tcpdump: CVE-2018-14879 - buffer overflow in tcpdump.c:get_next_file()

Critical
Internet Bug Bounty
Reported by geeknik

Vulnerability Details

Technical details and impact analysis

Buffer Underflow
The release of tcpdump 4.9.3 brought many bug fixes, including one I submitted, CVE-2018-14879.

`The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().`

```
==2288==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe363769bf at pc 0x56336d544e69 bp 0x7ffe36376260 sp 0x7ffe36376258
READ of size 1 at 0x7ffe363769bf thread T0
    #0 0x56336d544e68 in get_next_file tcpdump.c:853
    #1 0x56336d53ab63 in main tcpdump.c:1956
    #2 0x7f83cae7c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #3 0x56336d543169 in _start (/root/tcpdump/tcpdump+0x16d169)

Address 0x7ffe363769bf is located in stack of thread T0 at offset 1727 in frame
    #0 0x56336d53828f in main tcpdump.c:1411

  This frame has 15 object(s):
    [32, 36) 'localnet'
    [96, 100) 'netmask'
    [160, 168) 'endp'
    [224, 232) 'end'
    [288, 296) 'devlist'
    [352, 360) 'end'
    [416, 424) 'dlts'
    [480, 496) 'fcode'
    [544, 576) 'timer'
    [608, 648) 'dumpinfo'
    [704, 848) 'buf'
    [896, 1096) 'Ndo'
    [1152, 1408) 'ebuf'
    [1440, 1696) 'ebuf'
    [1728, 5825) 'VFileLine' <== Memory access at offset 1727 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow tcpdump.c:853 in get_next_file
```

Reported: 2018 May 14 (via email to [email protected])
Fix Released: 2018 September 30
CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-14879
Credit: https://www.tcpdump.org/public-cve-list.txt

```
CVSS v3.1 Severity and Metrics:
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (V3.1 legend)
Impact Score: 5.9
Exploitability Score: 3.9
```

## Impact

Stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. If the affected program is running with special privileges, or accepts data from untrusted network hosts (e.g. a webserver) then the bug is a potential security vulnerability.

If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. This is one of the oldest and more reliable methods for attackers to gain unauthorized access to a computer.
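The ASan report above says the one-byte read lands at offset 1727, directly below `VFileLine` (the buffer `get_next_file()` fills from the `-V` file list). The following is an added example, not code from the report or from tcpdump: the vulnerable newline-stripping pattern is reconstructed from memory of tcpdump 4.9.2 and the 4.9.3 fix (the exact upstream lines may differ), and `read_names()`, `sample_vfile` and the helper names are constructed here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vulnerable pattern (reconstructed, not the page's code):
 *     if (ptr[strlen(ptr) - 1] == '\n') ptr[strlen(ptr) - 1] = '\0';
 * When fgets() stores a line whose first byte is NUL, strlen(ptr) is 0 and the
 * index wraps to (size_t)-1, i.e. ptr[-1]: the read one byte below VFileLine
 * that ASan reports as "underflows this variable". */

/* Hardened form: check the length before indexing, as the 4.9.3 fix does. */
static char *
get_next_file_fixed(FILE *VFile, char *ptr)
{
    size_t len;

    if (fgets(ptr, PATH_MAX, VFile) == NULL)
        return NULL;
    len = strlen(ptr);
    if (len > 0 && ptr[len - 1] == '\n')
        ptr[len - 1] = '\0';
    return ptr;
}

/* Returns 1 if a stored line would make the unfixed code index ptr[-1]. */
int line_triggers_underflow(const char *line) { return line[0] == '\0'; }

/* Reads every name from an in-memory -V file via tmpfile(); returns the count. */
int
read_names(const char *data, size_t datalen, char out[][PATH_MAX], int max)
{
    FILE *f = tmpfile();
    int n = 0;

    if (f == NULL || fwrite(data, 1, datalen, f) != datalen) {
        if (f) fclose(f);
        return -1;
    }
    rewind(f);
    while (n < max && get_next_file_fixed(f, out[n]) != NULL)
        n++;
    fclose(f);
    return n;
}

/* Constructed sample -V file: the second "line" begins with a NUL byte. */
static const char sample_vfile[] = "a.pcap\n\0junk\nb.pcap";
static char sample_names[4][PATH_MAX];
int sample_name_count(void) { return read_names(sample_vfile, sizeof sample_vfile - 1, sample_names, 4); }
const char *sample_name(int i) { return sample_names[i]; }
```

With the sample input the hardened reader returns three names, the second of which is the empty string that would have driven the original code to `ptr[-1]`.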

Related CVEs

Associated Common Vulnerabilities and Exposures

The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Buffer Underflow