Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: a4fa71d8 by Markus Koschany at 2018-12-30T15:25:35Z

CVE-2018-20552,CVE-2018-20553,tcpreplay: no-dsa for Jessie

The heap-based buffer overflows are reproducible with ASAN; without ASAN the tcprep tool segfaults. Since we have marked similar issues as no-dsa in the past and none of our sponsors uses it, I also mark it as no-dsa. In addition, to exploit this issue one has to manipulate a pcap file and trick someone into using it.

- - - - -

1 changed file: - data/CVE/list

Changes:

===================================== data/CVE/list ===================================== @@ -64,10 +64,12 @@ CVE-2018-20554 RESERVED CVE-2018-20553 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len ...) - tcpreplay <unfixed> (bug #917574) + [jessie] - tcpreplay <no-dsa> (not used by any sponsor, hard to exploit) NOTE: https://github.com/appneta/tcpreplay/issues/530 NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2 CVE-2018-20552 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree ...) - tcpreplay <unfixed> (bug #917574) + [jessie] - tcpreplay <no-dsa> (not used by any sponsor, hard to exploit) NOTE: https://github.com/appneta/tcpreplay/issues/530 NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2 CVE-2018-1000893

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4fa71d8b54a7dfa7fdb6e874ffe6d107148f77a
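Review bot: The reason on both added [jessie] lines, "(not used by any sponsor, hard to exploit)", is vaguer than the commit message and leaves the actual triage basis out of data/CVE/list. The commit message gives two concrete facts: the tool only segfaults without ASAN, and an attacker has to craft a pcap file and get someone to process it. Consider putting that precondition in the parenthetical on the CVE-2018-20553 and CVE-2018-20552 entries in place of "hard to exploit", so a later reader of the tracker can re-evaluate the no-dsa decision without digging up this commit. Also note that the commit message says "buffer overflows" while both entry descriptions say "heap-based buffer over-read" (in get_l2len and packet2tree); keeping the wording consistent with the entries would avoid confusion about whether a write primitive is involved.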