Bug 82995

Summary: tcpdump problem with bgp decoding
Product: Red Hat Enterprise Linux 2.1
Reporter: Mark J. Cox <mjc>
Component: tcpdump
Assignee: Harald Hoyer <harald>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 2.1
CC: eric.moret, samsonite451
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-02-26 15:19:45 UTC

Description Mark J. Cox 2003-01-29 13:11:58 UTC
The BGP decoding routines for tcpdump used incorrect bounds checking when
copying data. This could be abused by introducing malicious traffic on a sniffed
network for a denial of service attack against tcpdump, or possibly even remote
code execution.

RHSA-2002:094 patched CAN-2002-0380 with tcpdump-3.6.2-11
AS/RHSA-2002:121 patched CAN-2002-0380 with tcpdump-3.6.2-11

See http://marc.theaimsgroup.com/?l=bugtraq&m=103956164004031&w=2
also http://www.tcpdump.org/lists/workers/2001/10/msg00101.html

3.6.* is vulnerable, 3.7 isn't

CVE applied for Dec11: CAN-2002-1350
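
The bounds-checking pattern behind the description above, as an added C example: this is not tcpdump's code and not the routine the errata patched, but a constructed IPv4 NLRI decoder written twice, once in the naive form that trusts the packet's prefix-length byte as a copy length, and once hardened. The NLRI layout (one byte of prefix length in bits, then ceil(plen/8) bytes of prefix) follows RFC 4271; the function names, the sample NLRI bytes and the hostile entries are constructed for illustration and are assumptions, not material from this bug report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * BGP UPDATE NLRI entry (RFC 4271 section 4.3): one byte prefix length in
 * bits, then ceil(plen/8) bytes of prefix.  plen comes from the packet, so a
 * decoder must bound it before using it as a memcpy length.
 */

/* Naive decoder (the bug pattern, constructed, not tcpdump's): it trusts plen.
 * plen = 0xff gives plenbytes = 32, so the memcpy writes 32 bytes into a
 * 4-byte buffer and reads past the packet.  Never feed it untrusted data. */
int decode_prefix4_naive(const uint8_t *pptr, char *out, size_t outlen)
{
    uint8_t addr[4] = {0};
    unsigned plen = pptr[0];
    unsigned plenbytes = (plen + 7) / 8;

    memcpy(addr, pptr + 1, plenbytes);        /* unbounded copy */
    snprintf(out, outlen, "%u.%u.%u.%u/%u",
             addr[0], addr[1], addr[2], addr[3], plen);
    return (int)(1 + plenbytes);
}

/* Hardened decoder: returns bytes consumed, or -1 if the entry is malformed
 * (prefix longer than 32 bits, or fewer bytes available than it claims). */
int decode_prefix4(const uint8_t *pptr, size_t avail, char *out, size_t outlen)
{
    uint8_t addr[4] = {0};
    unsigned plen, plenbytes;

    if (avail < 1)
        return -1;
    plen = pptr[0];
    if (plen > 32)                            /* bounds the copy length */
        return -1;
    plenbytes = (plen + 7) / 8;
    if (avail - 1 < plenbytes)                /* truncated entry */
        return -1;
    memcpy(addr, pptr + 1, plenbytes);        /* now at most 4 bytes */
    if (plen % 8)                             /* clear bits past the prefix */
        addr[plenbytes - 1] &= (uint8_t)(0xffu << (8 - plen % 8));
    snprintf(out, outlen, "%u.%u.%u.%u/%u",
             addr[0], addr[1], addr[2], addr[3], plen);
    return (int)(1 + plenbytes);
}

/* Walk an NLRI field with the hardened decoder, writing each prefix into
 * out[] (max entries).  Returns the count, or -1 on a malformed entry or
 * when out[] is full before the field ends. */
int walk_nlri(const uint8_t *nlri, size_t len, char out[][20], size_t max)
{
    size_t off = 0, n = 0;

    while (off < len) {
        int used;
        if (n == max)
            return -1;
        used = decode_prefix4(nlri + off, len - off, out[n], 20);
        if (used < 0)
            return -1;
        off += (size_t)used;
        n++;
    }
    return (int)n;
}

/* Constructed NLRI: 10.0.0.0/8, 192.168.16.0/20 (with junk bits set past the
 * prefix on the wire, which the hardened decoder masks), 172.16.0.1/32. */
static const uint8_t good_nlri[] = {
    8, 10,
    20, 192, 168, 0x1f,
    32, 172, 16, 0, 1
};
/* Constructed hostile entry: plen 0xff claims 32 bytes of prefix. */
static const uint8_t bad_plen_nlri[] = { 0xff, 1, 2, 3, 4 };
/* Constructed truncated entry: claims /24 but only two prefix bytes follow. */
static const uint8_t truncated_nlri[] = { 24, 10, 1 };

static char demo_out[4][20];

int main(void)
{
    int n = walk_nlri(good_nlri, sizeof good_nlri, demo_out, 4);
    for (int i = 0; i < n; i++)
        printf("%s\n", demo_out[i]);
    printf("hostile plen: %d\n",
           walk_nlri(bad_plen_nlri, sizeof bad_plen_nlri, demo_out, 4));
    printf("truncated: %d\n",
           walk_nlri(truncated_nlri, sizeof truncated_nlri, demo_out, 4));
    return 0;
}
```

The two checks in decode_prefix4 are the whole difference: the first caps the attacker-chosen length at what the destination can hold, the second caps it at what the captured packet actually contains, so neither the write nor the read can leave its buffer.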

Comment 1 Harald Hoyer 2003-02-12 14:01:57 UTC
*** Bug 80152 has been marked as a duplicate of this bug. ***

Comment 2 Mark J. Cox 2003-02-26 15:19:45 UTC
An erratum has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below.
You may reopen this bug report if the solution does not work for you.


Comment 3 Sam 2003-03-08 13:50:12 UTC
This hasn't been fixed in anything but the Advanced Series. It should be reopened.

Comment 4 Mark J. Cox 2003-03-08 14:16:05 UTC
This bug is filed against the Advanced Server product and therefore should be
closed.  There might be a bug already open against the base product for this
security issue, but even if not an errata is in progress for the base.