Salvatore Bonaccorso wrote...

> The following vulnerability was published for tcpreplay.
>
> CVE-2025-9019[0]:
> | A vulnerability has been found in tcpreplay 4.5.1. This
> | vulnerability affects the function mask_cidr6 of the file cidr.c of
> | the component tcpprep. The manipulation leads to heap-based buffer
> | overflow. The attack can be initiated remotely. The complexity of an
> | attack is rather high. The exploitation appears to be difficult. The
> | exploit has been disclosed to the public and may be used. The
> | researcher is able to reproduce this with the latest official
> | release 4.5.1 and the current master branch. The code maintainer
> | cannot reproduce this for 4.5.2-beta1. In his reply the maintainer
> | explains that "[i]n that case, this is a duplicate that was fixed in
> | 4.5.2."
>
> Issue should be fixed in upcoming 4.5.2 upstream, but TTBOMK not yet
> released, that is issue seems fixed somewhere after 4.5.1 tag in the
> upstream repository, but no commit explicitly identified.
This is confusing: There is indeed no 4.5.2 release yet (only 4.5.2-beta2). But if the issue is in (src/common/)cidr.c, that file was last modified in July 2024 (in commit v4.5.0-beta3-5-gd62a6852 ["Bug #888: check for map == NULL in cidr.c"]).

If anyone sees the need for it, I can upload 4.5.2-beta2 - but I'd really prefer some details about the whole story. To start with, a commit that fixes the issue, just to assess which older Debian releases are affected as well.

> [0] (...)
> https://www.cve.org/CVERecord?id=CVE-2025-9019
> [1] https://github.com/appneta/tcpreplay/issues/958
> [2] https://github.com/appneta/tcpreplay/issues/959

Access to any of these pages requires insecure browser settings. What a great time we're living in.

Christoph