Dear Maintainer,
arpwatch 2.1a15 contains a heap buffer overflow in db.c. When arpwatch
performs a reverse DNS lookup for an IP address observed in ARP traffic,
the resolved hostname is copied into a fixed 34-byte buffer without length
validation. A DNS response containing a hostname longer than 33 characters
(valid per RFC 1035, max 253 characters) overflows the buffer by up to
219 bytes.
The fix is present in upstream arpwatch 3.0 (released 2019-12-01) but
Debian bookworm still ships version 2.1a15 from 2000.
VULNERABLE CODE
===============
File: db.c
    struct einfo {
            u_char e[6];    /* ether address */
            char h[34];     /* simple hostname <- only 34 bytes */
            time_t t;       /* timestamp */
    };
Two affected locations:
1. elist_alloc() -- called when a new IP/MAC pair is first seen:
    h = getsname(a);
    if (h != NULL && !isdigit((int)*h))
            strcpy(ep->h, h);       /* <- overflow if len(h) > 33 */
2. check_hname() -- called when hostname changes:
    h = getsname(ap->a);
    if (!isdigit((int)*h) && strcmp(h, ep->h) != 0) {
            strcpy(ep->h, h);       /* <- overflow if len(h) > 33 */
    }
getsname() calls gethostbyaddr() and truncates the result at the first
'.' (to strip the domain). A PTR record containing a label without dots
(e.g. 253 'A' characters) passes through untruncated and causes the
overflow.
ATTACK SCENARIO
===============
1. arpwatch is running and monitoring a network interface.
2. An ARP packet is observed for an IP address.
3. arpwatch performs a reverse DNS lookup (PTR query) for that IP.
4. An attacker who controls the DNS response (via rogue DNS server,
DNS cache poisoning, or control of the PTR record for the IP)
returns a hostname of 34 or more characters without any dots.
5. strcpy(ep->h, h) overflows the 34-byte heap buffer by up to 219
bytes, corrupting adjacent heap metadata.
On Debian, arpwatch typically runs as root or a dedicated user with
CAP_NET_RAW. A successful exploit could achieve arbitrary code execution
with those privileges.
FIX IN UPSTREAM 3.x
====================
Fixed in arpwatch 3.0 (2019-12-01) with two changes:
1. Buffer size increased from 34 to 64 bytes:
    char h[64];     /* simple hostname */
2. strcpy replaced with bounded copy:
    strncpy(ep->h, h, sizeof(ep->h));
    ep->h[sizeof(ep->h) - 1] = '\0';
Recommended remediation: update the Debian package from 2.1a15 to the
current upstream release (3.6, 2024-01-21).
Upstream source:
https://ee.lbl.gov/downloads/arpwatch/arpwatch-3.6.tar.gz
CVSS ESTIMATE
=============
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H -- Score: 8.1 (High)
DISCLOSURE TIMELINE
===================
2026-05-21 Vulnerability identified during source code audit
2026-05-21 Report submitted to security@debian.org
2026-05-22 Report submitted to Debian BTS per Moritz Mühlenhoff's request
Reporter: Igor Garofano <igorgarofano@gmail.com>
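As an added C example written for this report (it is not arpwatch's own code), the program below models the 34-byte einfo.h field, the dot stripping done by getsname(), and the bounded copy from the 3.0 fix, fed a constructed dotless 253-character name; the names strip_domain, would_overflow, copy_hostname and make_dotless_name are hypothetical.

```c
/* Added example, not arpwatch's own code: models the fixed-size einfo.h
 * field from db.c, getsname()'s dot stripping, and the bounded copy from
 * the 3.0 fix, on a constructed dotless 253-character PTR name. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OLD_H_LEN 34   /* arpwatch 2.1a15: char h[34] */
#define NEW_H_LEN 64   /* arpwatch 3.0:    char h[64] */

/* Hypothetical stand-in for getsname()'s domain stripping: keep the text
 * before the first '.'. Returns a malloc'd string the caller frees. */
char *strip_domain(const char *name) {
    size_t n = strcspn(name, ".");
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    memcpy(out, name, n);
    out[n] = '\0';
    return out;
}

/* 1 if strcpy(buf, h) into a buflen-byte buffer would write past its end
 * (it needs strlen(h) + 1 bytes): the 2.1a15 overflow condition. */
int would_overflow(const char *h, size_t buflen) {
    return strlen(h) + 1 > buflen;
}

/* Bounded copy as in the 3.0 fix: strncpy() plus an explicit NUL, so an
 * oversized name is truncated, not written past dst. Returns stored length. */
size_t copy_hostname(char *dst, size_t dstlen, const char *h) {
    strncpy(dst, h, dstlen);
    dst[dstlen - 1] = '\0';
    return strlen(dst);
}

/* Constructed sample input: n 'A's and no dots, so stripping leaves it whole. */
char *make_dotless_name(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    char *ptr = make_dotless_name(253), *h = strip_domain(ptr), buf[NEW_H_LEN];
    printf("strcpy into h[%d] would overflow: %d\n", OLD_H_LEN, would_overflow(h, OLD_H_LEN));
    printf("bounded copy into h[%d] stored %zu bytes\n", NEW_H_LEN, copy_hostname(buf, sizeof buf, h));
    free(h); free(ptr);
    return 0;
}
```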
Version 2.1a15 in Debian contains a number of extensions conflicting with upstream 3.0 and above. Thus, we'll patch Debian's 2.1a15.
We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1137278@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Geuer <sge@debian.org> (supplier of updated arpwatch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 14:00:03 +0200
Source: arpwatch
Architecture: source
Version: 2.1a15-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Sven Geuer <sge@debian.org>
Closes: 1137278
Changes:
arpwatch (2.1a15-10) unstable; urgency=medium
.
* Team upload.
* d/p/*: Add patch fixing heap buffer overflow via oversized DNS hostname
(Closes: #1137278).
* d/control:
- Drop 'Priority: optional'.
- Drop 'Rules-Requires-Root: no'.
- Bump Standards-Version to 4.7.4.
* d/watch: Update watch file to version 5 format.
* d/copyright: Bump packaging copyright years.
Hello,

Bug #1137278 in arpwatch reported by you has been fixed in the Git
repository and is awaiting an upload. You can see the commit message
below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/arpwatch/-/commit/5284437028f2fb07b82b51d4f6ca734b0549650e

------------------------------------------------------------------------
d/p/*: Add patch fixing heap buffer overflow via oversized DNS hostname.

Closes: #1137278
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1137278
Hi Sven,

Thanks for fixing the issue in unstable and for forky. If your time
permits, can you as well fix the issue in trixie and bookworm via the
next (and for bookworm last) point release? The issue won't warrant a
DSA.

Regards,
Salvatore
Hi Salvatore,

That's already on my list.

Best,
Sven
Hi Salvatore,

Meanwhile I looked deeper into this and found that the buffer overflow
was already reported in Apr 2013 with bug #705894 [1] and fixed in Oct
2014 with version arpwatch/2.1a15-1.3, available as patch [2] since
arpwatch/2.1a15-2. Only the buffer size was not increased, resulting in
long host names being truncated; however, no overflows could happen
anymore. Thus, in my opinion, uploads to trixie and bookworm are not
required. Let me know if you concur or not.

Regards
Sven

[1] https://bugs.debian.org/705894
[2] https://sources.debian.org/src/arpwatch/2.1a15-2/debian/patches/41_bug705894-long-hostnames