Bug 38040 - tcpdump: Multiple issues (4.1)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 4.1-x-errata
Assigned To: UCS maintainers
Depends on: 45564
Reported: 2015-03-13 14:09 CET by Moritz Muehlenhoff
Modified: 2019-04-11 19:24 CEST

What kind of report is it?: Security Issue
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
requate: Patch_Available+

Description Moritz Muehlenhoff univentionstaff 2015-03-13 14:09:50 CET
Security issues in multiple modules:

IPv6 mobility (CVE-2015-0261)
TCP (CVE-2015-2153)
Ethernet (CVE-2015-2154)
ForCES (CVE-2015-2155)
Comment 1 Arvid Requate univentionstaff 2015-04-30 19:22:46 CEST
Fix available in Debian 4.3.0-1+deb7u2
Comment 2 Arvid Requate univentionstaff 2017-01-30 20:17:00 CET
Upstream Debian backport 4.9.0-1~deb7u1 fixes these issues:

* The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ah_print(). (CVE-2016-7922)
* The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arp_print(). (CVE-2016-7923)
* The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:oam_print(). (CVE-2016-7924)
* The compressed SLIP parser in tcpdump before 4.9.0 has a buffer overflow in print-sl.c:sl_if_print(). (CVE-2016-7925)
* The Ethernet parser in tcpdump before 4.9.0 has a buffer overflow in print-ether.c:ethertype_print(). (CVE-2016-7926)
* The IEEE 802.11 parser in tcpdump before 4.9.0 has a buffer overflow in print-802_11.c:ieee802_11_radio_print(). (CVE-2016-7927)
* The IPComp parser in tcpdump before 4.9.0 has a buffer overflow in print-ipcomp.c:ipcomp_print(). (CVE-2016-7928)
* The Juniper PPPoE ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-juniper.c:juniper_parse_header(). (CVE-2016-7929)
* The LLC/SNAP parser in tcpdump before 4.9.0 has a buffer overflow in print-llc.c:llc_print(). (CVE-2016-7930)
* The MPLS parser in tcpdump before 4.9.0 has a buffer overflow in print-mpls.c:mpls_print(). (CVE-2016-7931)
* The PIM parser in tcpdump before 4.9.0 has a buffer overflow in print-pim.c:pimv2_check_checksum(). (CVE-2016-7932)
* The PPP parser in tcpdump before 4.9.0 has a buffer overflow in print-ppp.c:ppp_hdlc_if_print(). (CVE-2016-7933)
* The RTCP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtcp_print(). (CVE-2016-7934)
* The RTP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtp_print(). (CVE-2016-7935)
* The UDP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:udp_print(). (CVE-2016-7936)
* The VAT parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:vat_print(). (CVE-2016-7937)
* The ZeroMQ parser in tcpdump before 4.9.0 has an integer overflow in print-zeromq.c:zmtp1_print_frame(). (CVE-2016-7938)
* The GRE parser in tcpdump before 4.9.0 has a buffer overflow in print-gre.c, multiple functions. (CVE-2016-7939)
* The STP parser in tcpdump before 4.9.0 has a buffer overflow in print-stp.c, multiple functions. (CVE-2016-7940)
* The AppleTalk parser in tcpdump before 4.9.0 has a buffer overflow in print-atalk.c, multiple functions. (CVE-2016-7973)
* The IP parser in tcpdump before 4.9.0 has a buffer overflow in print-ip.c, multiple functions. (CVE-2016-7974)
* The TCP parser in tcpdump before 4.9.0 has a buffer overflow in print-tcp.c:tcp_print(). (CVE-2016-7975)
* The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). (CVE-2016-7983)
* The TFTP parser in tcpdump before 4.9.0 has a buffer overflow in print-tftp.c:tftp_print(). (CVE-2016-7984)
* The CALM FAST parser in tcpdump before 4.9.0 has a buffer overflow in print-calm-fast.c:calm_fast_print(). (CVE-2016-7985)
* The GeoNetworking parser in tcpdump before 4.9.0 has a buffer overflow in print-geonet.c, multiple functions. (CVE-2016-7986)
* The Classical IP over ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-cip.c:cip_if_print(). (CVE-2016-7992)
* A bug in util-print.c:relts_print() in tcpdump before 4.9.0 could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). (CVE-2016-7993)
* The FRF.15 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:frf15_print(). (CVE-2016-8574)
* The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2017-5482. (CVE-2016-8575)
* The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). (CVE-2017-5202)
* The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). (CVE-2017-5203)
* The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print(). (CVE-2017-5204)
* The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in print-isakmp.c:ikev2_e_print(). (CVE-2017-5205)
* The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print-otv.c:otv_print(). (CVE-2017-5341)
* In tcpdump before 4.9.0, a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). (CVE-2017-5342)
* The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575. (CVE-2017-5482)
* The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print-snmp.c:asn1_parse(). (CVE-2017-5483)
* The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print(). (CVE-2017-5484)
* The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in addrtoname.c:lookup_nsap(). (CVE-2017-5485)
* The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). (CVE-2017-5486)
Comment 3 Stefan Gohmann univentionstaff 2017-06-16 20:38:41 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Comment 4 Arvid Requate univentionstaff 2017-09-08 15:35:09 CEST
4.9.0-1~deb7u2 additionally fixes:

* remote denial of service (heap-based buffer over-read and application crash) via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. (CVE-2017-11108)

* heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c. (CVE-2017-11541)

* heap-based buffer over-read in the pimv1_print function in print-pim.c. (CVE-2017-11542)

* buffer overflow in the sliplink_print function in print-sl.c. (CVE-2017-11543)
Comment 5 Arvid Requate univentionstaff 2017-10-19 09:33:47 CEST
New upstream Debian backport 4.9.2-1~deb7u1 fixes these issues:

* The SMB/CIFS parser in tcpdump before 4.9.2 has a buffer over-read in smbutil.c:name_len(). (CVE-2017-12893)
* Several protocol parsers in tcpdump before 4.9.2 could cause a buffer over-read in addrtoname.c:lookup_bytestring(). (CVE-2017-12894)
* The ICMP parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp.c:icmp_print(). (CVE-2017-12895)
* The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c:isakmp_rfc3948_print(). (CVE-2017-12896)
* The ISO CLNS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:isoclns_print(). (CVE-2017-12897)
* The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print-nfs.c:interp_reply(). (CVE-2017-12898)
* The DECnet parser in tcpdump before 4.9.2 has a buffer over-read in print-decnet.c:decnet_print(). (CVE-2017-12899)
* Several protocol parsers in tcpdump before 4.9.2 could cause a buffer over-read in util-print.c:tok2strbuf(). (CVE-2017-12900)
* The EIGRP parser in tcpdump before 4.9.2 has a buffer over-read in print-eigrp.c:eigrp_print(). (CVE-2017-12901)
* The Zephyr parser in tcpdump before 4.9.2 has a buffer over-read in print-zephyr.c, several functions. (CVE-2017-12902)
* The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-ip6.c:ip6_print(). (CVE-2017-12985)
* The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print(). (CVE-2017-12986)
* The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements(). (CVE-2017-12987)
* The telnet parser in tcpdump before 4.9.2 has a buffer over-read in print-telnet.c:telnet_parse(). (CVE-2017-12988)
* The RESP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-resp.c:resp_get_length(). (CVE-2017-12989)
* The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop due to bugs in print-isakmp.c, several functions. (CVE-2017-12990)
* The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print-bgp.c:bgp_attr_print(). (CVE-2017-12991)
* The RIPng parser in tcpdump before 4.9.2 has a buffer over-read in print-ripng.c:ripng_print(). (CVE-2017-12992)
* The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over-read in print-juniper.c, several functions. (CVE-2017-12993)
* The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print-bgp.c:bgp_attr_print(). (CVE-2017-12994)
* The DNS parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-domain.c:ns_print(). (CVE-2017-12995)
* The PIMv2 parser in tcpdump before 4.9.2 has a buffer over-read in print-pim.c:pimv2_print(). (CVE-2017-12996)
* The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-lldp.c:lldp_private_8021_print(). (CVE-2017-12997)
* The IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:isis_print_extd_ip_reach(). (CVE-2017-12998)
* The IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:isis_print(). (CVE-2017-12999)
* The IEEE 802.15.4 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_15_4.c:ieee802_15_4_if_print(). (CVE-2017-13000)
* The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print-nfs.c:nfs_printfh(). (CVE-2017-13001)
* The AODV parser in tcpdump before 4.9.2 has a buffer over-read in print-aodv.c:aodv_extension(). (CVE-2017-13002)
* The LMP parser in tcpdump before 4.9.2 has a buffer over-read in print-lmp.c:lmp_print(). (CVE-2017-13003)
* The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over-read in print-juniper.c:juniper_parse_header(). (CVE-2017-13004)
* The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print-nfs.c:xid_map_enter(). (CVE-2017-13005)
* The L2TP parser in tcpdump before 4.9.2 has a buffer over-read in print-l2tp.c, several functions. (CVE-2017-13006)
* The Apple PKTAP parser in tcpdump before 4.9.2 has a buffer over-read in print-pktap.c:pktap_if_print(). (CVE-2017-13007)
* The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements(). (CVE-2017-13008)
* The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_print(). (CVE-2017-13009)
* The BEEP parser in tcpdump before 4.9.2 has a buffer over-read in print-beep.c:l_strnstart(). (CVE-2017-13010)
* Several protocol parsers in tcpdump before 4.9.2 could cause a buffer overflow in util-print.c:bittok2str_internal(). (CVE-2017-13011)
* The ICMP parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp.c:icmp_print(). (CVE-2017-13012)
* The ARP parser in tcpdump before 4.9.2 has a buffer over-read in print-arp.c, several functions. (CVE-2017-13013)
* The White Board protocol parser in tcpdump before 4.9.2 has a buffer over-read in print-wb.c:wb_prep(), several functions. (CVE-2017-13014)
* The EAP parser in tcpdump before 4.9.2 has a buffer over-read in print-eap.c:eap_print(). (CVE-2017-13015)
* The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:esis_print(). (CVE-2017-13016)
* The DHCPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-dhcp6.c:dhcp6opt_print(). (CVE-2017-13017)
* The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print(). (CVE-2017-13018)
* The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print(). (CVE-2017-13019)
* The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print(). (CVE-2017-13020)
* The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_print(). (CVE-2017-13021)
* The IP parser in tcpdump before 4.9.2 has a buffer over-read in print-ip.c:ip_printroute(). (CVE-2017-13022)
* The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print(). (CVE-2017-13023)
* The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print(). (CVE-2017-13024)
* The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print(). (CVE-2017-13025)
* The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c, several functions. (CVE-2017-13026)
* The LLDP parser in tcpdump before 4.9.2 has a buffer over-read in print-lldp.c:lldp_mgmt_addr_tlv_print(). (CVE-2017-13027)
* The BOOTP parser in tcpdump before 4.9.2 has a buffer over-read in print-bootp.c:bootp_print(). (CVE-2017-13028)
* The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print-ppp.c:print_ccp_config_options(). (CVE-2017-13029)
* The PIM parser in tcpdump before 4.9.2 has a buffer over-read in print-pim.c, several functions. (CVE-2017-13030)
* The IPv6 fragmentation header parser in tcpdump before 4.9.2 has a buffer over-read in print-frag6.c:frag6_print(). (CVE-2017-13031)
* The RADIUS parser in tcpdump before 4.9.2 has a buffer over-read in print-radius.c:print_attr_string(). (CVE-2017-13032)
* The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print(). (CVE-2017-13033)
* The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print(). (CVE-2017-13034)
* The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:isis_print_id(). (CVE-2017-13035)
* The OSPFv3 parser in tcpdump before 4.9.2 has a buffer over-read in print-ospf6.c:ospf6_decode_v3(). (CVE-2017-13036)
* The IP parser in tcpdump before 4.9.2 has a buffer over-read in print-ip.c:ip_printts(). (CVE-2017-13037)
* The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print-ppp.c:handle_mlppp(). (CVE-2017-13038)
* The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c, several functions. (CVE-2017-13039)
* The MPTCP parser in tcpdump before 4.9.2 has a buffer over-read in print-mptcp.c, several functions. (CVE-2017-13040)
* The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_nodeinfo_print(). (CVE-2017-13041)
* The HNCP parser in tcpdump before 4.9.2 has a buffer over-read in print-hncp.c:dhcpv6_print(). (CVE-2017-13042)
* The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print-bgp.c:decode_multicast_vpn(). (CVE-2017-13043)
* The HNCP parser in tcpdump before 4.9.2 has a buffer over-read in print-hncp.c:dhcpv4_print(). (CVE-2017-13044)
* The VQP parser in tcpdump before 4.9.2 has a buffer over-read in print-vqp.c:vqp_print(). (CVE-2017-13045)
* The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print-bgp.c:bgp_attr_print(). (CVE-2017-13046)
* The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:esis_print(). (CVE-2017-13047)
* The RSVP parser in tcpdump before 4.9.2 has a buffer over-read in print-rsvp.c:rsvp_obj_print(). (CVE-2017-13048)
* The Rx protocol parser in tcpdump before 4.9.2 has a buffer over-read in print-rx.c:ubik_print(). (CVE-2017-13049)
* The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read in print-rpki-rtr.c:rpki_rtr_pdu_print(). (CVE-2017-13050)
* The RSVP parser in tcpdump before 4.9.2 has a buffer over-read in print-rsvp.c:rsvp_obj_print(). (CVE-2017-13051)
* The CFM parser in tcpdump before 4.9.2 has a buffer over-read in print-cfm.c:cfm_print(). (CVE-2017-13052)
* The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print-bgp.c:decode_rt_routing_info(). (CVE-2017-13053)
* The LLDP parser in tcpdump before 4.9.2 has a buffer over-read in print-lldp.c:lldp_private_8023_print(). (CVE-2017-13054)
* The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:isis_print_is_reach_subtlv(). (CVE-2017-13055)
* The Cisco HDLC parser in tcpdump before 4.9.2 has a buffer over-read in print-chdlc.c:chdlc_print(). (CVE-2017-13687)
* The OLSR parser in tcpdump before 4.9.2 has a buffer over-read in print-olsr.c:olsr_print(). (CVE-2017-13688)
* The IKEv1 parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c:ikev1_id_print(). (CVE-2017-13689)
* The IKEv2 parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c, several functions. (CVE-2017-13690)
* The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print(). (CVE-2017-13725)
Comment 6 Arvid Requate univentionstaff 2018-04-17 15:56:03 CEST
This issue has been filed against UCS 4.1.

UCS 4.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.