#1111316 tcpreplay: CVE-2025-9019

Package:
src:tcpreplay
Source:
src:tcpreplay
Submitter:
Salvatore Bonaccorso
Date:
2025-08-18 18:35:01 UTC
Severity:
normal
#1111316#5
Date:
2025-08-16 18:57:52 UTC
Hi,

The following vulnerability was published for tcpreplay.

CVE-2025-9019[0]:
| A vulnerability has been found in tcpreplay 4.5.1. This
| vulnerability affects the function mask_cidr6 of the file cidr.c of
| the component tcpprep. The manipulation leads to heap-based buffer
| overflow. The attack can be initiated remotely. The complexity of an
| attack is rather high. The exploitation appears to be difficult. The
| exploit has been disclosed to the public and may be used. The
| researcher is able to reproduce this with the latest official
| release 4.5.1 and the current master branch. The code maintainer
| cannot reproduce this for 4.5.2-beta1. In his reply the maintainer
| explains that "[i]n that case, this is a duplicate that was fixed in
| 4.5.2."

Issue should be fixed in upcoming 4.5.2 upstream, but TTBOMK not yet
released; that is, the issue seems fixed somewhere after the 4.5.1 tag in
the upstream repository, but no commit explicitly identified.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9019
https://www.cve.org/CVERecord?id=CVE-2025-9019
[1] https://github.com/appneta/tcpreplay/issues/958
[2] https://github.com/appneta/tcpreplay/issues/959

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1111316#10
Date:
2025-08-17 09:06:08 UTC
Salvatore Bonaccorso wrote...
4.5.2-beta2). But if the issue is in (src/common/)cidr.c, that file was
last modified in July 2024 (in commit v4.5.0-beta3-5-gd62a6852 ["Bug
#888: check for map == NULL in cidr.c"]).

If anyone sees the need for it, I can upload 4.5.2-beta2 - but I'd
really prefer some details about the whole story. To start with, a
commit that fixes the issue, just to assess which older Debian releases
are affected as well.

Access to any of these pages requires insecure browser settings. What a
great time we're living in.

    Christoph

#1111316#20
Date:
2025-08-17 11:03:34 UTC
Hi Christoph,

I do not see any urgency here, we can safely wait until we know more.
Likely as well the issue might be marked unimportant like we did for
the other tcpreplay issues.

Regards,
Salvatore

#1111316#25
Date:
2025-08-18 15:47:31 UTC
To help things along, I can release 4.5.2 by late tonight. I still have
some issues that were recently opened, but I can defer to 4.5.3.

Fred Klassen

#1111316#35
Date:
2025-08-18 18:34:21 UTC
Fred Klassen wrote...

If I read correctly, you've already planned to release 4.5.2 in the next
couple of days. In my opinion, there's no need for an extra rush then.

    Christoph
