Advisories » MGASA-2014-0503

Updated tcpdump package fixes security vulnerabilities

Publication date: 01 Dec 2014
Modification date: 01 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-8767 , CVE-2014-8769

Description

The Tcpdump program could crash when processing a malformed OLSR payload
when the verbose output flag was set (CVE-2014-8767).

The application decoder for the Ad hoc On-Demand Distance Vector (AODV)
protocol in Tcpdump fails to perform input validation and performs unsafe
out-of-bound accesses. The application will usually not crash, but perform
out-of-bounds accesses and output/leak larger amounts of invalid data, which
might lead to dropped packets. It is unknown if a payload exists that might
trigger segfaults (CVE-2014-8769).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14673
• https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144951.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8767
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8769

SRPMS

4/core

• tcpdump-4.4.0-2.1.mga4