Bug 1166972 (CVE-2018-19325)

Summary: VUL-0: CVE-2018-19325: tcpdump: prone to a heap-based buffer over-read in the EXTRACT_32BITS function due to improper serviceId
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: atoptsoglou, pmonrealgonzalez, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/255169/
Whiteboard: CVSSv2:NVD:CVE-2018-19325:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3.1:NVD:CVE-2018-19325:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2018-19325:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: PoC file from the reporter

Description Robert Frohl 2020-03-18 13:00:13 UTC

tcpdump 4.9.2 (and probably lower versions) is prone to a heap-based buffer
over-read in the EXTRACT_32BITS function (extract.h, called from the
rx_cache_find function, print-rx.c) due to improper serviceId sanitization.

Comment 1 Pedro Monreal Gonzalez 2020-03-21 11:26:27 UTC
Created attachment 833559 [details]
PoC file from the reporter

It doesn't crash in Factory x86_64.
Comment 2 Pedro Monreal Gonzalez 2020-04-13 16:04:12 UTC
CVE rejected as duplicated. Please, use CVE-2018-14466 instead.

Fix already submitted in:
Comment 4 Alexandros Toptsoglou 2020-05-25 08:20:16 UTC
Closing as invalid