Arch Linux Security Advisory ASA-201503-20
==========================================

Severity: High
Date    : 2015-03-20
CVE-ID  : CVE-2014-8767 CVE-2014-8768 CVE-2014-8769 CVE-2014-9140
          CVE-2015-0261 CVE-2015-2153 CVE-2015-2154 CVE-2015-2155
Package : tcpdump
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package tcpdump before version 4.7.3-1 is vulnerable to multiple
issues including denial of service, out-of-bounds memory read and
possibly arbitrary code execution.

Resolution
==========

Upgrade to 4.7.3-1.

# pacman -Syu "tcpdump>=4.7.3-1"

The problems have been fixed upstream in version 4.7.3.

Workaround
==========

None.

Description
===========

- CVE-2014-8767 (denial of service)

Integer underflow in the olsr_print function, when in verbose mode,
allows remote attackers to cause a denial of service (crash) via a
crafted length value in an OLSR frame.

- CVE-2014-8768 (denial of service)

Multiple integer underflows in the geonet_print function, when in
verbose mode, allow remote attackers to cause a denial of service
(segmentation fault and crash) via a crafted length value in a Geonet
frame.

- CVE-2014-8769 (out-of-bounds memory read)

Might allow remote attackers to obtain sensitive information from memory
or cause a denial of service (packet loss or segmentation fault) via a
crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers
an out-of-bounds memory access.

- CVE-2014-9140 (denial of service)

Buffer overflow in the ppp_hdlc function in print-ppp.c allows remote
attackers to cause a denial of service (crash) via a crafted PPP packet
or possibly execute arbitrary code.

- CVE-2015-0261 (out-of-bounds memory read)

IPv6 mobility printer mobility_opt_print() typecasting/signedness error
would handle "len" as "int" (=positive and negative numbers), instead of
"unsigned int" (=only positive numbers).
When calling mobility_opt_print() with a negative "len", the "i < len"
check would not be satisfied and it would not enter the loop and try to
read from bp[i].

- CVE-2015-2153 (arbitrary code execution)

TCP printer problem with missing length check in the
rpki_rtr_pdu_print() function in print-rpki-rtr.c when processing
RPKI-RTR PDUs (Protocol Data Units) with an incorrect header length.
Without this check, the function will try to operate on invalid data
when processing certain packets, leading to all kinds of unwanted side
effects, including crashes due to invalid reads, writes and general
memory corruption. Due to the memory corruption aspect it may lead to
code execution.

- CVE-2015-2154 (out-of-bounds memory read)

Ethernet printer osi_print_cksum() missing sanity checks in
print-isoclns.c. The function may call the create_osi_cksum() function
in checksum.c with invalid data leading to out-of-bounds memory read.

- CVE-2015-2155 (arbitrary code execution)

A flaw was found in tcpdump's force printer. A remote attacker could use
this flaw to cause tcpdump to crash, resulting in a denial of service,
or possibly execute arbitrary code.

Impact
======

A remote attacker is able to inject specially crafted packets that cause
tcpdump to crash leading to denial of service, or possibly execute
arbitrary code via various vectors.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8767
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8768
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8769
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9140
https://access.redhat.com/security/cve/CVE-2015-0261
https://access.redhat.com/security/cve/CVE-2015-2153
https://access.redhat.com/security/cve/CVE-2015-2154
https://access.redhat.com/security/cve/CVE-2015-2155
https://bugs.archlinux.org/task/44153
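
Several of the issues described above come from attacker-supplied length fields that are subtracted from, or compared with the wrong signedness, before any bounds check. The following is an added illustration of that bug class and of the checks that prevent it; it is not tcpdump's code, and the two-byte option format (type, total length) and all function names are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define OPT_HDR 2u  /* constructed format: 1 byte type, 1 byte total length */

/* Unchecked pattern: a declared length smaller than the header wraps
 * around when the header size is subtracted as an unsigned value. */
static unsigned naive_payload_len(uint8_t declared)
{
    return (unsigned)declared - OPT_HDR;   /* wraps when declared < 2 */
}

/* Checked walk. caplen is the number of bytes actually captured; len is
 * the length claimed by the enclosing header. Both are unsigned, so a
 * negative length cannot be expressed. Returns the number of well-formed
 * options, or -1 as soon as any length is inconsistent. */
static int walk_options(const uint8_t *bp, size_t caplen, size_t len)
{
    size_t i = 0, optlen;
    int count = 0;

    if (len > caplen)              /* claimed length exceeds the capture */
        return -1;
    while (i < len) {
        if (len - i < OPT_HDR)     /* truncated option header */
            return -1;
        optlen = bp[i + 1];
        if (optlen < OPT_HDR)      /* optlen - OPT_HDR would underflow */
            return -1;
        if (optlen > len - i)      /* option runs past the buffer */
            return -1;
        /* payload is bp[i + OPT_HDR .. i + optlen - 1], all in bounds */
        i += optlen;
        count++;
    }
    return count;
}
```

Rejecting an option length below the header size also guarantees forward progress, so a zero length cannot stall the loop.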