tcpreplay: CVE-2018-17580

Debian Bug report logs - #910596

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 8 Oct 2018 14:45:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions tcpreplay/4.2.6-1, tcpreplay/3.4.4-3

Fixed in version tcpreplay/4.3.1-1

Done: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/appneta/tcpreplay/issues/485



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug#910596; Package src:tcpreplay. (Mon, 08 Oct 2018 14:45:08 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>. (Mon, 08 Oct 2018 14:45:08 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tcpreplay: CVE-2018-17580
Date: Mon, 08 Oct 2018 16:40:28 +0200
Source: tcpreplay
Version: 4.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/appneta/tcpreplay/issues/485

Hi,

The following vulnerability was published for tcpreplay.

CVE-2018-17580[0]:
| A heap-based buffer over-read exists in the function fast_edit_packet()
| in the file send_packets.c of Tcpreplay v4.3.0 beta1. This can lead to
| Denial of Service (DoS) and potentially Information Exposure when the
| application attempts to process a crafted pcap file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17580
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17580

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions tcpreplay/3.4.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 18:54:04 GMT).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 22 Oct 2018 20:03:20 GMT).


Added tag(s) pending. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Fri, 02 Nov 2018 21:33:04 GMT).


Reply sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
You have taken responsibility. (Tue, 12 Feb 2019 08:57:11 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Feb 2019 08:57:11 GMT).


Message #16 received at 910596-close@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: 910596-close@bugs.debian.org
Subject: Bug#910596: fixed in tcpreplay 4.3.1-1
Date: Tue, 12 Feb 2019 08:56:28 +0000
Source: tcpreplay
Source-Version: 4.3.1-1

We believe that the bug you reported is fixed in the latest version of
tcpreplay, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated tcpreplay package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Feb 2019 08:15:45 +0100
Source: tcpreplay
Architecture: source
Version: 4.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Closes: 902952 910596 910597 910598 911454 911493 917574
Changes:
 tcpreplay (4.3.1-1) unstable; urgency=medium
 .
   * New upstream version 4.3.1
     Closes: #917574 [CVE-2018-20552 CVE-2018-20553]
     Closes: #902952 [CVE-2018-13112]
     Closes: #910596 [CVE-2018-17580]
     Closes: #910597 [CVE-2018-17582]
     Closes: #910598 [CVE-2018-17974]
     Closes: #911454 [CVE-2018-18407]
     Closes: #911493 [CVE-2018-18408]

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Mar 2019 07:31:56 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:08 2019; Machine Name: buxtehude
