Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534660 - <net-analyzer/tcpdump-4.6.2-r1 - Multiple vulnerabilities (CVE-2014-{8767,8768,8769,9140})
Summary: <net-analyzer/tcpdump-4.6.2-r1 - Multiple vulnerabilities (CVE-2014-{8767,876...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-04 16:05 UTC by GLSAMaker/CVETool Bot
Modified: 2015-02-07 20:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 16:05:15 UTC
CVE-2014-9140 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9140):
  Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and
  earlier allows remote attackers to cause a denial of service (crash) cia a
  crafted PPP packet.

CVE-2014-8769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8769):
  tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive
  information from memory or cause a denial of service (packet loss or
  segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV)
  packet, which triggers an out-of-bounds memory access.

CVE-2014-8768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8768):
  Multiple Integer underflows in the geonet_print function in tcpdump 4.5.0
  through 4.6.2, when in verbose mode, allow remote attackers to cause a
  denial of service (segmentation fault and crash) via a crafted length value
  in a Geonet frame.

CVE-2014-8767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8767):
  Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2,
  when in verbose mode, allows remote attackers to cause a denial of service
  (crash) via a crafted length value in an OLSR frame.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-06 20:31:14 UTC
There is a tcpdump-4.7.0-bp.tar.gz but I am pretty sure that's not an official release.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-07 16:24:37 UTC
Arch teams, please test and mark stable:
=net-analyzer/tcpdump-4.6.2-r1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-01-07 16:53:52 UTC
amd64 stable
Comment 4 Andreas Schürch gentoo-dev 2015-01-08 10:02:47 UTC
x86 done.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-08 23:35:15 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-09 08:38:56 UTC
ppc stable
Comment 7 Tobias Klausmann gentoo-dev 2015-01-09 12:18:06 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2015-01-11 21:06:41 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-13 10:21:48 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-01-14 13:52:21 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-01-16 08:09:13 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 20:19:56 UTC
Cleanup was done. 

GLSA has been drafted and is ready for peer review.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 20:27:44 UTC
This issue was resolved and addressed in
 GLSA 201502-05 at http://security.gentoo.org/glsa/glsa-201502-05.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).