Debian Bug report logs -
#973877
tcpdump: CVE-2020-8037
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 6 Nov 2020 12:48:01 UTC
Severity: important
Tags: security, upstream
Found in versions tcpdump/4.9.3-1~deb10u1, tcpdump/4.9.3-6
Fixed in version tcpdump/4.9.3-7
Done: Romain Francoise <rfrancoise@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#973877; Package src:tcpdump.
(Fri, 06 Nov 2020 12:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Romain Francoise <rfrancoise@debian.org>.
(Fri, 06 Nov 2020 12:48:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: tcpdump
Version: 4.9.3-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 4.9.3-1~deb10u1
Hi,
The following vulnerability was published for tcpdump.
CVE-2020-8037[0]:
| The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a
| large amount of memory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-8037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8037
[1] https://github.com/the-tcpdump-group/tcpdump/commit/32027e199368dad9508965aae8cd8de5b6ab5231
Regards,
Salvatore
Marked as found in versions tcpdump/4.9.3-1~deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 06 Nov 2020 12:48:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#973877; Package src:tcpdump.
(Fri, 06 Nov 2020 18:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to rfrancoise@debian.org:
Extra info received and forwarded to list. Copy sent to Romain Francoise <rfrancoise@debian.org>.
(Fri, 06 Nov 2020 18:03:02 GMT) (full text, mbox, link).
Message #12 received at 973877@bugs.debian.org (full text, mbox, reply):
Hi,
On Fri, Nov 6, 2020 at 1:48 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> The following vulnerability was published for tcpdump.
>
> CVE-2020-8037[0]:
> | The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a
> | large amount of memory.
Thanks for the bug report. I am aware of this CVE and working on a new
upload to unstable.
Is this no-dsa?
Information forwarded
to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#973877; Package src:tcpdump.
(Fri, 06 Nov 2020 20:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Romain Francoise <rfrancoise@debian.org>.
(Fri, 06 Nov 2020 20:09:02 GMT) (full text, mbox, link).
Message #17 received at 973877@bugs.debian.org (full text, mbox, reply):
Hi Romain,
On Fri, Nov 06, 2020 at 07:01:46PM +0100, Romain Francoise wrote:
> Hi,
>
> On Fri, Nov 6, 2020 at 1:48 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > The following vulnerability was published for tcpdump.
> >
> > CVE-2020-8037[0]:
> > | The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a
> > | large amount of memory.
>
> Thanks for the bug report. I am aware of this CVE and working on a new
> upload to unstable.
> Is this no-dsa?
Yes it does not warrant a DSA, but if you are at it and have capacity
for it, please do include a fix for it in the upcoming point release
(cf. https://lists.debian.org/debian-live/2020/11/msg00000.html).
Regards,
Salvatore
Reply sent
to Romain Francoise <rfrancoise@debian.org>:
You have taken responsibility.
(Sat, 07 Nov 2020 12:54:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 07 Nov 2020 12:54:07 GMT) (full text, mbox, link).
Message #22 received at 973877-close@bugs.debian.org (full text, mbox, reply):
Source: tcpdump
Source-Version: 4.9.3-7
Done: Romain Francoise <rfrancoise@debian.org>
We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 973877@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Francoise <rfrancoise@debian.org> (supplier of updated tcpdump package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Nov 2020 13:19:14 +0100
Source: tcpdump
Architecture: source
Version: 4.9.3-7
Distribution: unstable
Urgency: high
Maintainer: Romain Francoise <rfrancoise@debian.org>
Changed-By: Romain Francoise <rfrancoise@debian.org>
Closes: 973877
Changes:
tcpdump (4.9.3-7) unstable; urgency=high
.
* Cherry-pick commit 32027e1993 from the upstream tcpdump-4.9 branch to fix
untrusted input issue in the PPP printer (CVE-2020-8037, closes: #973877).
Checksums-Sha1:
c3cf01029d58bf51e265fecaa0ebcf3fb092d01c 2139 tcpdump_4.9.3-7.dsc
47a7e2644fd3e73378f74c22d696300f1e4b7482 18280 tcpdump_4.9.3-7.debian.tar.xz
790badbe327ff38e54a161b2e65d662434b83579 5959 tcpdump_4.9.3-7_source.buildinfo
Checksums-Sha256:
f650c269feba8d5b99d96f3236804452f70d504ac3aaa47ff88f9d730fb4216e 2139 tcpdump_4.9.3-7.dsc
763bc5852e97aa2ac5040623b1db2807f4de6f713bed0a4bbb35ca91f48eca60 18280 tcpdump_4.9.3-7.debian.tar.xz
210814d8d98994edde05e84cca8d2150f3a389e76748ee7895439c140dba8103 5959 tcpdump_4.9.3-7_source.buildinfo
Files:
bcaf7bb8dd460efd259a49da928aa01f 2139 net optional tcpdump_4.9.3-7.dsc
ad77f41ded3758f6494b439050d540b7 18280 net optional tcpdump_4.9.3-7.debian.tar.xz
250eb30bc8aa96d02308a35e1cf5bf00 5959 net optional tcpdump_4.9.3-7_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvjSXQsqYfs1+d+QtrRX0NfBfli0FAl+mkcYACgkQrRX0NfBf
li07tg/+Isi86VjkPPwMzn8hn8darkcG0rQzB/QDFUV2BDIERZeWULiMoNh9LoVM
dMKdHU5XqUGRMYoWYWGyPRx+YpbBDDaK7tcocafpDYtzd7GayEtnQArnxR/61PAv
JDms2PY17yCrVXNyt354duDt3ug3quIS92tBrXBU4RywRkuLFVaJYEiQaEnpF3oP
BAXJLwtSbMjIG3wImmxKpZIkDlPf4xW2kJ84HGZ1xmDrYui0rKu9doQe8ZuTFUSD
MmVGUQ7fDM8m/8lB8tQy2Ad9Ts1rIGDDoB2JSlwkRPqZIWtAIKDFBU1HGNlyXMEI
RPDjKP2ZLmM7X/IfkLdrJRpi0v+IqdiNTuF96VQyrjEcOWE7Ygv/MHGFf4OVpC4q
HJma9m+pjQ3lq3e65dM4yTDZO+VjWIrLAqjxokq1snptu1rESAfo34a+HYwv5a0d
lZZ6tl0lc7UD17F+WanPerT2a+rg+TkEXdan5XdP08XVCtdvwgmjPXopbe2TME35
9doz0UhjeSIOh0uASIABYPGNBA6LAk/vEdw2jMrLPRi3Wy4fxdQfp6sXnudy+2Hd
uWFztoI5MAp0Wcmc5eDNNcSv4kHrBLyflQhfTM8DlYNVysUDr7Y/O6d10OrcrZc5
NofjF65dD4EV3uBLBP9qHjaD8kJfu8FMBohrKWiLdwaZZigBGyk=
=GzvM
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 16 10:38:17 2020;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon