Package: tcptrack
Version: 1.3.0-1
Severity: normal

tcptrack is prone to a command line heap overflow. Here is a transcript:

[a...@hegel /tmp]$ tcptrack -i eth0 `python -c 'print "A"*1024'`
*** glibc detected *** tcptrack: free(): invalid next size (fast): 0x08069078 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7ce58f4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7ce7896]
/usr/lib/libpcap.so.0.8[0xb7f6f33f]
/usr/lib/libpcap.so.0.8[0xb7f6f718]
/usr/lib/libpcap.so.0.8(pcap_activate+0x13)[0xb7f71c83]
/usr/lib/libpcap.so.0.8(pcap_open_live+0x7a)[0xb7f72caa]
tcptrack[0x804dcdf]
tcptrack[0x8051115]
tcptrack(__gxx_personality_v0+0x279)[0x8049ca1]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7c8d7a5]
tcptrack(pthread_cancel+0x49)[0x8049ac1]
Aborted (core dumped)

This may have security repercussions if tcptrack is configured as a
handler for other applications that can pass user-supplied command line
input to tcptrack.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tcptrack depends on:
ii  libc6        2.9-25          GNU C Library: Shared libraries
ii  libgcc1      1:4.4.1-4       GCC support library
ii  libncurses5  5.7+20090803-2  shared libraries for terminal hand
ii  libpcap0.8   1.0.0-4         system interface for user-level pa
ii  libstdc++6   4.4.1-4         The GNU Standard C++ Library v3

tcptrack recommends no packages.

tcptrack suggests no packages.

-- no debconf information