Bug 1166972 (CVE-2018-19325)

Summary: VUL-0: CVE-2018-19325: tcpdump: prone to a heap-based buffer over-read in the EXTRACT_32BITS function due to improper serviceId
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: atoptsoglou, pmonrealgonzalez, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/255169/
Whiteboard: CVSSv2:NVD:CVE-2018-19325:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3.1:NVD:CVE-2018-19325:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2018-19325:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: PoC file from the reporter

Description Robert Frohl 2020-03-18 13:00:13 UTC
CVE-2018-19325

tcpdump 4.9.2 (and probably lower versions) is prone to a heap-based buffer
over-read in the EXTRACT_32BITS function (extract.h, called from the
rx_cache_find function, print-rx.c) due to improper serviceId sanitization.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19325
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19325.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19325
https://docs.google.com/document/d/1ifs3lREn98UC5XTXt02BGAYNddoGAX1BXQQvOviaYaI/edit
Comment 1 Pedro Monreal Gonzalez 2020-03-21 11:26:27 UTC
Created attachment 833559 [details]
PoC file from the reporter

It doesn't crash in Factory x86_64.
Comment 2 Pedro Monreal Gonzalez 2020-04-13 16:04:12 UTC
CVE rejected as duplicated. Please, use CVE-2018-14466 instead.

Fix already submitted in:
   https://bugzilla.suse.com/show_bug.cgi?id=1153098
Comment 4 Alexandros Toptsoglou 2020-05-25 08:20:16 UTC
Closing as invalid