tcpick: Remote DoS [CVE-2006-0048]

Related Vulnerabilities: CVE-2006-0048  

Debian Bug report logs - #360571

Reported by: Martin Pitt <mpitt@debian.org>

Date: Mon, 3 Apr 2006 10:48:05 UTC

Severity: grave

Tags: security

Found in version tcpick/0.2.1-2

Fixed in version tcpick/0.2.1-3

Done: Cédric Delfosse <cedric@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Cédric Delfosse <cedric@debian.org>:
Bug#360571; Package tcpick.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Cédric Delfosse <cedric@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: tcpick: Remote DoS [CVE-2006-0048]
Date: Mon, 3 Apr 2006 12:45:27 +0200
Package: tcpick
Version: 0.2.1-2
Severity: grave
Tags: security

Hi,

Andrea Barisan recently found a remote crash in tcpick. I'm not sure
whether it can be exploited to execute arbitrary code; I didn't
investigate it closely. Details are here:

  http://sourceforge.net/mailarchive/forum.php?thread_id=9989610&forum_id=37151

This has been assigned CVE-2006-0048. Please mention this number in
the changelog to ease tracking.

Thank you,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org, Cédric Delfosse <cedric@debian.org>:
Bug#360571; Package tcpick.


Acknowledgement sent to Cedric Delfosse <cedric@debian.org>:
Extra info received and forwarded to list. Copy sent to Cédric Delfosse <cedric@debian.org>.


Message #10 received at 360571@bugs.debian.org:

From: Cedric Delfosse <cedric@debian.org>
To: tcpick-project@lists.sourceforge.net
Cc: 360571@bugs.debian.org
Subject: A quick fix for CVE-2006-0048
Date: Mon, 03 Apr 2006 21:43:40 +0200
Hi,

here is a very quick fix so that at least tcpick does not segfault.

tcpick will abort like this with this patch:

# tcpick -r /tmp/tcpick_test.pcap -a -Y -yP -n "not port 22"
tcpick: invalid option -- Y
Starting tcpick 0.2.1 at 2006-04-03 21:16 CEST
Timeout for connections is 600
tcpick: reading from /tmp/tcpick_test.pcap
setting filter: "not port 22"
1      SYN-SENT       10.1.7.1:1025 > 10.1.7.3:443
seqprobe
.8...........1.7.1.10.in-addr.arpa.....
SUICIDE: [got_packet] payload lenght calculated with iplen and hdr->len
differs by -10 bytes
hdr->len = 64
datalink_size  = 14
IP_SIZE  = 20
iplen    = 40
tcp_size = 20
iplen - IP_SIZE - tcp_size = 0
(hdr->len - (int)( payload - packet ) = 10


3 packets captured
1 tcp sessions detected


Regards,

-- 
Cédric Delfosse, http://cdelfosse.free.fr
Get a free backup server: http://lrs.linbox.org !
[tcpick.patch (text/x-patch, attachment)]

Reply sent to Cédric Delfosse <cedric@debian.org>:
You have taken responsibility.


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.


Message #15 received at 360571-close@bugs.debian.org:

From: Cédric Delfosse <cedric@debian.org>
To: 360571-close@bugs.debian.org
Subject: Bug#360571: fixed in tcpick 0.2.1-3
Date: Thu, 20 Apr 2006 14:32:36 -0700
Source: tcpick
Source-Version: 0.2.1-3

We believe that the bug you reported is fixed in the latest version of
tcpick, which is due to be installed in the Debian FTP archive:

tcpick_0.2.1-3.diff.gz
  to pool/main/t/tcpick/tcpick_0.2.1-3.diff.gz
tcpick_0.2.1-3.dsc
  to pool/main/t/tcpick/tcpick_0.2.1-3.dsc
tcpick_0.2.1-3_i386.deb
  to pool/main/t/tcpick/tcpick_0.2.1-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 360571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Delfosse <cedric@debian.org> (supplier of updated tcpick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 14 Apr 2006 20:59:07 +0200
Source: tcpick
Binary: tcpick
Architecture: source i386
Version: 0.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Cédric Delfosse <cedric@debian.org>
Changed-By: Cédric Delfosse <cedric@debian.org>
Description: 
 tcpick     - TCP stream sniffer and connection tracker
Closes: 360571
Changes: 
 tcpick (0.2.1-3) unstable; urgency=high
 .
   * src/write.c: temporary patch to fix CVE-2006-0048 (Closes: Bug#360571)
     As upstream is not responsive, I have written this one-line patch.
     With the option -yP, tcpick shows data contained in the captured packets.
     For some packets, tcpick computes a negative buffer length, which is used
     in a while (buffer length) {} loop to display the packet content. When the
     buffer length is negative, the loop never ends, and tcpick segfaults after
     a while.
     This patch tests if the computed buffer length is negative before using
     it, and sets it to 0 in this case.
Files: 
 0f68563f61fbc42b344a9bb2a4455c33 593 net optional tcpick_0.2.1-3.dsc
 5008447b0492f666df27669f89d9b382 4895 net optional tcpick_0.2.1-3.diff.gz
 6f1421ca851027121ec974e44b792219 36056 net optional tcpick_0.2.1-3_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:56:08 GMT)
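
Added example (not tcpick's source and not the Debian patch itself): a C model of the failure described in the 0.2.1-3 changelog, where a payload length derived from header fields goes negative and drives a while (len) display loop. The function names, the decrementing loop body, the iteration budget and the iplen = 30 packet are assumptions constructed for illustration; the other sizes are the ones shown in the tcpick output quoted in message #10.

```c
#include <stdio.h>

/* Payload length derived only from header fields. iplen comes from the
 * packet itself, so the result can be negative for a malformed packet. */
int payload_len_from_headers(int iplen, int ip_size, int tcp_size) {
    return iplen - ip_size - tcp_size;
}

/* The mitigation the changelog describes: a negative length becomes 0. */
int clamp_negative(int len) {
    return len < 0 ? 0 : len;
}

/* Stricter variant (an assumption, not the Debian patch): also cap the
 * length at the bytes actually captured after the headers. */
int bounded_payload_len(int iplen, int ip_size, int tcp_size,
                        int caplen, int datalink_size) {
    int claimed = iplen - ip_size - tcp_size;
    int avail = caplen - datalink_size - ip_size - tcp_size;
    if (claimed < 0 || avail < 0)
        return 0;
    return claimed < avail ? claimed : avail;
}

/* Loop of the assumed shape "while (len) { show one byte; len--; }". The
 * budget exists only so this model terminates: -1 means the loop did not
 * reach zero on its own, which in a real reader means leaving the buffer. */
long display_loop_steps(int len, long budget) {
    long steps = 0;
    while (len) {
        if (steps == budget)
            return -1;
        len--;
        steps++;
    }
    return steps;
}

int main(void) {
    int bad = payload_len_from_headers(30, 20, 20); /* constructed packet */
    printf("raw length %d -> steps %ld\n", bad, display_loop_steps(bad, 1000));
    printf("clamped    %d -> steps %ld\n", clamp_negative(bad),
           display_loop_steps(clamp_negative(bad), 1000));
    printf("page values -> %d\n", bounded_payload_len(40, 20, 20, 64, 14));
    return 0;
}
```

Clamping to 0 stops the runaway loop; the bounded variant additionally covers a length that is positive but larger than what was captured.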



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:33:15 2019; Machine Name: buxtehude
