A heap overflow in the parsing of the command line in tcptrack was corrected in version 1.4.2 [1]. If tcptrack were configured as a handler for other applications that could pass user-supplied command line input to tcptrack, it could result in a crash of tcptrack or, potentially, the execution of arbitrary code with the privileges of the user running tcptrack. Fedora currently has 1.4.0 and should be updated to 1.4.2.

[1] http://www.rhythm.cx/~steve/devel/tcptrack/#news
Created tcptrack tracking bugs for this issue

Affects: fedora-all [bug 729098]
This issue was assigned the name CVE-2011-2903.
According to MITRE, there is some question as to whether this should be called a flaw: http://www.openwall.com/lists/oss-security/2011/08/31/1

The "attack" is through a command line argument. While it's listed as a sniffer, the above text suggests that tcptrack might not be setuid/privileged, since the only given scenario is "as a handler for other applications." Unless this is a typical/known scenario, this seems like just another unprivileged application, in which case the control over a command line argument would not directly cross privilege boundaries, thus falling into the realm of "bug" and not "vulnerability."

Given the above, and that tcptrack has been updated to the fixed 1.4.2 version in Fedora 16, we won't be insisting on packages for Fedora 14 and 15.