Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 552632

Summary: <net-analyzer/tcpdump-4.7.4: Multiple vulnerabilities (CVE-2015-{0261,2153,2154,2155})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=553758
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 14:00:58 UTC 
CVE-2015-2155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2155):
  The force printer in tcpdump before 4.7.2 allows remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via
  unspecified vectors.

CVE-2015-2154 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2154):
  The osi_print_cksum function in print-isoclns.c in the ethernet printer in
  tcpdump before 4.7.2 allows remote attackers to cause a denial of service
  (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3)
  base pointer checksum value.

CVE-2015-2153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2153):
  The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in
  tcpdump before 4.7.2 allows remote attackers to cause a denial of service
  (out-of-bounds read or write and crash) via a crafted header length in an
  RPKI-RTR Protocol Data Unit (PDU).

CVE-2015-0261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0261):
  Integer signedness error in the mobility_opt_print function in the IPv6
  mobility printer in tcpdump before 4.7.2 allows remote attackers to cause a
  denial of service (out-of-bounds read and crash) or possibly execute
  arbitrary code via a negative length value.


Maintainers: if 4.7.4 is ready for stabilization, then please CC arch teams.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-21 06:37:18 UTC 
Arch teams, please test and mark stable:

=net-analyzer/tcpdump-4.7.4
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=net-libs/libpcap-1.7.3
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2015-06-21 13:21:53 UTC 
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-22 04:54:01 UTC 
Stable for PPC64.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-22 11:33:21 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-23 04:10:52 UTC 
(In reply to Mikle Kolyada from comment #4)
> x86 stable

No.
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-23 15:51:59 UTC 
(In reply to Jeroen Roovers from comment #5)
> (In reply to Mikle Kolyada from comment #4)
> > x86 stable
> 
> No.

Dear Jeroen,

I appreciate that you double-check after people make commit/stabilize, but would be great if you could be more verbose about what is going wrong.
In this case I guess that libpcap was not marked stable for x86, but in general we appreciate more verbosity. Thanks a lot.
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-24 08:04:34 UTC 
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-25 05:05:22 UTC 
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-26 08:05:53 UTC 
x86 stable
Comment 10 Markus Meier gentoo-dev 2015-06-28 10:50:06 UTC 
arm stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 15:29:24 UTC 
alpha stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-29 05:40:36 UTC 
And again.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-29 08:17:57 UTC 
(In reply to Jeroen Roovers from comment #12)
> And again.

wrong.

https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/tcpdump/tcpdump-4.7.4.ebuild?r1=1.7&r2=1.8
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-29 16:02:55 UTC 
(In reply to Mikle Kolyada from comment #13)
> (In reply to Jeroen Roovers from comment #12)
> > And again.
> 
> wrong.
> 
> https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/
> tcpdump/tcpdump-4.7.4.ebuild?r1=1.7&r2=1.8

This is why you read the comments and not just the Summary when it comes to security stabilisations.
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-29 17:10:30 UTC 
(In reply to Jeroen Roovers from comment #14)
> (In reply to Mikle Kolyada from comment #13)
> > (In reply to Jeroen Roovers from comment #12)
> > > And again.
> > 
> > wrong.
> > 
> > https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/
> > tcpdump/tcpdump-4.7.4.ebuild?r1=1.7&r2=1.8
> 
> This is why you read the comments and not just the Summary when it comes to
> security stabilisations.

did you mean libcap too?
Comment 16 Agostino Sarubbo gentoo-dev 2015-07-03 10:04:35 UTC 
alpha stable
Comment 17 Agostino Sarubbo gentoo-dev 2015-07-23 09:38:32 UTC 
sparc stable
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-24 10:26:07 UTC 
ia64 stable.

Cleanup, please!

GLSA vote: yes.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-08-04 15:43:22 UTC 
Maintainer(s), Thank you for you for cleanup.

GLSA Vote: Yes
New GLSA Request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:15:49 UTC 
This issue was resolved and addressed in
 GLSA 201510-04 at https://security.gentoo.org/glsa/201510-04
by GLSA coordinator Kristian Fiskerstrand (K_F).