Summary: CAN-2005-1267 tcpdump BGP DoS
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: tcpdump
Assignee: Martin Stransky <stransky>
Status: CLOSED ERRATA
QA Contact:
Fixed In Version: RHSA-2005-505
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2005-06-13 12:03:32 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Josh Bressers 2005-05-31 16:11:32 UTC
Simon L. Nielsen alerted vendor-sec to this issue: While working on the FreeBSD Security Advisory for the recent tcpdump issues (CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280) I noticed that there is another similar infinite loop DoS vulnerability in the BGP handling code. The problem lies in bgp_update_print() in print-bgp.c around line 1652, where the -1 return value from decode_prefix4() is not properly handled. This problem was fixed in tcpdump CVS repository in print-bgp.c v. 1.95 on May 5, but it hasn't gone to the tcpdump 3.8 branch, and hasn't been included in any of the vendor patch sets for earlier DoS vulnerabilities that I have seen.
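The bug class Simon describes, a length-driven parsing loop that adds a decoder's -1 error return to its cursor without checking it, is easy to reproduce in miniature. The C below is an added illustration written for this page, not tcpdump's print-bgp.c: decode_prefix_toy(), walk_prefixes(), MAX_ITER and the two SAMPLE_* buffers are all constructed stand-ins with the same return contract (bytes consumed, or -1 on a malformed entry). The unchecked walk is capped by a demo guard so it terminates; the guard is not the fix, the `advance < 0` check is.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy prefix decoder (constructed; not tcpdump's decode_prefix4()).
 * Each entry is a 1-byte prefix length followed by ceil(plen/8) octets.
 * Returns the number of bytes consumed, or -1 on a malformed entry. */
static int decode_prefix_toy(const uint8_t *p, const uint8_t *end)
{
    if (p >= end)
        return -1;
    unsigned plen = p[0];
    if (plen > 32)
        return -1;                      /* impossible IPv4 prefix length */
    size_t octets = (plen + 7) / 8;
    if ((size_t)(end - p) < 1 + octets)
        return -1;                      /* octets run past the buffer */
    return (int)(1 + octets);
}

#define MAX_ITER 1000   /* demo guard only, so the unchecked walk terminates */

/* Walk the entries in buf[0..len).
 * check_error == 0: the -1 return is added to the cursor unchecked, which is
 *   the bug class in the report: the cursor steps backwards, the loop
 *   condition stays true and the loop never ends.
 * check_error == 1: a negative return aborts the walk (the shape of the fix).
 * Returns the number of entries decoded, -1 on a malformed entry (checked
 * mode), or -2 if the demo guard tripped (unchecked mode looped). */
int walk_prefixes(const uint8_t *buf, size_t len, int check_error)
{
    ptrdiff_t off = 0;
    int count = 0, iter = 0;
    while (off < (ptrdiff_t)len) {
        if (++iter > MAX_ITER || off < 0)
            return -2;                  /* guard: real code would never return */
        int advance = decode_prefix_toy(buf + off, buf + len);
        if (check_error && advance < 0)
            return -1;                  /* the missing check */
        off += advance;                 /* advance == -1 moves the cursor back */
        count++;
    }
    return count;
}

/* Constructed samples. SAMPLE_OK encodes 10/8 then 192.168/16.
 * SAMPLE_BAD encodes 10/8 followed by an impossible prefix length of 255. */
const uint8_t SAMPLE_OK[]  = { 0x08, 0x0a, 0x10, 0xc0, 0xa8 };
const uint8_t SAMPLE_BAD[] = { 0x08, 0x0a, 0xff };

int main(void)
{
    printf("ok,  unchecked: %d entries\n",
           walk_prefixes(SAMPLE_OK, sizeof SAMPLE_OK, 0));
    printf("bad, unchecked: %d (guard tripped: would loop forever)\n",
           walk_prefixes(SAMPLE_BAD, sizeof SAMPLE_BAD, 0));
    printf("bad, checked  : %d (malformed entry rejected)\n",
           walk_prefixes(SAMPLE_BAD, sizeof SAMPLE_BAD, 1));
    return 0;
}
```

On SAMPLE_BAD the unchecked walk cycles through offsets 0, 2, 1, 0, ... because the entries at offsets 2 and 1 both decode as malformed and each -1 pulls the cursor back by one byte; the checked walk stops at the first bad entry. A review rule that follows from this: any decoder returning a signed "bytes consumed" value must have every caller test for a negative result before using it as an increment.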
Comment 1 Josh Bressers 2005-05-31 16:12:22 UTC
This issue should also affect RHEL2.1 and RHEL3
Comment 2 Josh Bressers 2005-05-31 16:13:04 UTC
Created attachment 115005 [details] Patch from upstream
Comment 3 Josh Bressers 2005-05-31 16:14:39 UTC
Created attachment 115006 [details] Proof of concept exploit
Comment 4 Martin Stransky 2005-06-01 08:03:02 UTC
When will the embargo expire?
Comment 5 Josh Bressers 2005-06-01 11:24:41 UTC
There is no set date yet. I'll let you know as soon as there is one. I expect it to be soon. This fix is already in the upstream CVS, so it makes little sense to try to keep it a secret for too long.
Comment 6 Mark J. Cox 2005-06-06 08:39:02 UTC
Removing embargo as per Simon Nielsen msg to vendor-sec
Comment 7 Martin Stransky 2005-06-08 08:34:20 UTC
RHEL2.1 and RHEL3 aren't affected by this issue; the bug is only in version 3.8.2.
Comment 8 Josh Bressers 2005-06-13 12:03:32 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-505.html