Bug 1419066 (CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486) - tcpdump: multiple overflow issues in protocol decoding
Summary: tcpdump: multiple overflow issues in protocol decoding
Status: CLOSED ERRATA
Alias: CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170202,repor...
Keywords: Security
Duplicates: 1419067 1419068 1419070 1419071 1419072 1419073 1419074 1419075 1419076 1419077 1419078 1419079 1419080 1419081 1419082 1419083 1419085 1419087 1419088 1419089 1419090 1419091 1419093 1419094 1419095 1419097 1419098 1419099 1419100 1419101 1419102 1419103 1419104 1419106 1419107 1419108 1419109 1419110 1419111 1419112
Depends On: 1419114 1447507
Blocks: 1415638 1419144
 
Reported: 2017-02-03 15:13 UTC by Adam Mariš
Modified: 2017-08-03 02:46 UTC
CC List: 9 users

Fixed In Version: tcpdump 4.9.0
Doc Type: If docs needed, set a value
Doc Text:
Multiple out of bounds read and integer overflow vulnerabilities were found in tcpdump affecting the decoding of various protocols. An attacker could create a crafted pcap file or send specially crafted packets to the network segment where tcpdump is running in live capture mode (without -w) which could cause it to display incorrect data, crash or enter an infinite loop.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-03 02:46:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: none


External Trackers
Tracker ID:   Red Hat Product Errata RHSA-2017:1871
Priority:     normal
Status:       SHIPPED_LIVE
Summary:      Moderate: tcpdump security, bug fix, and enhancement update
Last Updated: 2017-08-01 16:00:24 UTC

Description Adam Mariš 2017-02-03 15:13:34 UTC
Multiple buffer overflows, and one integer overflow, in protocol decoding were found that may cause incorrect decoding, segmentation fault or (in the case of integer overflow) an infinite loop. These issues can be exploited either locally, by making the target user decode a crafted .pcap file using tcpdump, or remotely by sending crafted packets to the network segment where the target system is running tcpdump decoding the live packet capture. Ability to send crafted packets to the target network segment is limited by the protocols' ability to cross network segments, or presence of firewall rules.

Upstream changelog:

http://www.tcpdump.org/tcpdump-changes.txt

Comment 1 Adam Mariš 2017-02-03 15:13:46 UTC
Acknowledgments:

Name: the Tcpdump project

Comment 2 Adam Mariš 2017-02-03 15:35:20 UTC
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1419114]

Comment 4 Doran Moppert 2017-02-13 06:49:53 UTC
Statement:

Red Hat Product Security has rated these issues as having Moderate security impact. These issues may be fixed in a future minor release of Red Hat Enterprise Linux 7. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 5 Doran Moppert 2017-02-13 06:50:02 UTC
Mitigation:

When invoked with the "-w" option, to write raw packets to a pcap file (for forensic purposes or offline examination), tcpdump does not use the protocol decoding subsystem and is not affected by these flaws. Red Hat Product Security recommends that any unattended uses of tcpdump use this option to ensure uninterrupted packet capture.
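
The following is an added example of putting that mitigation into practice; it is not code from this bug or from the tcpdump project. The interface name eth0, the output directory /var/tmp/cap and the unprivileged capture user "tcpdump" are placeholders. It checks the installed tcpdump against the "Fixed In Version" recorded above and, for an unfixed build, prints a raw-capture command line that never enters the decoders.

```shell
#!/bin/sh
# Added example, not code from this bug or the tcpdump project.
# Placeholders (assumptions): interface eth0, output directory /var/tmp/cap,
# and the unprivileged capture user "tcpdump".

# vercmp_ge A B: succeed when dotted version A is numerically >= B
# (compares up to three fields; missing fields count as 0).
vercmp_ge() {
    vb=$2
    set -- $(printf '%s' "$1" | tr . ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s' "$vb" | tr . ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
    [ "$a3" -ge "$b3" ]
}

# tcpdump_is_fixed LINE: LINE is the first line of `tcpdump --version`
# (e.g. "tcpdump version 4.9.2"); succeed when it is 4.9.0 or later, the
# "Fixed In Version" recorded in this bug. The version number is only a
# heuristic because distributions backport fixes; on RHEL prefer
#   rpm -q --changelog tcpdump | grep CVE-2016-7922
tcpdump_is_fixed() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] && vercmp_ge "$ver" 4.9.0
}

# capture_cmd IFACE OUTDIR USER: print the unattended capture command line.
# -w writes raw frames and never runs the protocol decoders; -Z drops root
# once the interface is open; -G rotates the file hourly (strftime pattern
# in the name). Decode the files later with `tcpdump -n -r FILE` on a host
# whose tcpdump is patched.
capture_cmd() {
    printf 'tcpdump -i %s -Z %s -G 3600 -w %s/cap-%%Y%%m%%d-%%H%%M%%S.pcap\n' \
        "$1" "$3" "$2"
}

# Stand-alone run: allow live decoding only on a fixed build; otherwise
# show the raw-capture command that is safe regardless of version.
if tcpdump_is_fixed "$(tcpdump --version 2>&1 | head -n 1)"; then
    echo "tcpdump is 4.9.0 or later; live decoding is acceptable"
else
    echo "tcpdump is older than 4.9.0 (or not installed); capture raw only:"
    capture_cmd eth0 /var/tmp/cap tcpdump
fi
```

Two caveats the mitigation text leaves implicit: `-w -` writes the raw stream to stdout, so piping it into another decoder just moves the exposure to that process; and `-n`, `-q` or a narrower BPF filter reduce but do not remove decoder exposure, because whatever matches the filter is still dissected.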

Comment 6 Doran Moppert 2017-02-13 07:36:58 UTC
Detail of individual CVEs:

CVE-2016-7922 Buffer overflow in AH parser in print-ah.c:ah_print()
CVE-2016-7923 Buffer overflow in ARP parser in print-arp.c:arp_print()
CVE-2016-7924 Buffer overflow in ATM parser in print-atm.c:oam_print()
CVE-2016-7925 Buffer overflow in compressed SLIP parser in print-sl.c:sl_if_print()
CVE-2016-7926 Buffer overflow in Ethernet parser in print-ether.c:ethertype_print()
CVE-2016-7927 Buffer overflow in IEEE 802.11 parser in print-802_11.c:ieee802_11_radio_print()
CVE-2016-7928 Buffer overflow in IPComp parser in print-ipcomp.c:ipcomp_print()
CVE-2016-7929 Buffer overflow in Juniper PPPoE ATM parser in print-juniper.c:juniper_parse_header()
CVE-2016-7930 Buffer overflow in LLC parser in print-llc.c:llc_print()
CVE-2016-7931 Buffer overflow in MPLS parser in print-mpls.c:mpls_print()
CVE-2016-7932 Buffer overflow in PIM parser in print-pim.c:pimv2_check_checksum()
CVE-2016-7933 Buffer overflow in PPP parser in print-ppp.c:ppp_hdlc_if_print()
CVE-2016-7934 Buffer overflow in RTCP parser in print-udp.c:rtcp_print()
CVE-2016-7935 Buffer overflow in RTP parser in print-udp.c:rtp_print()
CVE-2016-7936 Buffer overflow in UDP parser in print-udp.c:udp_print()
CVE-2016-7937 Buffer overflow in VAT parser in print-udp.c:vat_print()
CVE-2016-7938 Integer overflow in ZeroMQ parser in print-zeromq.c:zmtp1_print_frame()
CVE-2016-7939 Buffer overflow in GRE parser in print-gre.c, multiple functions
CVE-2016-7940 Buffer overflow in STP parser in print-stp.c, multiple functions
CVE-2016-7973 Buffer overflow in AppleTalk parser in print-atalk.c, multiple functions
CVE-2016-7974 Buffer overflow in IP parser in print-ip.c, multiple functions
CVE-2016-7975 Buffer overflow in TCP parser in print-tcp.c:tcp_print()
CVE-2016-7983 Buffer overflow in BOOTP parser in print-bootp.c:bootp_print()
CVE-2016-7984 Buffer overflow in TFTP parser in print-tftp.c:tftp_print()
CVE-2016-7985 Buffer overflow in CALM FAST parser in print-calm-fast.c:calm_fast_print()
CVE-2016-7986 Buffer overflow in GeoNetworking parser in print-geonet.c, multiple functions
CVE-2016-7992 Buffer overflow in Classical IP over ATM parser in print-cip.c:cip_if_print()
CVE-2016-7993 Buffer overflow in util-print.c:relts_print() in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM)
CVE-2016-8574 Buffer overflow in FRF.15 parser in print-fr.c:frf15_print()
CVE-2016-8575 Buffer overflow in Q.933 parser in print-fr.c:q933_print()
CVE-2017-5202 Buffer overflow in ISO CLNS parser in print-isoclns.c:clnp_print()
CVE-2017-5203 Buffer overflow in BOOTP parser in print-bootp.c:bootp_print()
CVE-2017-5204 Buffer overflow in IPv6 parser in print-ip6.c:ip6_print()
CVE-2017-5205 Buffer overflow in ISAKMP parser in print-isakmp.c:ikev2_e_print()
CVE-2017-5341 Buffer overflow in OTV parser in print-otv.c:otv_print()
CVE-2017-5342 Buffer overflow in print-ether.c:ether_print() in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE)
CVE-2017-5482 Buffer overflow in Q.933 parser in print-fr.c:q933_print()
CVE-2017-5483 Buffer overflow in SNMP parser in print-snmp.c:asn1_parse()
CVE-2017-5484 Buffer overflow in ATM parser in print-atm.c:sig_print()
CVE-2017-5485 Buffer overflow in ISO CLNS parser in addrtoname.c:lookup_nsap()
CVE-2017-5486 Buffer overflow in ISO CLNS parser in print-isoclns.c:clnp_print()
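
The entries above share one shape: a decoder reads bytes on the strength of a length or type field taken from the packet, without first proving those bytes exist in the captured snapshot. The C below is an added illustration of that bug class and its fix; it is not tcpdump code and does not reproduce any CVE in the list. The TLV record layout, the function names and the 1024-byte zeroed backing buffer (which lets the unsafe walker be observed instead of faulting) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class behind the CVE list (not tcpdump code,
 * not any specific CVE): a decoder that trusts a length byte from the packet
 * without checking it against the captured length, beside the same decoder
 * written in tcpdump's check-before-read style. The TLV layout is invented. */

#define BACKING 1024   /* zeroed memory we own around the sample packet */

/* Hypothetical record: type (1 byte), length (1 byte), then length value bytes. */

/* Every read goes through peek() so the highest byte index touched is kept. */
static uint8_t peek(const uint8_t *pkt, size_t off, size_t *reach)
{
    if (off + 1 > *reach)
        *reach = off + 1;
    return pkt[off];
}

/* Vulnerable pattern: the loop condition only proves the record starts inside
 * caplen; the value bytes are read on the strength of an attacker-chosen
 * length. Returns records decoded. */
int tlv_walk_unsafe(const uint8_t *pkt, size_t caplen, size_t *reach)
{
    size_t off = 0;
    int n = 0;

    *reach = 0;
    while (off < caplen) {
        unsigned len = peek(pkt, off + 1, reach);
        (void)peek(pkt, off, reach);                /* type byte */
        for (unsigned i = 0; i < len; i++)          /* may run past caplen */
            (void)peek(pkt, off + 2 + i, reach);
        off += 2 + len;
        n++;
    }
    return n;
}

/* Hardened pattern, after tcpdump's ND_TCHECK idiom: prove that n bytes at
 * off lie inside the snapshot before reading them, else report truncation. */
#define TCHECK(off, n) do { if ((off) + (n) > caplen) goto trunc; } while (0)

/* Returns records decoded, or -1 if the capture is truncated or a length lies. */
int tlv_walk_safe(const uint8_t *pkt, size_t caplen, size_t *reach)
{
    size_t off = 0;
    int n = 0;

    *reach = 0;
    while (off < caplen) {
        unsigned len;
        TCHECK(off, 2);                             /* type + length present? */
        (void)peek(pkt, off, reach);
        len = peek(pkt, off + 1, reach);
        TCHECK(off + 2, len);                       /* value bytes present? */
        for (unsigned i = 0; i < len; i++)
            (void)peek(pkt, off + 2 + i, reach);
        off += 2 + len;
        n++;
    }
    return n;
trunc:
    return -1;
}

/* Constructed samples. crafted=0: two well-formed records (caplen 8).
 * crafted=1: a good record, then one whose length byte 0xff claims 255 value
 * bytes of which the 10-byte capture holds two. Returns caplen. */
size_t build_sample(uint8_t *buf, int crafted)
{
    static const uint8_t good[] = { 0x01, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x02, 0x00 };
    static const uint8_t bad[]  = { 0x01, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x02, 0xff, 0x00, 0x00 };
    size_t len = crafted ? sizeof bad : sizeof good;

    memset(buf, 0, BACKING);
    memcpy(buf, crafted ? bad : good, len);
    return len;
}

struct walk_result { int records; size_t reach; size_t caplen; };

/* Run one walker over a sample; report what it decoded and how far it read. */
struct walk_result run_sample(int crafted, int (*walk)(const uint8_t *, size_t, size_t *))
{
    uint8_t buf[BACKING];
    struct walk_result r;

    r.caplen = build_sample(buf, crafted);
    r.records = walk(buf, r.caplen, &r.reach);
    return r;
}

int main(void)
{
    struct walk_result u = run_sample(1, tlv_walk_unsafe);
    struct walk_result s = run_sample(1, tlv_walk_safe);

    printf("unsafe: %d records, read up to byte %zu of a %zu-byte capture\n",
           u.records, u.reach, u.caplen);
    printf("safe:   %d (truncated), read up to byte %zu\n", s.records, s.reach);
    return 0;
}
```

On the crafted sample the unsafe walker reports two records and reads up to byte 263 of a 10-byte capture, which in a real dissector is the out-of-bounds read the advisory describes; the checked walker stops at byte 8 and returns the truncation result. The zero-length record in the well-formed sample also shows why `off += 2 + len` must always advance: a length-dependent step that can be zero is how the integer-overflow entry (CVE-2016-7938) turns into an infinite loop.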

Comment 7 Doran Moppert 2017-02-20 03:44:26 UTC
*** Bug 1419112 has been marked as a duplicate of this bug. ***

Comment 8 Doran Moppert 2017-02-20 03:47:42 UTC
*** Bug 1419067 has been marked as a duplicate of this bug. ***

Comment 9 Doran Moppert 2017-02-20 03:47:58 UTC
*** Bug 1419068 has been marked as a duplicate of this bug. ***

Comment 10 Doran Moppert 2017-02-20 03:48:13 UTC
*** Bug 1419070 has been marked as a duplicate of this bug. ***

Comment 11 Doran Moppert 2017-02-20 03:48:29 UTC
*** Bug 1419071 has been marked as a duplicate of this bug. ***

Comment 12 Doran Moppert 2017-02-20 03:48:44 UTC
*** Bug 1419072 has been marked as a duplicate of this bug. ***

Comment 13 Doran Moppert 2017-02-20 03:48:58 UTC
*** Bug 1419073 has been marked as a duplicate of this bug. ***

Comment 14 Doran Moppert 2017-02-20 03:49:15 UTC
*** Bug 1419074 has been marked as a duplicate of this bug. ***

Comment 15 Doran Moppert 2017-02-20 03:49:32 UTC
*** Bug 1419075 has been marked as a duplicate of this bug. ***

Comment 16 Doran Moppert 2017-02-20 03:49:46 UTC
*** Bug 1419076 has been marked as a duplicate of this bug. ***

Comment 17 Doran Moppert 2017-02-20 03:50:02 UTC
*** Bug 1419077 has been marked as a duplicate of this bug. ***

Comment 18 Doran Moppert 2017-02-20 03:50:20 UTC
*** Bug 1419078 has been marked as a duplicate of this bug. ***

Comment 19 Doran Moppert 2017-02-20 03:50:33 UTC
*** Bug 1419079 has been marked as a duplicate of this bug. ***

Comment 20 Doran Moppert 2017-02-20 03:50:49 UTC
*** Bug 1419080 has been marked as a duplicate of this bug. ***

Comment 21 Doran Moppert 2017-02-20 03:51:04 UTC
*** Bug 1419081 has been marked as a duplicate of this bug. ***

Comment 22 Doran Moppert 2017-02-20 03:51:20 UTC
*** Bug 1419082 has been marked as a duplicate of this bug. ***

Comment 23 Doran Moppert 2017-02-20 03:51:37 UTC
*** Bug 1419083 has been marked as a duplicate of this bug. ***

Comment 24 Doran Moppert 2017-02-20 03:51:54 UTC
*** Bug 1419085 has been marked as a duplicate of this bug. ***

Comment 25 Doran Moppert 2017-02-20 03:52:08 UTC
*** Bug 1419087 has been marked as a duplicate of this bug. ***

Comment 26 Doran Moppert 2017-02-20 03:52:22 UTC
*** Bug 1419088 has been marked as a duplicate of this bug. ***

Comment 27 Doran Moppert 2017-02-20 03:52:38 UTC
*** Bug 1419089 has been marked as a duplicate of this bug. ***

Comment 28 Doran Moppert 2017-02-20 03:52:53 UTC
*** Bug 1419090 has been marked as a duplicate of this bug. ***

Comment 29 Doran Moppert 2017-02-20 03:53:10 UTC
*** Bug 1419091 has been marked as a duplicate of this bug. ***

Comment 30 Doran Moppert 2017-02-20 03:53:24 UTC
*** Bug 1419093 has been marked as a duplicate of this bug. ***

Comment 31 Doran Moppert 2017-02-20 03:53:37 UTC
*** Bug 1419094 has been marked as a duplicate of this bug. ***

Comment 32 Doran Moppert 2017-02-20 03:53:56 UTC
*** Bug 1419095 has been marked as a duplicate of this bug. ***

Comment 33 Doran Moppert 2017-02-20 03:54:13 UTC
*** Bug 1419097 has been marked as a duplicate of this bug. ***

Comment 34 Doran Moppert 2017-02-20 03:54:27 UTC
*** Bug 1419098 has been marked as a duplicate of this bug. ***

Comment 35 Doran Moppert 2017-02-20 03:54:43 UTC
*** Bug 1419099 has been marked as a duplicate of this bug. ***

Comment 36 Doran Moppert 2017-02-20 03:54:59 UTC
*** Bug 1419100 has been marked as a duplicate of this bug. ***

Comment 37 Doran Moppert 2017-02-20 03:55:14 UTC
*** Bug 1419101 has been marked as a duplicate of this bug. ***

Comment 38 Doran Moppert 2017-02-20 03:55:28 UTC
*** Bug 1419102 has been marked as a duplicate of this bug. ***

Comment 39 Doran Moppert 2017-02-20 03:55:42 UTC
*** Bug 1419103 has been marked as a duplicate of this bug. ***

Comment 40 Doran Moppert 2017-02-20 03:55:56 UTC
*** Bug 1419104 has been marked as a duplicate of this bug. ***

Comment 41 Doran Moppert 2017-02-20 03:56:11 UTC
*** Bug 1419106 has been marked as a duplicate of this bug. ***

Comment 42 Doran Moppert 2017-02-20 03:56:27 UTC
*** Bug 1419107 has been marked as a duplicate of this bug. ***

Comment 43 Doran Moppert 2017-02-20 03:56:43 UTC
*** Bug 1419108 has been marked as a duplicate of this bug. ***

Comment 44 Doran Moppert 2017-02-20 03:56:59 UTC
*** Bug 1419109 has been marked as a duplicate of this bug. ***

Comment 45 Doran Moppert 2017-02-20 03:57:16 UTC
*** Bug 1419110 has been marked as a duplicate of this bug. ***

Comment 46 Doran Moppert 2017-02-20 03:57:33 UTC
*** Bug 1419111 has been marked as a duplicate of this bug. ***

Comment 54 errata-xmlrpc 2017-08-01 12:14:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1871 https://access.redhat.com/errata/RHSA-2017:1871

