tcpreplay: CVE-2018-18408

Debian Bug report logs - #911493
tcpreplay: CVE-2018-18408

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: tcpreplay: CVE-2018-18408

Date: Sat, 20 Oct 2018 21:47:09 +0200

Source: tcpreplay
Version: 4.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/appneta/tcpreplay/issues/489

Hi,

The following vulnerability was published for tcpreplay.

CVE-2018-18408[0]:
| A use-after-free was discovered in the tcpbridge binary of Tcpreplay
| 4.3.0 beta1. The issue gets triggered in the function post_args() at
| tcpbridge.c, causing a denial of service or possibly unspecified other
| impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18408
[1] https://github.com/appneta/tcpreplay/issues/489

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 911493@bugs.debian.org (full text, mbox, reply):

From: Fredrick Klassen <fklassen@appneta.com>

To: Salvatore Bonaccorso <carnil@debian.org>, 911493@bugs.debian.org

Subject: Re: Bug#911493: tcpreplay: CVE-2018-18408

Date: Sat, 20 Oct 2018 14:42:30 -0700

Salvatore,

I have been creating and testing fixes. I also have updated CHANGELOG a suggested below. Currently my fixes are in Beta.

Can you tell me what "Please adjust the affected versions in the BTS as needed” means? Does that mean that I have to do something other than closing the bug in GitHub?

Thanks, Fred Klassen (Tcpreplay maintainer).

> On Oct 20, 2018, at 12:47 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> 
> Source: tcpreplay
> Version: 4.2.6-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/appneta/tcpreplay/issues/489
> 
> Hi,
> 
> The following vulnerability was published for tcpreplay.
> 
> CVE-2018-18408[0]:
> | A use-after-free was discovered in the tcpbridge binary of Tcpreplay
> | 4.3.0 beta1. The issue gets triggered in the function post_args() at
> | tcpbridge.c, causing a denial of service or possibly unspecified other
> | impact.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-18408
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18408
> [1] https://github.com/appneta/tcpreplay/issues/489
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

Message #15 received at 911493@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Fredrick Klassen <fklassen@appneta.com>

Cc: 911493@bugs.debian.org

Subject: Re: Bug#911493: tcpreplay: CVE-2018-18408

Date: Sun, 21 Oct 2018 08:31:21 +0200

Hi Fredrick,

[Disclaimer, not the Debian maintainer here for tcpreplay, who is
Christoph Biedl, only did report the issues downstream in the bug
tracker].

On Sat, Oct 20, 2018 at 02:42:30PM -0700, Fredrick Klassen wrote:
> Salvatore,
> 
> I have been creating and testing fixes. I also have updated
> CHANGELOG a suggested below. Currently my fixes are in Beta.

Ack, seen those already.

> Can you tell me what "Please adjust the affected versions in the BTS
> as needed” means? Does that mean that I have to do something other
> than closing the bug in GitHub?

No this was not meant for something to be done in the Github
repository, but here in the Debian specific tracking. I checked the
code of tcpreplay in the package version 4.2.6-1, and marked it as
found there (unless I missed something). That sentence is from a used
template, to indicate, please check time permitting as well the
current supported other versions for if the issue affects that suite.
Currently in Debian stretch there is 3.4.4-3, based on the upstream
3.4.4 version with additional patches.

These issues probably do not really warrant a so called DSA (Debian
Security Advisory), but still if affected could be fixed in a next
point release for stretch.

Many thanks for your work, it is great if upstream maintainers/authors
have as well enought time to monitor downstream bugtracker for issues!

Does this answers your question?

Regards,
Salvatore

Message #20 received at 911493@bugs.debian.org (full text, mbox, reply):

From: Fredrick Klassen <fklassen@appneta.com>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 911493@bugs.debian.org

Subject: Re: Bug#911493: tcpreplay: CVE-2018-18408

Date: Sun, 21 Oct 2018 09:57:21 -0700

Thanks. Yes, this addressed my issues.

Every issue identified by your team exists in 3.4.4 code. I took over the maintenance of Tcpreplay starting at 4.0.0, and inherited these issues.

I agree that these issues are not serious. They are mostly brought on by invalid PCAP files, and I have not seen any that send uninitialized memory over the wire.

I plan to get the 4.3 release out in before  Nov 18. In the mean time, I’ll release one or two more betas so that my fixes can soak a little.

Regards, Fred.

> On Oct 20, 2018, at 11:31 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> 
> Hi Fredrick,
> 
> [Disclaimer, not the Debian maintainer here for tcpreplay, who is
> Christoph Biedl, only did report the issues downstream in the bug
> tracker].
> 
> On Sat, Oct 20, 2018 at 02:42:30PM -0700, Fredrick Klassen wrote:
>> Salvatore,
>> 
>> I have been creating and testing fixes. I also have updated
>> CHANGELOG a suggested below. Currently my fixes are in Beta.
> 
> Ack, seen those already.
> 
>> Can you tell me what "Please adjust the affected versions in the BTS
>> as needed” means? Does that mean that I have to do something other
>> than closing the bug in GitHub?
> 
> No this was not meant for something to be done in the Github
> repository, but here in the Debian specific tracking. I checked the
> code of tcpreplay in the package version 4.2.6-1, and marked it as
> found there (unless I missed something). That sentence is from a used
> template, to indicate, please check time permitting as well the
> current supported other versions for if the issue affects that suite.
> Currently in Debian stretch there is 3.4.4-3, based on the upstream
> 3.4.4 version with additional patches.
> 
> These issues probably do not really warrant a so called DSA (Debian
> Security Advisory), but still if affected could be fixed in a next
> point release for stretch.
> 
> Many thanks for your work, it is great if upstream maintainers/authors
> have as well enought time to monitor downstream bugtracker for issues!
> 
> Does this answers your question?
> 
> Regards,
> Salvatore

Message #27 received at 911493@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

To: Salvatore Bonaccorso <carnil@debian.org>, 911493@bugs.debian.org

Cc: Fredrick Klassen <fklassen@appneta.com>

Subject: Re: Bug#911493: tcpreplay: CVE-2018-18408

Date: Mon, 22 Oct 2018 22:07:16 +0200

[Message part 1 (text/plain, inline)]

Salvatore Bonaccorso wrote...

> [Disclaimer, not the Debian maintainer here for tcpreplay, who is
> Christoph Biedl, only did report the issues downstream in the bug
> tracker].

Yeah, I'm here, sorry for not reacting earlier. I'll dive into the things that
have been done so far and will try to resolve them for Debian ASAP.

> Many thanks for your work, it is great if upstream maintainers/authors
> have as well enought time to monitor downstream bugtracker for issues!

Seconded.

    Christoph

[signature.asc (application/pgp-signature, inline)]

Message #36 received at 911493-close@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

To: 911493-close@bugs.debian.org

Subject: Bug#911493: fixed in tcpreplay 4.3.1-1

Date: Tue, 12 Feb 2019 08:56:28 +0000

Source: tcpreplay
Source-Version: 4.3.1-1

We believe that the bug you reported is fixed in the latest version of
tcpreplay, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated tcpreplay package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Feb 2019 08:15:45 +0100
Source: tcpreplay
Architecture: source
Version: 4.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Closes: 902952 910596 910597 910598 911454 911493 917574
Changes:
 tcpreplay (4.3.1-1) unstable; urgency=medium
 .
   * New upstream version 4.3.1
     Closes: #917574 [CVE-2018-20552 CVE-2018-20553]
     Closes: #902952 [CVE-2018-13112]
     Closes: #910596 [CVE-2018-17580]
     Closes: #910597 [CVE-2018-17582]
     Closes: #910598 [CVE-2018-17974]
     Closes: #911454 [CVE-2018-18407]
     Closes: #911493 [CVE-2018-18408]
Checksums-Sha1:
 23fd845a841e7f67053e73b2ec90de706151069c 2010 tcpreplay_4.3.1-1.dsc
 3e326f1e87d58f236e40fdd91343f5dc142be2df 746804 tcpreplay_4.3.1.orig.tar.xz
 2868ccf83e95154cc174bff8b87377e5c6ab302b 516 tcpreplay_4.3.1.orig.tar.xz.asc
 167ed739980fd7060f3b120f9f41b7f492ccd55a 7892 tcpreplay_4.3.1-1.debian.tar.xz
 007d8f85aa16a74ba6f07906cc940b7ed3e3d63e 5720 tcpreplay_4.3.1-1_powerpc.buildinfo
Checksums-Sha256:
 4acb5d8b0aa75adc5e578babe4f0348fc332d0a2f034ebaedc78e9bec15b1647 2010 tcpreplay_4.3.1-1.dsc
 108924a25e616e3465139410c49cae629c338df73443dfc8fc155ea9f099c659 746804 tcpreplay_4.3.1.orig.tar.xz
 22f1e906aec21e301eb01f246ed62848cad85e1498cacf0f20661e29c7d3b0d5 516 tcpreplay_4.3.1.orig.tar.xz.asc
 aaefe7e84a98692447b4c4d6899eb4f2a1261d5ff370e74306ea7753d4578091 7892 tcpreplay_4.3.1-1.debian.tar.xz
 ad7b3cd220e8c17421a1be6efb9e4b21876a8d0b3b0324681151f7217f4aeba1 5720 tcpreplay_4.3.1-1_powerpc.buildinfo
Files:
 be63da7ac7ab0a4562c3efdfb18a723b 2010 net optional tcpreplay_4.3.1-1.dsc
 d0789299b36813051b5d34f9764d0518 746804 net optional tcpreplay_4.3.1.orig.tar.xz
 9ca381b72254104a99a59d2e50d61739 516 net optional tcpreplay_4.3.1.orig.tar.xz.asc
 db6e1456fdd7e47f752c3bfbb5c31fd2 7892 net optional tcpreplay_4.3.1-1.debian.tar.xz
 6a5d46909fae49dddcd9f353772da326 5720 net optional tcpreplay_4.3.1-1_powerpc.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWXMI+726A12MfJXdxCxY61kUkv0FAlxidwwACgkQxCxY61kU
kv1FjBAAup2/7dcxutxB/vemV5UmSPIYHmAxwOIY6Fry8Q1Kh7y0vfmzdvKiEFvr
cA6hETrGC+vmrfUd5LSsqmO6qwSduOs6qEWHC1atEskgxx4WYwW7wrNX112Ho2YV
Ply7c22510Z8eD447ZXZwyI8QlNa+3bs+b09W96atZLpOOr6I4fQvUlCqWbf7FDV
qvA35GVER8dn4z3lLDPXFFXcr8DcaiGrGsqkt5RMXbIOgRmCzJ71rgaRJpZt6KuV
R+GrXQ18kHIT+S6h6z17Qyi4yslbs9PugXxeRBdVmJuOCK8p3g3mQAVt4CFamb/4
g7szUS2YY5W1LBq+rpzGU1VbdlBpSE/ura/VxlmGUf9nZPRvaMMdK8VuR9qmc/Pn
4eRk6i7D+3LeVF5aX6kLCYJFCTVutojZu0wOVGU4EdGWz68AB08tNOB4dfQdPs7E
i+bW269QMemHY7VHC8aalkrn2CDLRQd+3/MgeoeptqYCqhkAPLFknNGwNJ/NahTC
s1qKZ+PffDZSqQ6wRKK1mc4iP1IC3ESRkUw1I2Yys2+Gt2O9qXGokbnO1iEi097V
TqhHCNtIu+BWL5k0vLUS0z1AGobdZtMAqri91k3B+kGNTWU1Po8ravm30f5up11m
MDKzH2iF9jO36zkj2iTRBvFp8jMIOUpO5wXRs2recRDVZpSFq+o=
=Qzh8
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.