| Field | Value |
|---|---|
| Summary | net-analyzer/tcpdump <= 3.9.6 BGP dissector integer overflow (CVE-2007-3798) |
| Product | Gentoo Security |
| Reporter | mu-b |
| Component | Vulnerabilities |
| Assignee | Gentoo Security |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | netmon |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.digit-labs.org/files/exploits/private/tcpdump-bgp.c |
| Whiteboard | A2? [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
mu-b
2007-07-10 10:16:03 UTC
Cool, nice find. Netmon: please comment.

tcpdump-0.9.5-r3 and tcpdump-0.9.6-r1 are in the tree. Note, in these versions I've added the feature requested in bug 176391, and now tcpdump by default drops its privileges to the tcpdump user. The last question I have: did anybody report this upstream? What does upstream say on the issue? Before stabilization, personally I'd like to hear them... This bug seems to be open, thus I'll ask their opinion in tcpdump-workers.

hi arches, please stable tcpdump-0.9.5-r3. thx!

(In reply to comment #3)
> hi arches, please stable tcpdump-0.9.5-r3. thx!
>
bah, i'm out of training :/ Stabilize tcpdump-3.9.5-r3, and it should be open no?

sparc stable for 3.9.5-r3.

alpha/ia64/x86 stable, thanks Tobias

Stable for HPPA.

net-analyzer/tcpdump-3.9.5-r3 amd64 stable

ppc stable

mips stable.

Upstream answered: "I reviewed the fix - it seemed a bit cleaner to have it continue processing the TLVs, without adding to the string, if the string buffer is full." I do not think we should change anything right now, but in case we'll have another revision for this tcpdump version, I think it's worth changing the tcpdump-3.9.6-bgp-integer-overflow patch to: http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12

ppc64 stable

======================================================
Name: CVE-2007-3798
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=184815

Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet.

GLSA 200707-14, thanks everybody
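The upstream reply quoted in the thread describes the defensive pattern that matters here: when the output string buffer is full, keep walking the remaining TLVs but stop appending to the string, and bound every length check against what is actually left in the packet. The following C decoder is an added illustration of that pattern; it is not tcpdump's print-bgp.c, not the Gentoo patch, and not the upstream diff linked above. The TLV layout (1-byte type, 1-byte length, then the value), the function names and the sample packets are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TLV layout for this example: 1-byte type, 1-byte length, then `length` value bytes. */

/* Append `text` to out[] only when the whole string plus its NUL fits. Returns 1 if written,
 * 0 if the buffer is full; the caller keeps walking the packet either way. */
static int append_bounded(char *out, size_t out_size, size_t *used, const char *text)
{
    size_t n = strlen(text);
    if (*used >= out_size || n >= out_size - *used)   /* compare by subtraction: no sum that can wrap */
        return 0;
    memcpy(out + *used, text, n + 1);                  /* n + 1 <= out_size - *used, so this fits */
    *used += n;
    return 1;
}

/* Walk every TLV in buf[0..len) and summarise each as "T<type>/L<len>;" in out[].
 * Returns the number of TLVs walked, or -1 when a header or value would run past the end of
 * the packet. *dropped counts TLVs that were parsed but not printed because out[] was full. */
int decode_tlvs(const uint8_t *buf, size_t len, char *out, size_t out_size, size_t *dropped)
{
    size_t off = 0, used = 0;
    int count = 0;

    *dropped = 0;
    if (out_size == 0)
        return -1;
    out[0] = '\0';

    while (off < len) {
        if (len - off < 2)                 /* header does not fit in what remains */
            return -1;
        unsigned type = buf[off];
        unsigned tlen = buf[off + 1];
        if (tlen > len - off - 2)          /* value would run past the packet; checked by subtraction */
            return -1;

        char item[16];                     /* "T255/L255;" is the longest possible item */
        snprintf(item, sizeof item, "T%u/L%u;", type, tlen);
        if (!append_bounded(out, out_size, &used, item))
            (*dropped)++;                  /* string full: stop writing, keep parsing */

        off += 2 + tlen;                   /* cannot pass len because of the check above */
        count++;
    }
    return count;
}

/* Constructed sample packets for this example (not captured traffic). */
static const uint8_t SAMPLE_OK[]  = { 1, 2, 0xAA, 0xBB,  2, 0,  3, 1, 0x00 }; /* three well-formed TLVs */
static const uint8_t SAMPLE_BAD[] = { 1, 5, 0xAA };                           /* length claims 5, one byte present */
static const uint8_t SAMPLE_CUT[] = { 1 };                                    /* truncated header */

/* Small wrappers so the results can be checked by name. out_size must be <= 64. */
int sample_ok_count(size_t out_size)
{
    char out[64]; size_t dropped;
    return decode_tlvs(SAMPLE_OK, sizeof SAMPLE_OK, out, out_size, &dropped);
}

size_t sample_ok_dropped(size_t out_size)
{
    char out[64]; size_t dropped;
    decode_tlvs(SAMPLE_OK, sizeof SAMPLE_OK, out, out_size, &dropped);
    return dropped;
}

int sample_bad_count(void)
{
    char out[64]; size_t dropped;
    return decode_tlvs(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out, &dropped);
}

int sample_cut_count(void)
{
    char out[64]; size_t dropped;
    return decode_tlvs(SAMPLE_CUT, sizeof SAMPLE_CUT, out, sizeof out, &dropped);
}

int main(void)
{
    char out[64];
    size_t dropped;
    int n = decode_tlvs(SAMPLE_OK, sizeof SAMPLE_OK, out, 8, &dropped);  /* deliberately small buffer */
    printf("walked %d TLVs, printed \"%s\", dropped %zu\n", n, out, dropped);
    return 0;
}
```

With an 8-byte output buffer the decoder still walks all three sample TLVs and reports two of them as dropped rather than writing past the buffer; the two malformed samples are rejected before any length arithmetic can be trusted, which is the property the quoted review comment is after.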