Aug 3, 2011 - tcptrack 1.4.2 released
tcptrack 1.4.2 is now released. This fixes a heap overflow in the parsing of the command line. Thanks to Patroklos Argyroudis for the discovery and Chow Loong Jin for a fix.
As stated by Patroklos Argyroudis, this may have security repercussions if tcptrack is configured as a handler for other applications that can pass user-supplied command line input to tcptrack.
A number of other miscellaneous problems have been fixed as well.
Arch team, please test and mark stable:
Thanks, folks. GLSA request filed.
Heap-based buffer overflow in tcptrack before 1.4.2 might allow attackers to
execute arbitrary code via a long command line argument. NOTE: this is only
a vulnerability in limited scenarios in which tcptrack is "configured as a
handler for other applications." This issue might not qualify for inclusion
This issue was resolved and addressed in
GLSA 201402-22 at http://security.gentoo.org/glsa/glsa-201402-22.xml
by GLSA coordinator Chris Reffett (creffett).