Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 38206 - tcpdump, arpwatch, libpcap bump to stable for security fix
Summary: tcpdump, arpwatch, libpcap bump to stable for security fix
Status: RESOLVED DUPLICATE of bug 46258
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All All
: Highest critical (vote)
Assignee: Gentoo Security
Depends on:
Blocks: 46258
  Show dependency tree
Reported: 2004-01-14 13:05 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2005-07-17 13:06 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---
klieber: Pending+


Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-01-14 13:05:23 UTC
	Subject: 	[RHSA-2004:007-01] Updated tcpdump packages fix various vulnerabilities
	Date: 	January 14, 2004 2:44:00 PM EST

Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated tcpdump packages fix various vulnerabilities
Advisory ID:       RHSA-2004:007-01
Issue date:        2004-01-07
Updated on:        2004-01-14
Product:           Red Hat Linux
Keywords:          tcpdump arpwatch buffer overflow
Cross references:  
Obsoletes:         RHSA-2003:174
CVE Names:         CAN-2003-0989
- ---------------------------------------------------------------------

1. Topic:

Updated tcpdump, libpcap, and arpwatch packages fix a number of
vulnerabilities in ISAKMP parsing.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386

3. Problem description:

Tcpdump is a command-line tool for monitoring network traffic. 

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1.  The Common Vulnerabilities and Exposures project
( has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. 

Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim.  If the victim uses tcpdump, these
pakets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.

Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported security patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network.  To use Red
Hat Network, launch the Red Hat Update Agent with the following command:


This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 9:



6. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------

226b13743f96ea03b3c3a17e74114b1b 9/en/os/SRPMS/tcpdump-3.7.2-7.9.1.src.rpm
fe3af157c00676c7021f793a5afd1f62 9/en/os/i386/arpwatch-2.1a11-7.9.1.i386.rpm
384fee9a20392740cf83cced8eb41a3c 9/en/os/i386/libpcap-0.7.2-7.9.1.i386.rpm
c5eb264f2f18ddffd07e700d752c63ba 9/en/os/i386/tcpdump-3.7.2-7.9.1.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key is
available from

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum <filename>

7. References:

8. Contact:

The Red Hat security contact is <>.  More contact
details at

Copyright 2003 Red Hat, Inc.
Version: GnuPG v1.0.7 (GNU/Linux)

Comment 1 SpanKY gentoo-dev 2004-01-14 15:42:06 UTC
so what package is the real problem here ?
or do all four suffer from the same thing ?
Comment 2 solar (RETIRED) gentoo-dev 2004-01-14 16:54:58 UTC
Sounds like the root of the problem here is libpcap itself and arping and tcpdump are two of the packages affected on RH.
Comment 3 solar (RETIRED) gentoo-dev 2004-01-14 16:58:19 UTC
From: 	Sebastian Krahmer <>
Subject: 	[Full-Disclosure] SUSE Security Announcement: tcpdump (SuSE-SA:2004:002)
Date: 	Wed, 14 Jan 2004 15:20:10 +0100 (CET)

                    SUSE Security Announcement

        Package:                tcpdump
        Announcement-ID:        SuSE-SA:2004:002
        Date:                   Wed Jan 14 14:00:00 MET 2004
        Affected products:      8.0, 8.1, 8.2, 9.0
                                SuSE eMail Server III
                                SuSE Firewall Adminhost VPN
                                SuSE Linux Admin-CD for Firewall
                                SuSE Firewall on CD 2 - VPN
                                SuSE Firewall on CD 2
                                SuSE Linux Enterprise Server 7
                                SLES 8 for IBM iSeries and IBM pSeries
                                SuSE Linux Enterprise Server 8
                                SuSE Linux Desktop 1.0
                                SuSE Linux School Server for i386
                                SuSE Linux Standard Server 8
                                SuSE Linux Office Server
                                UnitedLinux 1.0
        Vulnerability Type:     remote DoS
        Severity (1-10):        3
        SUSE default package:   yes
        Cross References:

    Content of this advisory:
        1) security vulnerability resolved: remote DoS condition in tcpdumps
           ISAKMP handling
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
            - opera
            - mc
            - mod_gzip
            - tripwire
            - cvs
            - gnome-filesystem
            - XDM (XFree86, xf86)
            - inn
            - mpg321
            - popper
            - kdepim3
            - pin
            - 3ddiag
            - mod_auth_shadow
        3) standard appendix (further information)


1)  problem description, brief discussion, solution, upgrade information

    Tcpdump is a well known tool for administrators to analyze network
      There is a bug in the tcpdump code responsible for handling ISAKMP
    messages. This bug allows remote attackers to destroy a current
    tcpdump session by tricking the tcpdump program with evil ISAKMP
    messages to enter an endless loop.

2)  Pending vulnerabilities in SUSE Distributions and Workarounds:

    - Opera web browser
    The SuSE Security Team has discovered a flaw in the Opera web browsers
    X.509 certificate handling during the SSL handshake. It allows attackers
    to prompt the Opera web browser with invalid certificates containing
    the public key of the attacker. Thus, he can read or modify the
    HTTPS traffic without notification by the user.
    New packages fixing this problem will be available soon on our ftp

    - mc
    By using a special combination of links in archive-files it is possible
    to execute arbitrary commands while mc tries to open it in its VFS.
    The packages will be released soon.

    - mod_gzip (apache-contrib)
    The apache module mod_gzip is vulnerable to remote code execution
    while running in debug-mode. We do not ship this module in debug-mode
    but future versions will include the fix.
    Additionally the mod_gzip code was audited to fix more possible security
    related bugs.
    After more testing a new apache-contrib RPM package will be released.

    - tripwire
    Tripwire is a file integrity checker. The tripwire version on SuSE Linux
    8.2 and 9.0 do crash when a requested file does not exists.
    New packages will be available soon.

    - cvs
    The cvs server-side can be tricked to create files in the root filesystem
    of the server by requesting malformed modules. The permissions on the
    root filesystem normally prevent this malfunction. Additionally the
    package will include a fix for a format-string bug.
    New packages will be available soon.

    - gnome-filesystem
    A script included in the gnome-filesystem package handles temporary
    files insecurely. This script is called by YaST2 with root
    privileges. The bug can be exploited locally to create or overwrite
    arbitrary files in the filesystem. The bug is fixed in our current
    source-tree since November 2003 but nevertheless update packages
    for older SuSE Linux versions will be released soon.

    - XDM (XFree86, xf86)
    A missing check for failure conditions in the PAM code of XDM
    can lead to local root access in conjunction with Kerberos
    and alike. New packages will be released soon.

    - inn
    A buffer overflow in the code for handling control messages
    can be exploited remotely.
    New packages are available on our FTP servers.

    - mpg321
    A format-bug in mpg321 can be exploited (even remotely by HTTP streaming)
    to execute code with the permissions of the user running mpg321 on
    special MP3 files.
    New packages are available on our FTP servers.

    - popper
    Popper handles temporary files in an insecure manner.
    New packages are available on our FTP servers.

    - kdepim3
    It was possible to use a buffer overflow via a special crafted vcard file
    to run code during generating previews. By default it was only possible
    on local filesystems, but the user can enable this also for remote file
    New packages are available on our FTP servers.

    - pin
    Pin handles local temporary files in an insecure manner which may lead
    to local privilege escalation.
    Thanks to Stefan Nordhausen <nordhaus at>
    for reporting one of the issues.
    New packages are available on our FTP servers.

    - 3ddiag
    Some 3ddiag scripts handle temporary files in an insecure manner.
    Thanks to Stefan Nordhausen <nordhaus at>
    for reporting some of the issues.
    New packages will be available on our FTP servers soon.

    - mod_auth_shadow (apache-contrib)
    This apache module ignores account expiration dates.
    The update will be released together with mod_gzip.
Comment 4 Andy Dustman 2004-02-09 13:12:02 UTC
I still can't even get tcpdump-3.8.1 to build on any ~x86 box I have. See bug #37184.

tcpdump.o(.text+0x409): In function `main':
: undefined reference to `pcap_debug'
collect2: ld returned 1 exit status
make: *** [tcpdump] Error 1

I have libpcap-0.8.1.
Comment 5 Andy Dustman 2004-02-23 13:48:30 UTC
The problem I had was due to using -finline-functions, which is implied by -O3, and is the ultimate source of the problem. src_compile() should be changed thusly:

src_compile() {
        replace-flags -O[3-9] -O2
        filter-flags -finline-functions # new
        econf `use_with ssl crypto` `use_enable ipv6` || die
        make CCOPT="$CFLAGS" || die
Comment 6 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-23 17:43:49 UTC
tcpdump builds and runs fine for me on ~x86.
Comment 7 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 01:44:44 UTC
tcpdump 3.8.1 apparently fixes this issue.  From what I gather from the CVE, only tcpdump (and not libcap) is affected by this issue:

3.8.1 is already marked stable on ppc sparc hppa and amd64.  CC'ing other arches.

aliz -- can you see about marking 3.8.1 stable on x86?
Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 01:51:30 UTC
CondorDes -- want to take a stab at this one?
Comment 9 Aron Griffis (RETIRED) gentoo-dev 2004-03-30 08:19:30 UTC
I marked this stable on alpha and ia64
Comment 10 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-30 09:44:02 UTC
Got it.

I'll get a GLSA drafted for this sometime today.  It looks like we're still waiting on x86 and mips.
Comment 11 solar (RETIRED) gentoo-dev 2004-03-30 12:09:36 UTC
tcpdump-3.8.3 just went into the portage tree 15 mins ago.. (same bug? dup?)

Bug #46258
Comment 12 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-30 23:07:27 UTC
re comment 11:

Yes, I think this is a dup, even though the CAN numbers are different.  They're all in the same timeframe, and the advisories seem to be describing the same bug.
Comment 13 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-30 23:50:45 UTC
Just finished drafting the GLSA.
Comment 14 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-06 00:22:49 UTC
This is really a duplicate ...

*** This bug has been marked as a duplicate of 46258 ***