tcprewrite: CVE-2016-6160: segfault upon huge frames, missing size check

Related Vulnerabilities: CVE-2016-6160  

Debian Bug report logs - #829350

Reported by: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

Date: Sat, 2 Jul 2016 17:09:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions tcpreplay/3.4.4-2, tcpreplay/3.4.3-2

Fixed in versions tcpreplay/3.4.4-3, tcpreplay/3.4.4-2+deb8u1

Done: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#829350; Package tcpreplay. (Sat, 02 Jul 2016 17:09:05 GMT)


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
New Bug report received and forwarded. Copy sent to Noël Köthe <noel@debian.org>. (Sat, 02 Jul 2016 17:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tcprewrite: segfault upon huge frames, missing size check
Date: Sat, 2 Jul 2016 19:04:26 +0200
[Message part 1 (text/plain, inline)]
Package: tcpreplay
Version: 3.4.4-2
Severity: important
Tags: patch

Dear Maintainer,

as previously discussed in other places: The tcprewrite program
(src:tcpreplay) has a compile-time limit of the maximum frame size of
65535 it can handle. However, incoming frames are not checked against
that limit, and such frames do happen in the wild when capturing on the
With an MTU size of 65536 on the capturing host - default since kernel
3.6-ish and Debian jessie -, and an Ethernet header added, a frame size
of 65549 exceeds that limit, sometimes resulting in a segmentation
fault. Reproducer available upon request.

As far as I can see this still exists in the not-yet packaged
tcpreplay-4.1.1.

The patch attached raises the limit and also adds a size check.
Additionally, I've prepared debdiffs for wheezy and jessie to address
this in a point release.

If you want more about that package, you know where to find me.

    Christoph

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.13 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

[enforce-maxpacket.patch (text/x-diff, attachment)]
[tcpreplay_3.4.3-2+wheezy2.debdiff (text/plain, attachment)]
[tcpreplay_3.4.4-2+deb8u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
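The missing check the report describes, as an added C example that is not tcpreplay's own code and not the attached patch: MAXPACKET mirrors the compile-time limit named in the report, ETHER_HDR_LEN is the 14-octet Ethernet header, and frame_copy_checked(), frame_fits() and copy_demo() are hypothetical helpers with constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPACKET       65535U   /* compile-time frame-size limit named in the report */
#define ETHER_HDR_LEN   14       /* Ethernet header prepended to the captured MTU */
#define DEMO_MAX_CAPLEN (65536U + ETHER_HDR_LEN)   /* largest constructed frame */

/* Fixed-size frame buffer of the kind the report describes. The unchecked
 * pattern is simply  memcpy(buf->data, pkt, caplen);  which overruns
 * buf->data as soon as caplen > MAXPACKET, e.g. a loopback capture with
 * MTU 65536 plus the Ethernet header. */
typedef struct {
    uint8_t  data[MAXPACKET];
    uint32_t len;
} frame_buf_t;

/* Hardened copy (hypothetical helper): reject the frame before touching
 * the buffer. Returns 0 on success, -1 when the frame does not fit. */
int frame_copy_checked(frame_buf_t *buf, const uint8_t *pkt, uint32_t caplen)
{
    if (caplen > MAXPACKET) {
        fprintf(stderr, "frame of %u octets exceeds MAXPACKET (%u), skipped\n",
                caplen, MAXPACKET);
        return -1;
    }
    memcpy(buf->data, pkt, caplen);
    buf->len = caplen;
    return 0;
}

/* Does a frame captured on an interface with this MTU still fit once the
 * Ethernet header is added?  1 = fits, 0 = would be rejected. */
int frame_fits(uint32_t mtu)
{
    return (mtu + ETHER_HDR_LEN) <= MAXPACKET;
}

/* Constructed input: run a zero-filled caplen-octet frame through the
 * checked copy. Returns the copy's result, or -2 if caplen exceeds the
 * demo's own source buffer. */
int copy_demo(uint32_t caplen)
{
    static uint8_t     pkt[DEMO_MAX_CAPLEN];   /* constructed sample frame */
    static frame_buf_t buf;
    if (caplen > DEMO_MAX_CAPLEN)
        return -2;
    return frame_copy_checked(&buf, pkt, caplen);
}
```

A normal 1514-octet frame is copied, while the 65549-octet loopback frame from the report is refused instead of overrunning the buffer.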

Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#829350; Package tcpreplay. (Sat, 02 Jul 2016 17:18:04 GMT)


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Sat, 02 Jul 2016 17:18:04 GMT)


Message #10 received at 829350@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: 829350@bugs.debian.org
Subject: Re: tcprewrite: segfault upon huge frames, missing size check
Date: Sat, 2 Jul 2016 19:13:08 +0200
[Message part 1 (text/plain, inline)]
Two missing words were recovered from lost+found:

Christoph Biedl wrote...

> as previously discussed in other places: The tcprewrite program
> (src:tcpreplay) has a compile-time limit of the maximum frame size of
> 65535 it can handle. However, incoming frames are not checked against
> that limit, and such frames do happen in the wild when capturing on the

loopback interface.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Sun, 03 Jul 2016 17:24:26 GMT)


Notification sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug acknowledged by developer. (Sun, 03 Jul 2016 17:24:26 GMT)


Message #15 received at 829350-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 829350-close@bugs.debian.org
Subject: Bug#829350: fixed in tcpreplay 3.4.4-3
Date: Sun, 03 Jul 2016 17:21:16 +0000
Source: tcpreplay
Source-Version: 3.4.4-3

We believe that the bug you reported is fixed in the latest version of
tcpreplay, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 829350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated tcpreplay package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 02 Jul 2016 20:02:26 +0200
Source: tcpreplay
Binary: tcpreplay
Architecture: source amd64
Version: 3.4.4-3
Distribution: unstable
Urgency: medium
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 tcpreplay  - Tool to replay saved tcpdump files at arbitrary speeds
Closes: 796691 829350
Changes:
 tcpreplay (3.4.4-3) unstable; urgency=medium
 .
   * extend the long description with the included executables to
     make them searchable with apt. closes: #796691
   * added enforce-maxpacket.patch. Thanks Christoph. closes: #829350
   * debian/compat moved to debhelper 9
   * debian/control raised Standards-Version no changes needed
   * debian/rules added hardening to the build




Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#829350; Package tcpreplay. (Tue, 05 Jul 2016 13:57:06 GMT)


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Tue, 05 Jul 2016 13:57:06 GMT)


Message #20 received at 829350@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: 829350@bugs.debian.org
Subject: Re: tcprewrite: segfault upon huge frames, missing size check
Date: Tue, 5 Jul 2016 15:54:29 +0200
[Message part 1 (text/plain, inline)]
This has been assigned CVE-2016-6160.
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'tcprewrite: CVE-2016-6160: segfault upon huge frames, missing size check' from 'tcprewrite: segfault upon huge frames, missing size check'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2016 14:15:08 GMT)


Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2016 14:15:09 GMT)


Marked as found in versions tcpreplay/3.4.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2016 14:36:05 GMT)


Reply sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
You have taken responsibility. (Fri, 08 Jul 2016 11:51:13 GMT)


Notification sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug acknowledged by developer. (Fri, 08 Jul 2016 11:51:13 GMT)


Message #31 received at 829350-close@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: 829350-close@bugs.debian.org
Subject: Bug#829350: fixed in tcpreplay 3.4.4-2+deb8u1
Date: Fri, 08 Jul 2016 11:47:08 +0000
Source: tcpreplay
Source-Version: 3.4.4-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
tcpreplay, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 829350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated tcpreplay package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 07 Jul 2016 10:53:56 +0200
Source: tcpreplay
Binary: tcpreplay
Architecture: source
Version: 3.4.4-2+deb8u1
Distribution: stable
Urgency: low
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Closes: 829350
Description: 
 tcpreplay  - Tool to replay saved tcpdump files at arbitrary speeds
Changes:
 tcpreplay (3.4.4-2+deb8u1) stable; urgency=low
 .
   * tcprewrite: Handle frames of 65535 octets size, add a
     size check [CVE-2016-6160]. Closes: #829350




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Aug 2016 07:32:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:21 2019; Machine Name: buxtehude
