Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612224 (CVE-2017-6429) - <net-analyzer/tcpreplay-4.1.2-r1: Buffer overflow in tcpcapinfo utility (CVE-2017-6429)
Summary: <net-analyzer/tcpreplay-4.1.2-r1: Buffer overflow in tcpcapinfo utility (CVE-...
Alias: CVE-2017-6429
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa/cve]
Depends on:
Reported: 2017-03-10 16:33 UTC by Agostino Sarubbo
Modified: 2017-03-24 06:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-03-10 16:33:05 UTC
From ${URL} :

Tcpcapinfo utility of Tcpreplay has a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when capture has a packet that is too large to handle.


Upstream bug:

Upstream patch:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-18 11:31:45 UTC
Upstream appears to be working leisurely toward a 4.2.0 release and has not (yet) released a 4.1 branch version that fixes the issue.

Arch teams, please test and mark stable:
Targeted stable KEYWORDS : amd64 x86
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 14:24:18 UTC
CVE-2017-6429 (
  Buffer overflow in the tcpcapinfo utility in Tcpreplay before 4.2.0 Beta 1
  allows remote attackers to have unspecified impact via a pcap file with an
  over-size packet.
Comment 3 Agostino Sarubbo gentoo-dev 2017-03-20 12:28:48 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-21 14:34:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Thomas Deutschmann gentoo-dev 2017-03-23 20:27:19 UTC
No ACE/RCE, downgraded to B3.

GLSA Vote: No

Repository is clean, all done.