Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 377917 (CVE-2011-2903) - <net-analyzer/tcptrack-1.4.2 - heap overflow in command line parsing (CVE-2011-2903)
Summary: <net-analyzer/tcptrack-1.4.2 - heap overflow in command line parsing (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2011-2903
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.rhythm.cx/~steve/devel/tcp...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-05 20:40 UTC by Jeroen Roovers
Modified: 2014-02-21 16:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers gentoo-dev 2011-08-05 20:40:15 UTC
Aug 3, 2011 - tcptrack 1.4.2 released

tcptrack 1.4.2 is now released. This fixes a heap overflow in the parsing of the command line. Thanks to Patroklos Argyroudis for the discovery and Chow Loong Jin for a fix.

As stated by Patroklos Argyroudis, this may have security repercussions if tcptrack is configured as a handler for other applications that can pass user-supplied command line input to tcptrack.

A number of other miscellaneous problems have been fixed as well.


Arch team, please test and mark stable:
=net-analyzer/tcptrack-1.4.2
Target KEYWORDS="x86"
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-06 03:31:02 UTC
x86 stable
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 22:28:37 UTC
Thanks, folks. GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:44:06 UTC
CVE-2011-2903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2903):
  Heap-based buffer overflow in tcptrack before 1.4.2 might allow attackers to
  execute arbitrary code via a long command line argument. NOTE: this is only
  a vulnerability in limited scenarios in which tcptrack is "configured as a
  handler for other applications." This issue might not qualify for inclusion
  in CVE.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:21 UTC
This issue was resolved and addressed in
 GLSA 201402-22 at http://security.gentoo.org/glsa/glsa-201402-22.xml
by GLSA coordinator Chris Reffett (creffett).