Hi Christoph,

On Sun, Aug 17, 2025 at 11:06:08AM +0200, Christoph Biedl wrote:
> Salvatore Bonaccorso wrote...
>
> > The following vulnerability was published for tcpreplay.
> >
> > CVE-2025-9019[0]:
> > | A vulnerability has been found in tcpreplay 4.5.1. This
> > | vulnerability affects the function mask_cidr6 of the file cidr.c of
> > | the component tcpprep. The manipulation leads to heap-based buffer
> > | overflow. The attack can be initiated remotely. The complexity of an
> > | attack is rather high. The exploitation appears to be difficult. The
> > | exploit has been disclosed to the public and may be used. The
> > | researcher is able to reproduce this with the latest official
> > | release 4.5.1 and the current master branch. The code maintainer
> > | cannot reproduce this for 4.5.2-beta1. In his reply the maintainer
> > | explains that "[i]n that case, this is a duplicate that was fixed in
> > | 4.5.2."
> >
> > Issue should be fixed in upcoming 4.5.2 upstream, but TTBOMK not yet
> > released, that is issue seems fixed somewhere after 4.5.1 tag in the
> > upstream repository, but no commit explicitly identified.
>
> This is confusing: There is indeed no 4.5.2 release yet (only
> 4.5.2-beta2). But if the issue is in (src/common/)cidr.c, that file was
> last modified in July 2024 (in commit v4.5.0-beta3-5-gd62a6852 ["Bug
> #888: check for map == NULL in cidr.c"]).
>
> If anyone sees the need for it, I can upload 4.5.2-beta2 - but I'd
> really prefer some details about the whole story. To start with, a
> commit that fixes the issue, just to assess which older Debian releases
> are affected as well.
I do not see any urgency here, we can safely wait until we know more.
Likely as well the issue might be marked unimportant like we did for the
other tcpreplay issues.

Regards,
Salvatore

