| Summary: | <net-analyzer/tcpreplay-4.4.2: multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | netmon |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/appneta/tcpreplay/issues/723 | ||
| Whiteboard: | B4 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 877033 | ||
| Bug Blocks: | |||
|
Description
John Helmert III
2022-03-27 01:06:37 UTC
CVE-2022-28487 (https://github.com/appneta/tcpreplay/pull/720): Tcpreplay version 4.4.1 contains a memory leakage flaw in fix_ipv6_checksums() function. The highest threat from this vulnerability is to data confidentiality. All issues are patched in the 4.4.2 *branch*, doesn't seem Github has a release of 4.4.2 yet. CVE-2022-37047 (https://github.com/appneta/tcpreplay/issues/734): The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940. Patched by https://github.com/appneta/tcpreplay/issues/718 CVE-2022-37048 (https://github.com/appneta/tcpreplay/issues/735): The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941. Patched by https://github.com/appneta/tcpreplay/pull/744 CVE-2022-37049 (https://github.com/appneta/tcpreplay/issues/736): The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE: this is different from CVE-2022-27942. Patched by https://github.com/appneta/tcpreplay/issues/718 The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8a5c2cc9833bc9c4f85eb8be95bc5dcc83ea8e8 commit f8a5c2cc9833bc9c4f85eb8be95bc5dcc83ea8e8 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-08-27 05:57:30 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-27 06:05:56 +0000 net-analyzer/tcpreplay: add 4.4.2 Bug: https://bugs.gentoo.org/836240 Signed-off-by: Sam James <sam@gentoo.org> net-analyzer/tcpreplay/Manifest | 1 + net-analyzer/tcpreplay/tcpreplay-4.4.2.ebuild | 86 +++++++++++++++++++++++++++ net-analyzer/tcpreplay/tcpreplay-9999.ebuild | 1 - 3 files changed, 87 insertions(+), 1 deletion(-) GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=88ba016aa774dab2e07e26e0c461ed03c93e6462 commit 88ba016aa774dab2e07e26e0c461ed03c93e6462 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-16 14:42:49 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:45:24 +0000 [ GLSA 202210-08 ] Tcpreplay: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/833139 Bug: https://bugs.gentoo.org/836240 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-08.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d5ed53a1fde4bc265745acf50499481a20054a1 commit 5d5ed53a1fde4bc265745acf50499481a20054a1 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-10-16 15:03:41 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 15:03:41 +0000 net-analyzer/tcpreplay: drop 4.3.4, 4.4.1 Bug: https://bugs.gentoo.org/836240 Bug: https://bugs.gentoo.org/833139 Signed-off-by: John Helmert III <ajak@gentoo.org> net-analyzer/tcpreplay/Manifest | 2 - net-analyzer/tcpreplay/tcpreplay-4.3.4.ebuild | 77 ------------------------ net-analyzer/tcpreplay/tcpreplay-4.4.1.ebuild | 87 --------------------------- 3 files changed, 166 deletions(-) GLSA released, all done! |