0]:
| tcpprep v4.4.1 has a reachable assertion (assert(l2len > 0)) in
| packet2tree() at tree.c in tcpprep v4.4.1.
CVE-2022-27939[1]:
| tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in
| get_layer4_v6 in common/get.c.
CVE-2022-27940[2]:
| tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in
| get_ipv6_next in common/get.c.
CVE-2022-27941[3]:
| tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in
| get_l2len_protocol in common/get.c.
CVE-2022-27942[4]:
| tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in
| parse_mpls in common/get.c.
CVE-2022-28487[5]:
| Tcpreplay version 4.4.1 contains a memory leakage flaw in
| fix_ipv6_checksums() function. The highest threat from this
| vulnerability is to data confidentiality.
CVE-2022-37047[6]:
| The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain
| a heap-based buffer overflow in get_ipv6_next at common/get.c:713.
| NOTE: this is different from CVE-2022-27940.
CVE-2022-37048[7]:
| The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain
| a heap-based buffer overflow in get_l2len_protocol at
| common/get.c:344. NOTE: this is different from CVE-2022-27941.
CVE-2022-37049[8]:
| The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a
| heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE:
| this is different from CVE-2022-27942.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25484
[1] https://security-tracker.debian.org/tracker/CVE-2022-27939
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27939
[2] https://security-tracker.debian.org/tracker/CVE-2022-27940
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27940
[3] https://security-tracker.debian.org/tracker/CVE-2022-27941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27941
[4] https://security-tracker.debian.org/tracker/CVE-2022-27942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27942
[5] https://security-tracker.debian.org/tracker/CVE-2022-28487
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28487
[6] https://security-tracker.debian.org/tracker/CVE-2022-37047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37047
[7] https://security-tracker.debian.org/tracker/CVE-2022-37048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37048
[8] https://security-tracker.debian.org/tracker/CVE-2022-37049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37049
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Aug 25 13:19:23 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.