Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833139 (CVE-2021-45386, CVE-2021-45387, CVE-2022-27416, CVE-2022-27418)

Summary: <net-analyzer/tcpreplay-4.4.1: multiple vulnerabilities (CVE-2021-{45386,45387})
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 834459    
Bug Blocks:    

Description filip ambroz 2022-02-11 20:40:44 UTC
[CVE-2021-45386]
tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv6() at tree.c
URL: https://github.com/appneta/tcpreplay/issues/687
Fixed in: 4.4.0

[CVE-2021-45387]
tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv4() at tree.c.
URL: https://github.com/appneta/tcpreplay/issues/687
Fixed in: 4.4.0
Comment 1 Larry the Git Cow gentoo-dev 2022-02-13 16:21:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f59a2f395f9edd7db3c03ac4628300e417f827b3

commit f59a2f395f9edd7db3c03ac4628300e417f827b3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-13 16:18:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-13 16:19:25 +0000

    net-analyzer/tcpreplay: add 4.4.1
    
    Bug: https://bugs.gentoo.org/833139
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/tcpreplay/Manifest                    |  1 +
 .../tcpreplay-4.4.1-fix-bashism-configure.patch    | 34 +++++++++
 net-analyzer/tcpreplay/tcpreplay-4.4.1.ebuild      | 85 ++++++++++++++++++++++
 ...preplay-999999.ebuild => tcpreplay-9999.ebuild} |  2 +-
 4 files changed, 121 insertions(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 15:09:45 UTC
CVE-2022-27418 (https://github.com/appneta/tcpreplay/issues/703):

Tcpreplay v4.4.1 has a heap-based buffer overflow in do_checksum_math at /tcpedit/checksum.c.

CVE-2022-27416 (https://github.com/appneta/tcpreplay/issues/702):

Tcpreplay v4.4.1 was discovered to contain a double-free via __interceptor_free.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:10:56 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2022-10-16 14:46:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88ba016aa774dab2e07e26e0c461ed03c93e6462

commit 88ba016aa774dab2e07e26e0c461ed03c93e6462
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:42:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:24 +0000

    [ GLSA 202210-08 ] Tcpreplay: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833139
    Bug: https://bugs.gentoo.org/836240
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-08.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2022-10-16 15:03:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d5ed53a1fde4bc265745acf50499481a20054a1

commit 5d5ed53a1fde4bc265745acf50499481a20054a1
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-16 15:03:41 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 15:03:41 +0000

    net-analyzer/tcpreplay: drop 4.3.4, 4.4.1
    
    Bug: https://bugs.gentoo.org/836240
    Bug: https://bugs.gentoo.org/833139
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-analyzer/tcpreplay/Manifest               |  2 -
 net-analyzer/tcpreplay/tcpreplay-4.3.4.ebuild | 77 ------------------------
 net-analyzer/tcpreplay/tcpreplay-4.4.1.ebuild | 87 ---------------------------
 3 files changed, 166 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 15:04:19 UTC
GLSA released, all done!