[Bug 273171] category/port: tcpdump used in this project is vulnerable

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 273171] tcpdump is vulnerable"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 17 Aug 2023 06:04:21 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273171

            Bug ID: 273171
           Summary: category/port: tcpdump used in this project is
                    vulnerable
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: thresh416@outlook.com

Branch
stable/13, releng/13.0, releng/13.1, releng/13.2

What is the security issue or vulnerability?
As CVE-2020-8037 described, the ppp decapsulator in tcpdump 4.9.3 can be
convinced to allocate a large amount of memory, which is still used in this
project.
This can be easily fixed by apply the patch of this CVE ( CVE-2020-8037 ) , as
listed in the next section.

Security issue or vulnerability information
CVE-2020-8037's description:https://nvd.nist.gov/vuln/detail/CVE-2020-8037
CVE-2020-8037's patch commit:the-tcpdump-group/tcpdump@32027e1

-- 
You are receiving this mail because:
You are the assignee for the bug.