Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711316 (CVE-2019-1010057, CVE-2019-14459) - <net-analyzer/nfdump-1.6.19: multiple vulnerabilities (CVE-2019-{14459,1010057})
Summary: <net-analyzer/nfdump-1.6.19: multiple vulnerabilities (CVE-2019-{14459,1010057})
Status: RESOLVED FIXED
Alias: CVE-2019-1010057, CVE-2019-14459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/phaag/nfdump/issue...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-02 14:17 UTC by Sam James
Modified: 2020-06-20 01:29 UTC (History)
1 user (show)

See Also:
Package list:
=net-analyzer/nfdump-1.6.19
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:17:03 UTC
Description:
"nfdump 1.6.16 and earlier is affected by: Buffer Overflow. The impact is: The impact could range from a denial of service to local code execution. The component is: nfx.c:546, nffile_inline.c:83, minilzo.c (redistributed). The attack vector is: nfdump must read and process a specially crafted file. The fixed version is: after commit 9f0fe9563366f62a71d34c92229da3432ec5cf0e."

Patch: https://github.com/phaag/nfdump/commit/9f0fe9563366f62a71d34c92229da3432ec5cf0e
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 15:06:20 UTC
2) CVE-2019-14459

Description:
"nfdump 1.6.17 and earlier is affected by an integer overflow in the function Process_ipfix_template_withdraw in ipfix.c that can be abused in order to crash the process remotely (denial of service)."

Bug: https://github.com/phaag/nfdump/issues/171
Patch: https://github.com/phaag/nfdump/commit/3b006ededaf351f1723aea6c727c9edd1b1fff9b
Comment 2 Agostino Sarubbo gentoo-dev 2020-03-12 16:21:40 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-12 16:26:30 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 02:20:12 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 02:26:56 UTC
This issue was resolved and addressed in
 GLSA 202003-17 at https://security.gentoo.org/glsa/202003-17
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 02:27:25 UTC
Re-opening for cleanup.
Comment 7 NATTkA bot gentoo-dev 2020-04-06 11:25:05 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:38:37 UTC
@maintainer(s), ping, please cleanup