Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 753146 (CVE-2020-8036, CVE-2020-8037)

Summary: <net-analyzer/tcpdump-4.9.3-r4: Denial of service via PPP dissector (CVE-2020-8037)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: sam, zlogene
Priority: Normal Keywords: CC-ARCHES
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-11-04 20:03:33 UTC
* CVE-2020-8036

"The tok2strbuf() function in tcpdump 4.10.0-PRE-GIT was used by the SOME/IP dissector in an unsafe way."

* CVE-2020-8037

"The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory."
Comment 1 Larry the Git Cow gentoo-dev 2020-11-07 01:44:59 UTC
The bug has been referenced in the following commit(s):

commit 5ffa42e571f5f14a5a3400a8993a4b7745a852ef
Author:     Sam James <>
AuthorDate: 2020-11-07 01:44:47 +0000
Commit:     Sam James <>
CommitDate: 2020-11-07 01:44:47 +0000

    net-analyzer/tcpdump: patch CVE-2020-8037
    Note that CVE-2020-8036 is already fixed in the version
    of 4.10.x packaged in Gentoo and 4.9.x is unaffected
    (the relevant functionality simply did not exist).
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <>

 .../files/tcpdump-4.9.3-CVE-2020-8037.patch        | 63 ++++++++++++++++
 net-analyzer/tcpdump/tcpdump-4.10.0_rc1-r1.ebuild  | 22 ++----
 net-analyzer/tcpdump/tcpdump-4.9.3-r4.ebuild       | 86 ++++++++++++++++++++++
 3 files changed, 157 insertions(+), 14 deletions(-)
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2020-11-07 20:43:42 UTC
hppa/sparc stable
Comment 3 Sam James archtester gentoo-dev Security 2020-11-08 00:25:06 UTC
arm64 done
Comment 4 Sam James archtester gentoo-dev Security 2020-11-08 00:27:14 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2020-11-08 00:28:30 UTC
amd64 done
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-11-08 13:23:13 UTC
No glsa this time.