[arch-security] [ASA-201503-20] tcpdump: multiple issues

Levente Polyak anthraxx at archlinux.org
Fri Mar 20 21:55:37 UTC 2015

Arch Linux Security Advisory ASA-201503-20

Severity: High
Date    : 2015-03-20
CVE-ID  : CVE-2014-8767 CVE-2014-8768 CVE-2014-8769 CVE-2014-9140
          CVE-2015-0261 CVE-2015-2153 CVE-2015-2154 CVE-2015-2155
Package : tcpdump
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package tcpdump before version 4.7.3-1 is vulnerable to multiple
issues including denial of service, out-of-bounds memory read and
possibly arbitrary code execution.


Upgrade to 4.7.3-1.

# pacman -Syu "tcpdump>=4.7.3-1"

The problems have been fixed upstream in version 4.7.3.




- CVE-2014-8767 (denial of service)

Integer underflow in the olsr_print function, when in verbose mode,
allows remote attackers to cause a denial of service (crash) via a
crafted length value in an OLSR frame.

- CVE-2014-8768 (denial of service)

Multiple integer underflows in the geonet_print function, when in
verbose mode, allow remote attackers to cause a denial of service
(segmentation fault and crash) via a crafted length value in a Geonet frame.

- CVE-2014-8769 (out-of-bounds memory read)

Might allow remote attackers to obtain sensitive information from memory
or cause a denial of service (packet loss or segmentation fault) via a
crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers
an out-of-bounds memory access.

- CVE-2014-9140 (denial of service)

Buffer overflow in the ppp_hdlc function in print-ppp.c allows remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted PPP packet.

- CVE-2015-0261 (out-of-bounds memory read)

IPv6 mobility printer mobility_opt_print() typecasting/signedness error
would handle "len" as "int" (=positive and negative numbers), instead of
"unsigned int" (=only positive numbers). When calling
mobility_opt_print() with a negative "len", the "i < len" check would
not be satisfied and it would not enter the loop and try to read from bp[i].

- CVE-2015-2153 (arbitrary code execution)

TCP printer problem with missing length check in the
rpki_rtr_pdu_print() function in print-rpki-rtr.c when processing
RPKI-RTR PDUs (Protocol Data Units) with an incorrect header length.
Without this check, the function will try to operate on invalid data
when processing certain packets, leading to all kinds of unwanted side
effects, including crashes due to invalid reads, writes and general
memory corruption. Due to the memory corruption aspect it may lead to
code execution.

- CVE-2015-2154 (out-of-bounds memory read)

Ethernet printer osi_print_cksum() missing sanity checks in
print-isoclns.c. The function may call the create_osi_cksum() function
in checksum.c with invalid data leading to out-of-bounds memory read.

- CVE-2015-2155 (arbitrary code execution)

A flaw was found in tcpdump's force printer. A remote attacker could use
this flaw to cause tcpdump to crash, resulting in a denial of service,
or possibly execute arbitrary code.


A remote attacker is able to inject specially crafted packets that cause
tcpdump to crash leading to denial of service, or possibly execute
arbitrary code via various vectors.
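
The length-handling failure described under CVE-2014-8767, CVE-2014-8768 and CVE-2015-2153, generalized as an added example (not part of the advisory and not tcpdump's code): a declared length is validated against the header size and the captured bytes before any subtraction or read. The 4-byte message layout, the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed layout: type(1) flags(1) length(2, big-endian, header included) */
#define HDR_LEN 4u

/* Unchecked pattern: trusts the declared length and subtracts the header. */
static uint32_t naive_payload_len(const uint8_t *p)
{
    uint32_t msg_len = ((uint32_t)p[2] << 8) | p[3];
    return msg_len - HDR_LEN;   /* wraps to a huge value when msg_len < 4 */
}

/* Checked pattern: 0 and *plen on success, -1 on a malformed message. */
static int checked_payload_len(const uint8_t *p, size_t caplen, size_t *plen)
{
    if (caplen < HDR_LEN) return -1;          /* header itself is truncated */
    size_t msg_len = ((size_t)p[2] << 8) | p[3];
    if (msg_len < HDR_LEN) return -1;         /* subtraction would underflow */
    if (msg_len > caplen) return -1;          /* would read past captured data */
    *plen = msg_len - HDR_LEN;
    return 0;
}

/* Walks every message in buf; returns the payload byte sum or -1 if malformed. */
static long sum_payload(const uint8_t *buf, size_t caplen)
{
    long total = 0;
    while (caplen > 0) {
        size_t plen;
        if (checked_payload_len(buf, caplen, &plen) != 0) return -1;
        for (size_t i = 0; i < plen; i++) total += buf[HDR_LEN + i];
        buf += HDR_LEN + plen;
        caplen -= HDR_LEN + plen;
    }
    return total;
}

/* Constructed sample captures. */
static const uint8_t good_frame[] = {1, 0, 0, 6, 10, 20,  2, 0, 0, 5, 7};
static const uint8_t short_len[]  = {1, 0, 0, 2, 0xAA, 0xBB}; /* length < header */
static const uint8_t long_len[]   = {1, 0, 0, 64, 1, 2};      /* length > capture */
int main(void)
{
    printf("naive length for short_len: %u\n", (unsigned)naive_payload_len(short_len));
    printf("good=%ld short=%ld long=%ld\n", sum_payload(good_frame, sizeof good_frame),
           sum_payload(short_len, sizeof short_len), sum_payload(long_len, sizeof long_len));
    return 0;
}
```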


