Source: tcpreplay Version: 4.5.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for tcpreplay. CVE-2025-9019[0]: | A vulnerability has been found in tcpreplay 4.5.1. This | vulnerability affects the function mask_cidr6 of the file cidr.c of | the component tcpprep. The manipulation leads to heap-based buffer | overflow. The attack can be initiated remotely. The complexity of an | attack is rather high. The exploitation appears to be difficult. The | exploit has been disclosed to the public and may be used. The | researcher is able to reproduce this with the latest official | release 4.5.1 and the current master branch. The code maintainer | cannot reproduce this for 4.5.2-beta1. In his reply the maintainer | explains that "[i]n that case, this is a duplicate that was fixed in | 4.5.2." Issue should be fixed in upcoming 4.5.2 upstream, but TTBOMK not yet released, that is issue seems fixed womewhere after 4.5.1 tag in the upstream repository, but no commit explicitly identified. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-9019 https://www.cve.org/CVERecord?id=CVE-2025-9019 [1] https://github.com/appneta/tcpreplay/issues/958 [2] https://github.com/appneta/tcpreplay/issues/959 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
