Your message dated Sat, 30 May 2026 12:28:32 +0000
with message-id <[email protected]>
and subject line Bug#1137278: fixed in arpwatch 2.1a15-10
has caused the Debian Bug report #1137278,
regarding arpwatch: heap buffer overflow in db.c via oversized DNS hostname, 
CVE pending
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137278
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: arpwatch
Version: 2.1a15-9
Severity: grave
Tags: security
X-Debbugs-CC: [email protected]

Dear Maintainer,

arpwatch 2.1a15 contains a heap buffer overflow in db.c. When arpwatch
performs a reverse DNS lookup for an IP address observed in ARP traffic,
the resolved hostname is copied into a fixed 34-byte buffer without length
validation. A DNS response containing a hostname longer than 33 characters
(valid per RFC 1035, max 253 characters) overflows the buffer by up to
219 bytes.

The fix is present in upstream arpwatch 3.0 (released 2019-12-01) but
Debian bookworm still ships version 2.1a15 from 2000.


VULNERABLE CODE
===============

File: db.c

    struct einfo {
        u_char e[6];    /* ether address */
        char h[34];     /* simple hostname  <- only 34 bytes */
        time_t t;       /* timestamp */
    };

Two affected locations:

1. elist_alloc() -- called when a new IP/MAC pair is first seen:

    h = getsname(a);
    if (h != NULL && !isdigit((int)*h))
        strcpy(ep->h, h);    /* <- overflow if len(h) > 33 */

2. check_hname() -- called when hostname changes:

    h = getsname(ap->a);
    if (!isdigit((int)*h) && strcmp(h, ep->h) != 0) {
        strcpy(ep->h, h);    /* <- overflow if len(h) > 33 */
    }

getsname() calls gethostbyaddr() and truncates the result at the first
'.' (to strip the domain). A PTR record containing a label without dots
(e.g. 253 'A' characters) passes through untruncated and causes the
overflow.


ATTACK SCENARIO
===============

1. arpwatch is running and monitoring a network interface.
2. An ARP packet is observed for an IP address.
3. arpwatch performs a reverse DNS lookup (PTR query) for that IP.
4. An attacker who controls the DNS response (via rogue DNS server,
   DNS cache poisoning, or control of the PTR record for the IP)
   returns a hostname of 34 or more characters without any dots.
5. strcpy(ep->h, h) overflows the 34-byte heap buffer by up to 219
   bytes, corrupting adjacent heap metadata.

On Debian, arpwatch typically runs as root or a dedicated user with
CAP_NET_RAW. A successful exploit could achieve arbitrary code execution
with those privileges.


FIX IN UPSTREAM 3.x
====================

Fixed in arpwatch 3.0 (2019-12-01) with two changes:

  1. Buffer size increased from 34 to 64 bytes:
       char h[64];   /* simple hostname */

  2. strcpy replaced with bounded copy:
       strncpy(ep->h, h, sizeof(ep->h));
       ep->h[sizeof(ep->h) - 1] = '\0';

Recommended remediation: update the Debian package from 2.1a15 to the
current upstream release (3.6, 2024-01-21).

Upstream source:
  https://ee.lbl.gov/downloads/arpwatch/arpwatch-3.6.tar.gz


CVSS ESTIMATE
=============

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H -- Score: 8.1 (High)


DISCLOSURE TIMELINE
===================

  2026-05-21  Vulnerability identified during source code audit
  2026-05-21  Report submitted to [email protected]
  2026-05-22  Report submitted to Debian BTS per Moritz Mühlenhoff request


Reporter: Igor Garofano <[email protected]>


--- End Message ---
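
Added example, not part of the original report and not arpwatch's own code: a small C program showing why a dotless name reaches the copy at full length and how the bounded copy quoted for 3.0 behaves on it. strip_domain(), would_overflow() and set_hostname() are hypothetical helper names, and both sample hostnames are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define OLD_HLEN 34   /* size of h[] in 2.1a15, per the report */
#define NEW_HLEN 64   /* size of h[] in 3.0, per the report */

struct einfo {
    unsigned char e[6];   /* ether address (u_char in db.c) */
    char h[NEW_HLEN];     /* simple hostname */
    time_t t;             /* timestamp */
};

/* Hypothetical stand-in for the last step of getsname(): cut at the first '.' */
static void strip_domain(char *name) {
    char *dot = strchr(name, '.');
    if (dot != NULL)
        *dot = '\0';
}

/* 1 if strcpy() of h (plus its NUL) would not fit in a buffer of cap bytes. */
static int would_overflow(const char *h, size_t cap) {
    return strlen(h) + 1 > cap;
}

/* Bounded copy as quoted for 3.0; returns 1 when the name had to be cut. */
static int set_hostname(struct einfo *ep, const char *h) {
    int truncated = would_overflow(h, sizeof(ep->h));
    strncpy(ep->h, h, sizeof(ep->h));
    ep->h[sizeof(ep->h) - 1] = '\0';
    return truncated;
}

int main(void) {
    char fqdn[] = "gateway.example.net";  /* constructed sample name */
    char label[254];                      /* constructed: 253 chars, no dot */
    struct einfo e;
    int cut;

    memset(&e, 0, sizeof(e));
    memset(label, 'A', sizeof(label) - 1);
    label[sizeof(label) - 1] = '\0';
    strip_domain(fqdn);    /* becomes "gateway" */
    strip_domain(label);   /* unchanged: there is no '.' to cut at */

    printf("fqdn  len=%zu unsafe_in_34=%d\n", strlen(fqdn), would_overflow(fqdn, OLD_HLEN));
    printf("label len=%zu unsafe_in_34=%d\n", strlen(label), would_overflow(label, OLD_HLEN));
    cut = set_hostname(&e, label);
    printf("bounded copy: truncated=%d stored_len=%zu\n", cut, strlen(e.h));
    return 0;
}
```

The bounded copy silently truncates, so a caller that cares about the full name should act on the return value (for example by logging it).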
--- Begin Message ---
Source: arpwatch
Source-Version: 2.1a15-10
Done: Sven Geuer <[email protected]>

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Geuer <[email protected]> (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 May 2026 14:00:03 +0200
Source: arpwatch
Architecture: source
Version: 2.1a15-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Sven Geuer <[email protected]>
Closes: 1137278
Changes:
 arpwatch (2.1a15-10) unstable; urgency=medium
 .
   * Team upload.
   * d/p/*: Add patch fixing heap buffer overflow via oversized DNS hostname
     (Closes: #1137278).
   * d/control:
     - Drop 'Priority: optional'.
     - Drop 'Rules-Requires-Root: no'.
     - Bump Standards-Version to 4.7.4.
   * d/watch: Update watch file to version 5 format.
   * d/copyright: Bump packaging copyright years.


--- End Message ---
