Bug 696040 (CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16301, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2019-15167) - <net-analyzer/tcpdump-4.9.3 - multiple buffer overflow/overread vulnerabilities
Summary: <net-analyzer/tcpdump-4.9.3 - multiple buffer overflow/overread vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16301, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2019-15167
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2017-16808
Reported: 2019-10-02 06:36 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-10-26 17:35 UTC

See Also:
Package list:
=net-analyzer/tcpdump-4.9.3 =net-libs/libpcap-1.9.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Jeroen Roovers (RETIRED) gentoo-dev 2019-10-02 06:36:19 UTC
CHANGES:

Friday, September 20, 2019, by mcr@sandelman.ca
  A huge thank you to Denis, Francois-Xavier and Guy who did much of the heavy lifting.
  Summary for 4.9.3 tcpdump release
    Fix buffer overflow/overread vulnerabilities:
      CVE-2017-16808 (AoE)
      CVE-2018-14468 (FrameRelay)
      CVE-2018-14469 (IKEv1)
      CVE-2018-14470 (BABEL)
      CVE-2018-14466 (AFS/RX)
      CVE-2018-14461 (LDP)
      CVE-2018-14462 (ICMP)
      CVE-2018-14465 (RSVP)
      CVE-2018-14881 (BGP)
      CVE-2018-14464 (LMP)
      CVE-2018-14463 (VRRP)
      CVE-2018-14467 (BGP)
      CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
      CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
      CVE-2018-14880 (OSPF6)
      CVE-2018-16451 (SMB)
      CVE-2018-14882 (RPL)
      CVE-2018-16227 (802.11)
      CVE-2018-16229 (DCCP)
      CVE-2018-16301 (was fixed in libpcap)
      CVE-2018-16230 (BGP)
      CVE-2018-16452 (SMB)
      CVE-2018-16300 (BGP)
      CVE-2018-16228 (HNCP)
      CVE-2019-15166 (LMP)
      CVE-2019-15167 (VRRP)
    Fix for cmdline argument/local issues:
      CVE-2018-14879 (tcpdump -V)
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2019-10-02 06:39:58 UTC
CVE-2018-14468,CVE-2018-14469,CVE-2018-14470,CVE-2018-14466,CVE-2018-14461,CVE-2018-14462,CVE-2018-14465,CVE-2018-14881,CVE-2018-14464,CVE-2018-14463,CVE-2018-14467,CVE-2018-10103,CVE-2018-10105,CVE-2018-14880,CVE-2018-16451,CVE-2018-14882,CVE-2018-16227,CVE-2018-16229,CVE-2018-16301,CVE-2018-16230,CVE-2018-16452,CVE-2018-16300,CVE-2018-16228,CVE-2019-15166,CVE-2019-15167,CVE-2018-14879
Comment 2 Larry the Git Cow gentoo-dev 2019-10-02 07:06:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86c4aec29acf3e9d6bded979d104189d3a6b3f42

commit 86c4aec29acf3e9d6bded979d104189d3a6b3f42
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-10-02 07:05:08 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-10-02 07:06:50 +0000

    net-analyzer/tcpdump: Set libpcap version dependency for USE=test
    
    Fails several tests with <net-libs/libpcap-1.9.1
    
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=696040
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/tcpdump/tcpdump-4.9.3.ebuild | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 3 Stabilization helper bot gentoo-dev 2019-10-06 20:01:46 UTC
An automated check of this bug failed - the following invalid arch is referenced in the atom list:

=net-libs/libpcap-1.9.1
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-10-06 21:32:25 UTC
x86 stable
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-10-07 00:47:17 UTC
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-07 08:45:56 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-07 09:50:43 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-07 09:53:37 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-10-07 10:45:48 UTC
sparc stable
Comment 10 Sergei Trofimovich gentoo-dev 2019-10-07 19:31:12 UTC
ia64 stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-10-11 22:41:50 UTC
hppa stable
Comment 12 Matt Turner gentoo-dev 2019-10-14 02:41:13 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2019-10-14 09:53:34 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2019-10-14 10:17:22 UTC
(In reply to Agostino Sarubbo from comment #13)
> s390 stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

Keywords for net-libs/libpcap:
            | a a a a i p p x h m s s s r m | e u s | r
            | l m r r a p p 8 p 6 3 h p i i | a n l | e
            | p d m m 6 c c 6 p 8 9   a s p | p u o | p
            | h 6   6 4   6   a k 0   r c s | i s t | o
            | a 4   4     4           c v   |   e   |
            |                               |   d   |
------------+-------------------------------+-------+-------
1.8.1       | + + + + + + + + + o + ~ + o ~ | 6 o 0 | gentoo
1.8.1-r2    | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ ~ ~ o ~ | 6 #   | gentoo
1.9.0       | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ ~ ~ ~ ~ | 6 #   | gentoo
1.9.0-r1    | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ ~ + ~ ~ | 6 #   | gentoo
[I]1.9.1    | + + ~ + + + + + + o + ~ + ~ ~ | 6 o   | gentoo
9999        | o o o o o o o o o o o o o o o | 6 o   | gentoo

You forgot about ARM...
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-10-20 08:55:08 UTC
arm stable
Comment 16 Thomas Deutschmann gentoo-dev Security 2019-10-26 17:35:44 UTC
GLSA Vote: No!

Repository is clean, all done!