[ASA-202007-3] tcpreplay: information disclosure
Arch Linux Security Advisory ASA-202007-3
=========================================

Severity: Medium
Date    : 2020-07-31
CVE-ID  : CVE-2020-12740
Package : tcpreplay
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-1154

Summary
=======

The package tcpreplay before version 4.3.3-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 4.3.3-1.

# pacman -Syu "tcpreplay>=4.3.3-1"

The problem has been fixed upstream in version 4.3.3.

Workaround
==========

None.

Description
===========

tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-read
during a get_c operation. The issue is being triggered in the function
get_ipv6_next() at common/get.c.

Impact
======

A remote attacker is able to disclose information on the affected host
with a crafted pcap file.

References
==========

https://github.com/appneta/tcpreplay/issues/576
https://security.archlinux.org/CVE-2020-12740
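
Added example, not tcpreplay's code and not the upstream fix: a bounds-checked walk of the IPv6 extension header chain, showing the length check that keeps a parser from reading past the bytes captured in a pcap record. The names ipv6_payload_offset and walk_sample and the sample packet are constructed for illustration, and the assumption is that the parser trusts nothing beyond the captured length.

```c
#include <stdint.h>
#include <stdio.h>

#define IPV6_FIXED_HDR_LEN 40

/* Walk the IPv6 header chain of a captured packet (pkt_len = bytes actually
 * captured). Returns the upper-layer payload offset and stores its protocol
 * in *proto, or -1 if any header would extend past the captured data. */
long ipv6_payload_offset(const uint8_t *pkt, size_t pkt_len, uint8_t *proto) {
    if (!pkt || !proto || pkt_len < IPV6_FIXED_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];                /* Next Header field of the fixed header */
    size_t off = IPV6_FIXED_HDR_LEN;    /* invariant: off <= pkt_len */
    for (;;) {
        size_t ext_len;
        if (nh == 0 || nh == 43 || nh == 60) {  /* hop-by-hop, routing, dest opts */
            if (pkt_len - off < 2) return -1;   /* length byte not captured */
            ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        } else if (nh == 44) {                  /* fragment header: fixed 8 bytes */
            ext_len = 8;
        } else if (nh == 51) {                  /* AH: (length field + 2) * 4 bytes */
            if (pkt_len - off < 2) return -1;
            ext_len = ((size_t)pkt[off + 1] + 2) * 4;
        } else {                                /* upper-layer protocol reached */
            *proto = nh;
            return (long)off;
        }
        if (ext_len > pkt_len - off) return -1; /* header claims more than captured */
        nh = pkt[off];
        off += ext_len;
    }
}

/* Constructed sample: fixed header (next = hop-by-hop) followed by one
 * hop-by-hop header whose next header is TCP (6). hbh_len_field is that
 * header's own length byte; captured (<= 48) is how many bytes the parser sees. */
long walk_sample(uint8_t hbh_len_field, size_t captured) {
    uint8_t buf[48] = {0}, proto = 0;
    buf[0] = 0x60;            /* version 6 */
    buf[40] = 6;              /* hop-by-hop -> TCP */
    buf[41] = hbh_len_field;  /* 0 means 8 bytes; larger values overrun buf */
    return ipv6_payload_offset(buf, captured, &proto);
}

int main(void) {
    printf("well-formed packet:      %ld\n", walk_sample(0, 48));
    printf("oversized length field:  %ld\n", walk_sample(5, 48));
    printf("truncated capture:       %ld\n", walk_sample(0, 41));
    return 0;
}
```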
participants (1)
-
Morten Linderud