> On Dec 28, 2018, at 1:12 PM, Salvatore Bonaccorso <car...@debian.org> wrote:
> 
> Source: tcpreplay
> Version: 4.2.6-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/appneta/tcpreplay/issues/530
> 
> Hi,
> 
> The following vulnerabilities were published for tcpreplay.
> 
> CVE-2018-20552[0]:
> | Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree
> | in tree.c.
> 
> CVE-2018-20553[1]:
> | Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len
> | in common/get.c.
> 
> Unless I'm completely mistaken, I think the issues are at least
> present in 4.2.6, but please double check to be on the safe side.
> 

I also believe the issue exists in version 3.4.4. The issue is fixed in 4.3.1. 
Let me know if you need assistance with a 3.4.4 patch.


> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20552
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20552
> [1] https://security-tracker.debian.org/tracker/CVE-2018-20553
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20553
> [2] https://github.com/appneta/tcpreplay/issues/530
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
