Bug 729096 (CVE-2011-2903)

Summary: CVE-2011-2903 tcptrack: heap overflow in parsing the command line
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: jitesh.1337
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: public=20110803,reported=20110805,source=gentoo,impact=moderate,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/tcptrack=affected
Doc Type: Bug Fix
Last Closed: 2011-09-13 21:16:05 UTC
Bug Depends On: 729098

Description Vincent Danen 2011-08-08 17:21:54 UTC
A heap overflow in the parsing of the command line in tcptrack was corrected in version 1.4.2 [1].  If tcptrack were configured as a handler for other applications that could pass user-supplied command line input to tcptrack, it could result in a crash of tcptrack or, potentially, the execution of arbitrary code with the privileges of the user running tcptrack.

Fedora currently has 1.4.0 and should be updated to 1.4.2.

[1] http://www.rhythm.cx/~steve/devel/tcptrack/#news

Comment 1 Vincent Danen 2011-08-08 17:25:09 UTC
Created tcptrack tracking bugs for this issue

Affects: fedora-all [bug 729098]

Comment 2 Vincent Danen 2011-08-10 17:53:26 UTC
This issue was assigned the name CVE-2011-2903.

Comment 3 Vincent Danen 2011-09-13 21:16:05 UTC
According to MITRE, there is some question as to whether this should be called a flaw:

http://www.openwall.com/lists/oss-security/2011/08/31/1

The "attack" is through a command line argument. While it's listed as a sniffer, the above text suggests that tcptrack might not be setuid/privileged, since the only given scenario is "as a handler for other applications." Unless this is a typical/known scenario, this seems like just another unprivileged application, in which case the control over a command line argument would not directly cross privilege boundaries, thus falling into the realm of "bug" and not "vulnerability."

Given the above, and that tcptrack has been updated to the fixed 1.4.2 version in Fedora 16, we won't be insisting on packages for Fedora 14 and 15.