Bug 729096 (CVE-2011-2903) - CVE-2011-2903 tcptrack: heap overflow in parsing the command line
Summary: CVE-2011-2903 tcptrack: heap overflow in parsing the command line
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2011-2903
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 729098
Blocks:
 
Reported: 2011-08-08 17:21 UTC by Vincent Danen
Modified: 2019-09-29 12:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-13 21:16:05 UTC
Embargoed:



Description Vincent Danen 2011-08-08 17:21:54 UTC
A heap overflow in the parsing of the command line in tcptrack was corrected in version 1.4.2 [1].  If tcptrack were configured as a handler for other applications that could pass user-supplied command line input to tcptrack, it could result in a crash of tcptrack or, potentially, the execution of arbitrary code with the privileges of the user running tcptrack.

Fedora currently has 1.4.0 and should be updated to 1.4.2.

[1] http://www.rhythm.cx/~steve/devel/tcptrack/#news
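The description names the bug class (a heap overflow while parsing the command line) but not the overflow site. The following is an added illustration, not tcptrack's code, of the general pattern behind such reports: an option value copied into a fixed-size heap buffer without a length check, shown beside a bounded copy that rejects over-long arguments. The `-f` option, the `MAX_FILTER_LEN` capacity and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Constructed illustration (not tcptrack's code). The page reports a heap
 * overflow in command-line parsing in tcptrack 1.4.0, fixed in 1.4.2, but not
 * the exact site, so this only models the general pattern. */

#define MAX_FILTER_LEN 64   /* hypothetical fixed capacity for an option value */

/* Unsafe pattern, shown as a comment only and never executed here:
 *   char *buf = malloc(MAX_FILTER_LEN);
 *   strcpy(buf, argv[i]);   // no length check: a longer argv[i] writes past buf
 */

/* Hardened form: reject any argument that does not fit, including the NUL. */
char *copy_arg_bounded(const char *arg, size_t capacity)
{
    if (arg == NULL || capacity == 0) {
        errno = EINVAL;
        return NULL;
    }
    size_t len = strnlen(arg, capacity);   /* never reads past capacity bytes */
    if (len == capacity) {                 /* no room left for the terminating NUL */
        errno = E2BIG;
        return NULL;
    }
    char *buf = malloc(capacity);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);             /* copies the NUL as well */
    return buf;
}

/* Walk argv the way a small tool does: "-f <filter>" takes a value.
 * Returns 0 on success (filter_out is NULL when -f was not given) and
 * -1 on a missing or over-long value; on failure filter_out is NULL. */
int parse_filter_option(int argc, char *argv[], char **filter_out)
{
    *filter_out = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-f") == 0) {
            if (i + 1 >= argc) {
                fprintf(stderr, "-f requires a value\n");
                free(*filter_out);
                *filter_out = NULL;
                return -1;
            }
            char *v = copy_arg_bounded(argv[i + 1], MAX_FILTER_LEN);
            if (v == NULL) {
                fprintf(stderr, "filter argument rejected: %s\n", strerror(errno));
                free(*filter_out);
                *filter_out = NULL;
                return -1;
            }
            free(*filter_out);   /* last -f wins; do not leak an earlier value */
            *filter_out = v;
            i++;
        }
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char *filter;
    if (parse_filter_option(argc, argv, &filter) != 0)
        return 1;
    printf("filter: %s\n", filter ? filter : "(none)");
    free(filter);
    return 0;
}
```

The bounded copy uses `strnlen` so that even the length measurement cannot run past the buffer capacity, and it treats "exactly fills the buffer" as an error because the terminator would not fit; that is the case a plain `len <= capacity` check gets wrong.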

Comment 1 Vincent Danen 2011-08-08 17:25:09 UTC
Created tcptrack tracking bugs for this issue

Affects: fedora-all [bug 729098]

Comment 2 Vincent Danen 2011-08-10 17:53:26 UTC
This issue was assigned the name CVE-2011-2903.

Comment 3 Vincent Danen 2011-09-13 21:16:05 UTC
According to MITRE, there is some question as to whether this should be called a flaw:

http://www.openwall.com/lists/oss-security/2011/08/31/1

The "attack" is through a command line argument.  While it's listed as a sniffer, the above text suggests that tcptrack might not be setuid/privileged, since the only given scenario is "as a handler for other applications."  Unless this is a typical/known scenario, this seems like just another unprivileged application, in which case the control over a command line argument would not directly cross privilege boundaries, thus falling into the realm of "bug" and not "vulnerability."


Given the above, and that tcptrack has been updated to the fixed 1.4.2 version in Fedora 16, we won't be insisting on packages for Fedora 14 and 15.

