Bug#917574: tcpreplay: CVE-2018-20552 CVE-2018-20553
Unfortunately this issue got reopened rather than having a new issue opened. I considered the original bugs fixed in 4.3.1 by preventing invalid data from reaching the functions. The author of the issue took exception to the fact that the function in question didn't have safeguards added to address potential issues in the future should there be a regression. The latest updates in 4.3.3 safeguard against future issues by additional checks in the functions rather than simply preventing bad data from reaching the functions.

Regards,
Fred.

> On Jun 12, 2020, at 10:52 PM, Salvatore Bonaccorso wrote:
>
> Hi Christoph,
>
> On Fri, Dec 28, 2018 at 10:12:14PM +0100, Salvatore Bonaccorso wrote:
>> Source: tcpreplay
>> Version: 4.2.6-1
>> Severity: important
>> Tags: security upstream
>> Forwarded: https://github.com/appneta/tcpreplay/issues/530
>>
>> Hi,
>>
>> The following vulnerabilities were published for tcpreplay.
>>
>> CVE-2018-20552[0]:
>> | Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree
>> | in tree.c.
>>
>> CVE-2018-20553[1]:
>> | Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len
>> | in common/get.c.
>>
>> Unless I'm completely mistaken, I think the issues are at least
>> present in 4.2.6, but please double check to be on the safe side.
>>
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2018-20552
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20552
>> [1] https://security-tracker.debian.org/tracker/CVE-2018-20553
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20553
>> [2] https://github.com/appneta/tcpreplay/issues/530
>>
>> Please adjust the affected versions in the BTS as needed.
>
> Reopened this bug report, as it looks from upstream discussion in
> https://github.com/appneta/tcpreplay/issues/530#issuecomment-480219130
> and following that the fixes were not correct.
>
> Regards,
> Salvatore
>
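The 4.3.3 approach Fred describes, a length check inside the function itself rather than only at its callers, shown as an added C example that is not tcpreplay's code: `safe_eth_l2len` and the sample frames are hypothetical, constructed here to show how a truncated capture is rejected instead of read past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical helper, not tcpreplay's get_l2len: computes the Ethernet
 * L2 header length while checking every read against the captured
 * length, so a truncated frame yields -1 instead of a heap over-read. */

#define ETH_HDR_LEN     14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100   /* 802.1Q */
#define ETHERTYPE_QINQ  0x88A8   /* 802.1ad outer tag */

/* Returns 14, 18 or 22 (up to two VLAN tags), or -1 when caplen is too
 * small to hold the bytes the decision depends on. */
int safe_eth_l2len(const uint8_t *frame, size_t caplen)
{
    size_t off = ETH_HDR_LEN;
    int tags = 0;
    uint16_t type;

    if (frame == NULL || caplen < ETH_HDR_LEN)
        return -1;                        /* base header truncated */
    type = (uint16_t)((frame[12] << 8) | frame[13]);

    while ((type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) && tags < 2) {
        /* Each tag is TCI (2 bytes) + inner EtherType (2 bytes). */
        if (caplen < off + VLAN_TAG_LEN)
            return -1;                    /* tag announced, not captured */
        type = (uint16_t)((frame[off + 2] << 8) | frame[off + 3]);
        off += VLAN_TAG_LEN;
        tags++;
    }
    return (int)off;
}

/* Constructed sample frames (dst/src MAC zeroed; only EtherType matters). */
const uint8_t plain_ipv4_frame[14] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00 };
const uint8_t vlan_ipv4_frame[18] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00, 0x00,0x64, 0x08,0x00 };
/* Claims an 802.1Q tag but the capture stops after 16 bytes. */
const uint8_t truncated_vlan_frame[16] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00, 0x00,0x64 };
```

The truncated frame is exactly the shape of input a caller-side filter can miss: the base header is complete, so only a check next to the read itself catches the missing tag bytes.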
Bug#917574: tcpreplay: CVE-2018-20552 CVE-2018-20553
> On Dec 28, 2018, at 1:12 PM, Salvatore Bonaccorso wrote:
>
> Source: tcpreplay
> Version: 4.2.6-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/appneta/tcpreplay/issues/530
>
> Hi,
>
> The following vulnerabilities were published for tcpreplay.
>
> CVE-2018-20552[0]:
> | Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree
> | in tree.c.
>
> CVE-2018-20553[1]:
> | Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len
> | in common/get.c.
>
> Unless I'm completely mistaken, I think the issues are at least
> present in 4.2.6, but please double check to be on the safe side.

I also believe the issue exists in version 3.4.4. The issue is fixed in 4.3.1. Let me know if you need assistance with a 3.4.4 patch.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20552
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20552
> [1] https://security-tracker.debian.org/tracker/CVE-2018-20553
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20553
> [2] https://github.com/appneta/tcpreplay/issues/530
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
Bug#901698: libudev-dev fails to install
Package: libudev
Version: 232-25+deb9u2
Severity: important

Dear Maintainer,

When I attempt to install libudev-dev on stretch I get the error below. This prevents me from installing other packages such as libpci-dev and libsnmp-dev.

sudo apt-get install libudev-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libudev-dev : Depends: libudev1 (= 232-25+deb9u2) but 237-3~bpo9+1 is to be installed
E: Unable to correct problems, you have held broken packages.

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)