The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of tcpdump: off-by-one via 802.11

Synthesis of the vulnerability 

An attacker can generate an off-by-one overflow in tcpdump by sending a malicious 802.11 frame.
Vulnerable software: Debian, Fedora, Mandriva Linux, NetBSD, RHEL, TurboLinux, Unix (platform) ~ not comprehensive.
Severity of this bulletin: 2/4.
Creation date: 02/03/2007.
References for this computer vulnerability: BID-22772, CVE-2007-1218, DSA-1272-1, FEDORA-2007-347, FEDORA-2007-348, MDKSA-2007:056, NetBSD-SA2009-002, RHSA-2007:0368-03, RHSA-2007:0387-02, TLSA-2007-46, VIGILANCE-VUL-6601.

Description of the vulnerability 

The tcpdump program captures network frames and displays their contents.

The print-802_11.c file decodes 802.11 frames. Its parse_elements() function bounds-checks the TIM (Traffic Indication Map) element against the length of a different element, pbody->rates.length, instead of the TIM element's own length, pbody->tim.length. A frame that passes this wrong check has its TIM bitmap copied into a fixed-size buffer that is one byte short of the largest length the frame can declare, which is the off-by-one overflow.

An attacker can therefore send a malicious 802.11 frame to crash tcpdump (denial of service) and possibly to execute code.
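The following C program is an added example written for this bulletin; it is not tcpdump's code. It models the TIM length guard in parse_elements() as the description above states it, with the vulnerable comparison against pbody->rates.length beside the corrected comparison against pbody->tim.length, and shows why the overflow is exactly one byte. Assumed, because the page does not state it: the 802.11 element encoding (one element ID byte, one length byte, then the payload) and tcpdump's tim_t layout (count, period and bitmap control, followed by a 251-byte bitmap, as declared in tcpdump's ieee802_11.h).

```c
/* Added example for CVE-2007-1218; not tcpdump's own code.
 * Models the TIM element guard in parse_elements() (print-802_11.c).
 * Assumptions not on the page: 802.11 element = ID byte, length byte,
 * payload; tcpdump's tim_t = count, period, bitmap_control, then a
 * 251-byte bitmap (taken from tcpdump's ieee802_11.h). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define E_TIM           5
#define TIM_BITMAP_SIZE 251     /* sizeof pbody->tim.bitmap */

struct tim_t {
    uint8_t element_id;
    uint8_t length;             /* covers the 3 fixed bytes + bitmap */
    uint8_t count;
    uint8_t period;
    uint8_t bitmap_control;
    uint8_t bitmap[TIM_BITMAP_SIZE];
};

enum guard { GUARD_VULNERABLE, GUARD_FIXED };

/* How many bytes the guard lets the parser memcpy into tim.bitmap for
 * a TIM element of length tim_len. rates_len is the length of any
 * Supported Rates element seen earlier in the frame (0 if none).
 * Returns -1 when the guard rejects the element. Any value above
 * TIM_BITMAP_SIZE means the real memcpy would overflow the bitmap. */
int tim_bitmap_copy_len(enum guard g, uint8_t rates_len, uint8_t tim_len)
{
    if (tim_len <= 3)
        return 0;               /* no bitmap bytes at all */
    if (g == GUARD_VULNERABLE) {
        /* CVE-2007-1218: compares the wrong element's length, so a
         * frame with no Rates element (rates_len == 0) always passes */
        if (rates_len > TIM_BITMAP_SIZE)
            return -1;
    } else {
        /* corrected: compare the TIM's own bitmap length */
        if (tim_len - 3 > TIM_BITMAP_SIZE)
            return -1;
    }
    return tim_len - 3;
}

/* Parse one TIM element from buf using the corrected guard.
 * Returns the number of bytes consumed, or -1 if the element is not a
 * TIM, is truncated, or carries more bitmap than tim_t can hold. */
int parse_tim(const uint8_t *buf, size_t len, struct tim_t *tim)
{
    if (len < 2 || buf[0] != E_TIM)
        return -1;
    memset(tim, 0, sizeof *tim);
    tim->element_id = buf[0];
    tim->length = buf[1];
    if (tim->length < 3 || len < 2u + tim->length)
        return -1;              /* malformed or truncated (TTEST2's role) */
    int bitmap_len = tim_bitmap_copy_len(GUARD_FIXED, 0, tim->length);
    if (bitmap_len < 0)
        return -1;              /* oversized bitmap: the bug's trigger */
    tim->count = buf[2];
    tim->period = buf[3];
    tim->bitmap_control = buf[4];
    memcpy(tim->bitmap, buf + 5, (size_t)bitmap_len);
    return 2 + tim->length;
}

int main(void)
{
    /* Constructed TIM element with the maximum length byte, 255: the
     * 3 fixed bytes then 252 bitmap bytes, one more than tim_t holds. */
    uint8_t crafted[2 + 255];
    memset(crafted, 0x41, sizeof crafted);
    crafted[0] = E_TIM;
    crafted[1] = 255;

    int vuln = tim_bitmap_copy_len(GUARD_VULNERABLE, 0, crafted[1]);
    int fixed = tim_bitmap_copy_len(GUARD_FIXED, 0, crafted[1]);
    printf("vulnerable guard lets %d bytes into a %d-byte bitmap (%s)\n",
           vuln, TIM_BITMAP_SIZE, vuln > TIM_BITMAP_SIZE ? "overflow" : "ok");
    printf("fixed guard result: %d (-1 = rejected)\n", fixed);

    struct tim_t tim;
    printf("parse_tim(crafted) = %d\n", parse_tim(crafted, sizeof crafted, &tim));

    /* Constructed benign TIM: length 4 = count, period, control, 1 bitmap byte */
    uint8_t benign[] = { E_TIM, 4, 1, 2, 0x00, 0xAA };
    printf("parse_tim(benign) = %d, bitmap[0] = 0x%02x\n",
           parse_tim(benign, sizeof benign, &tim), tim.bitmap[0]);
    return 0;
}
```

With the check against the wrong variable, a frame carrying no Rates element and a TIM length byte of 255 passes the guard and 252 bytes are copied into a 251-byte bitmap; that single extra byte is the off-by-one the bulletin refers to. The corrected guard rejects any TIM whose declared bitmap exceeds the buffer, and a truncation check on the whole element is kept in front of the copy so that a short frame cannot be over-read either.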

This computer vulnerability bulletin impacts software or systems such as Debian, Fedora, Mandriva Linux, NetBSD, RHEL, TurboLinux, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is confirmed by the editor; the attack origin is the LAN.

An attacker with an expert ability level can exploit this threat.

Solutions for this threat 

Debian: new tcpdump packages.
New packages are available:
  AMD64 architecture:
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge2_amd64.deb
      Size/MD5 checksum: 256526 c4ddd7019f02181e76b23343f0814896
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge2_i386.deb
      Size/MD5 checksum: 238766 c6f34cfc4ae54d9014fb04170bfc5ff0
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge2_ia64.deb
      Size/MD5 checksum: 352574 9051cb601e4c9af4b86f12d6277b902f

Fedora Core 5: new tcpdump packages.
New packages are available:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
d7ba48e09d7994b96652147676b2f37ad56e8cbc SRPMS/tcpdump-3.9.4-4.fc5.src.rpm
d7ba48e09d7994b96652147676b2f37ad56e8cbc noarch/tcpdump-3.9.4-4.fc5.src.rpm
a3d4abcee5ebb54941e832a5d9da0c34ac89509e ppc/libpcap-0.9.4-4.fc5.ppc.rpm
9cbd06d5487b558ddf70ac255c67db3cec081020 ppc/debug/tcpdump-debuginfo-3.9.4-4.fc5.ppc.rpm
ffa9745aaa2e06e406f4f105700a217a357003e1 ppc/arpwatch-2.1a13-15.fc5.ppc.rpm
3a17a7b9e95e4f2cfbb4c9f079ef1e793b59ba72 ppc/tcpdump-3.9.4-4.fc5.ppc.rpm
ba04e256a2c20c897e627d0340d3e242af978d45 x86_64/libpcap-0.9.4-4.fc5.x86_64.rpm
2c9c1e30beef4b7781d2889696c32bfe4ae395cc x86_64/tcpdump-3.9.4-4.fc5.x86_64.rpm
561427aee56f32681704984d83df1d48fb6460a1 x86_64/arpwatch-2.1a13-15.fc5.x86_64.rpm
43ca82d842c173460ec6dae8f5413e445fa2f539 x86_64/debug/tcpdump-debuginfo-3.9.4-4.fc5.x86_64.rpm
dcc4cb141907967dacd3678f0f17dfd4743f75c7 i386/tcpdump-3.9.4-4.fc5.i386.rpm
44cfb923721a8a87c3bf2747a91d90802ecf78c1 i386/arpwatch-2.1a13-15.fc5.i386.rpm
315f39baeae2f0880b1ec91879838268d9fb9aa6 i386/debug/tcpdump-debuginfo-3.9.4-4.fc5.i386.rpm
216013956355d2d2c7006dbf60124212776bf162 i386/libpcap-0.9.4-4.fc5.i386.rpm

Fedora Core 6: new tcpdump packages.
New packages are available:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
d70fc204d160c153a7e0c2eaecffe03c64b6f98f SRPMS/tcpdump-3.9.4-10.fc6.src.rpm
d70fc204d160c153a7e0c2eaecffe03c64b6f98f noarch/tcpdump-3.9.4-10.fc6.src.rpm
78d280c690b81cb43cfc1114f7d352744d72f2c6 ppc/arpwatch-2.1a13-17.fc6.ppc.rpm
282e470e1a18d1502a55771e1956dc0fd4ed510d ppc/debug/tcpdump-debuginfo-3.9.4-10.fc6.ppc.rpm
6ccffc5016fcac9dd377b186c27fb0aabb83c298 ppc/tcpdump-3.9.4-10.fc6.ppc.rpm
0bac5510dafca986bad39b46ff82f65c7e2efa25 ppc/libpcap-0.9.4-10.fc6.ppc.rpm
3a9b8f7276921a146750bdf87734e354c4ce7074 ppc/libpcap-devel-0.9.4-10.fc6.ppc.rpm
0242836290534f5a513601c7f5fdb2987a127c1c x86_64/libpcap-0.9.4-10.fc6.x86_64.rpm
6b850c13ce89b3b435ce2b12c0bbb7973261cf9c x86_64/libpcap-devel-0.9.4-10.fc6.x86_64.rpm
64017eab83d54f1224cea8f8894f6adac8c67d91 x86_64/tcpdump-3.9.4-10.fc6.x86_64.rpm
4d0cc9863515ae05ed83a2bc052c18882ef19797 x86_64/debug/tcpdump-debuginfo-3.9.4-10.fc6.x86_64.rpm
9ed990c85424e7696530b32196fc6cb01c547cc7 x86_64/arpwatch-2.1a13-17.fc6.x86_64.rpm
ffd384b9d15aac0f3c6f0f900813e6bc2110514f i386/arpwatch-2.1a13-17.fc6.i386.rpm
b800f281187f03a9b3d6242b99d128e925b4f5b9 i386/tcpdump-3.9.4-10.fc6.i386.rpm
cd126685bef09b529aa928fee7809590ce906137 i386/libpcap-devel-0.9.4-10.fc6.i386.rpm
f21c20de322c490de9df03d3a28b4f74e329ba58 i386/debug/tcpdump-debuginfo-3.9.4-10.fc6.i386.rpm
21867d4d9331c474cf65586b508db6195dfeacc5 i386/libpcap-0.9.4-10.fc6.i386.rpm

Mandriva: new tcpdump packages.
New packages are available:
 Mandriva Linux 2006.0:
 d92b272b29238545670818ca1d03b171 2006.0/i586/tcpdump-3.9.3-1.3.20060mdk.i586.rpm
 66d13291c325f4c08725ee28fd57c21d 2006.0/SRPMS/tcpdump-3.9.3-1.3.20060mdk.src.rpm
 Mandriva Linux 2006.0/X86_64:
 9a66f32f4fd622c3986a80dd447bad10 2006.0/x86_64/tcpdump-3.9.3-1.3.20060mdk.x86_64.rpm
 66d13291c325f4c08725ee28fd57c21d 2006.0/SRPMS/tcpdump-3.9.3-1.3.20060mdk.src.rpm
 Mandriva Linux 2007.0:
 34629bcb6e9ee83b6e9163bd0e3ab889 2007.0/i586/tcpdump-3.9.4-1.1mdv2007.0.i586.rpm
 ba39819805f0935af53e2ec77b302d14 2007.0/SRPMS/tcpdump-3.9.4-1.1mdv2007.0.src.rpm
 Mandriva Linux 2007.0/X86_64:
 e0c4b35447b06600387db895f2ecee54 2007.0/x86_64/tcpdump-3.9.4-1.1mdv2007.0.x86_64.rpm
 ba39819805f0935af53e2ec77b302d14 2007.0/SRPMS/tcpdump-3.9.4-1.1mdv2007.0.src.rpm
 Corporate 3.0:
 f6dc96b67852e9a31868433020500ea1 corporate/3.0/i586/tcpdump-3.8.1-1.3.C30mdk.i586.rpm
 978aeb218783686a74e4d2a6e1b772fb corporate/3.0/SRPMS/tcpdump-3.8.1-1.3.C30mdk.src.rpm
 Corporate 3.0/X86_64:
 b3440b61b1aaca36fb7426d2108d5a99 corporate/3.0/x86_64/tcpdump-3.8.1-1.3.C30mdk.x86_64.rpm
 978aeb218783686a74e4d2a6e1b772fb corporate/3.0/SRPMS/tcpdump-3.8.1-1.3.C30mdk.src.rpm
 Corporate 4.0:
 b0d581c7c0166447c32019849638002e corporate/4.0/i586/tcpdump-3.9.3-1.3.20060mlcs4.i586.rpm
 d849293ac434f50fb2159bf0298a9921 corporate/4.0/SRPMS/tcpdump-3.9.3-1.3.20060mlcs4.src.rpm
 Corporate 4.0/X86_64:
 a0955040cd81b0d5189e2b72fdddf459 corporate/4.0/x86_64/tcpdump-3.9.3-1.3.20060mlcs4.x86_64.rpm
 d849293ac434f50fb2159bf0298a9921 corporate/4.0/SRPMS/tcpdump-3.9.3-1.3.20060mlcs4.src.rpm

NetBSD: patch for tcpdump.
A patch is available from the information sources (NetBSD-SA2009-002).

RHEL 4: new tcpdump packages.
New packages are available:
Red Hat Enterprise Linux version 4: tcpdump-3.8.2-12.el4

RHEL 5: new tcpdump packages.
New packages are available:
Red Hat Enterprise Linux version 5 : tcpdump-3.9.4-11.el5

Turbolinux: new tcpdump packages.
New packages are available:
Turbolinux Appliance Server 2.0 : tcpdump-3.8.3-7
Turbolinux FUJI : tcpdump-3.9.1-2
Turbolinux 10 Server x64 Edition : tcpdump-3.9.1-2
Turbolinux Appliance Server 1.0 : tcpdump-3.8.3-7
Turbolinux 10 Server : tcpdump-3.8.3-7
Turbolinux 10 Desktop : tcpdump-3.8.3-7
Turbolinux 8 Server : tcpdump-3.8.3-7
