Source: tcpreplay Version: 4.4.1-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for tcpreplay. CVE-2022-25484[0]: | tcpprep v4.4.1 has a reachable assertion (assert(l2len > 0)) in | packet2tree() at tree.c in tcpprep v4.4.1. CVE-2022-27939[1]: | tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in | get_layer4_v6 in common/get.c. CVE-2022-27940[2]: | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in | get_ipv6_next in common/get.c. CVE-2022-27941[3]: | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in | get_l2len_protocol in common/get.c. CVE-2022-27942[4]: | tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in | parse_mpls in common/get.c. CVE-2022-28487[5]: | Tcpreplay version 4.4.1 contains a memory leakage flaw in | fix_ipv6_checksums() function. The highest threat from this | vulnerability is to data confidentiality. CVE-2022-37047[6]: | The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain | a heap-based buffer overflow in get_ipv6_next at common/get.c:713. | NOTE: this is different from CVE-2022-27940. CVE-2022-37048[7]: | The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain | a heap-based buffer overflow in get_l2len_protocol at | common/get.c:344. NOTE: this is different from CVE-2022-27941. CVE-2022-37049[8]: | The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a | heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE: | this is different from CVE-2022-27942. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-25484 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25484 [1] https://security-tracker.debian.org/tracker/CVE-2022-27939 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27939 [2] https://security-tracker.debian.org/tracker/CVE-2022-27940 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27940 [3] https://security-tracker.debian.org/tracker/CVE-2022-27941 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27941 [4] https://security-tracker.debian.org/tracker/CVE-2022-27942 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27942 [5] https://security-tracker.debian.org/tracker/CVE-2022-28487 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28487 [6] https://security-tracker.debian.org/tracker/CVE-2022-37047 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37047 [7] https://security-tracker.debian.org/tracker/CVE-2022-37048 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37048 [8] https://security-tracker.debian.org/tracker/CVE-2022-37049 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37049 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
