Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 552632 - <net-analyzer/tcpdump-4.7.4: Multiple vulnerabilities (CVE-2015-{0261,2153,2154,2155})
Summary: <net-analyzer/tcpdump-4.7.4: Multiple vulnerabilities (CVE-2015-{0261,2153,21...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-20 14:00 UTC by GLSAMaker/CVETool Bot
Modified: 2015-10-31 15:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 14:00:58 UTC
CVE-2015-2155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2155):
  The force printer in tcpdump before 4.7.2 allows remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via
  unspecified vectors.

CVE-2015-2154 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2154):
  The osi_print_cksum function in print-isoclns.c in the ethernet printer in
  tcpdump before 4.7.2 allows remote attackers to cause a denial of service
  (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3)
  base pointer checksum value.

CVE-2015-2153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2153):
  The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in
  tcpdump before 4.7.2 allows remote attackers to cause a denial of service
  (out-of-bounds read or write and crash) via a crafted header length in an
  RPKI-RTR Protocol Data Unit (PDU).

CVE-2015-0261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0261):
  Integer signedness error in the mobility_opt_print function in the IPv6
  mobility printer in tcpdump before 4.7.2 allows remote attackers to cause a
  denial of service (out-of-bounds read and crash) or possibly execute
  arbitrary code via a negative length value.


Maintainers: if 4.7.4 is ready for stabilization, then please CC arch teams.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-21 06:37:18 UTC
Arch teams, please test and mark stable:

=net-analyzer/tcpdump-4.7.4
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=net-libs/libpcap-1.7.3
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2015-06-21 13:21:53 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-22 04:54:01 UTC
Stable for PPC64.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-22 11:33:21 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-23 04:10:52 UTC
(In reply to Mikle Kolyada from comment #4)
> x86 stable

No.
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-23 15:51:59 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Mikle Kolyada from comment #4)
> > x86 stable
> 
> No.

Dear Jeroen,

I appreciate that you double-check after people make commit/stabilize, but would be great if you could be more verbose about what is going wrong.
In this case I guess that libpcap was not marked stable for x86, but in general we appreciate more verbosity. Thanks a lot.
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-24 08:04:34 UTC
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-25 05:05:22 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-26 08:05:53 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2015-06-28 10:50:06 UTC
arm stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 15:29:24 UTC
alpha stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-29 05:40:36 UTC
And again.
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-29 08:17:57 UTC
(In reply to Jeroen Roovers from comment #12)
> And again.

wrong.

https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/tcpdump/tcpdump-4.7.4.ebuild?r1=1.7&r2=1.8
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-29 16:02:55 UTC
(In reply to Mikle Kolyada from comment #13)
> (In reply to Jeroen Roovers from comment #12)
> > And again.
> 
> wrong.
> 
> https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/
> tcpdump/tcpdump-4.7.4.ebuild?r1=1.7&r2=1.8

This is why you read the comments and not just the Summary when it comes to security stabilisations.
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-29 17:10:30 UTC
(In reply to Jeroen Roovers from comment #14)
> (In reply to Mikle Kolyada from comment #13)
> > (In reply to Jeroen Roovers from comment #12)
> > > And again.
> > 
> > wrong.
> > 
> > https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/
> > tcpdump/tcpdump-4.7.4.ebuild?r1=1.7&r2=1.8
> 
> This is why you read the comments and not just the Summary when it comes to
> security stabilisations.

did you mean libcap too?
Comment 16 Agostino Sarubbo gentoo-dev 2015-07-03 10:04:35 UTC
alpha stable
Comment 17 Agostino Sarubbo gentoo-dev 2015-07-23 09:38:32 UTC
sparc stable
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-24 10:26:07 UTC
ia64 stable.

Cleanup, please!

GLSA vote: yes.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-08-04 15:43:22 UTC
Maintainer(s), Thank you for you for cleanup.

GLSA Vote: Yes
New GLSA Request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:15:49 UTC
This issue was resolved and addressed in
 GLSA 201510-04 at https://security.gentoo.org/glsa/201510-04
by GLSA coordinator Kristian Fiskerstrand (K_F).