Date: Tue, 3 Sep 2024 19:44:26 +0800
From: James Watt <crispy.james.watt@gmail.com>
To: freebsd-security@freebsd.org
Subject: Security Vulnerability - Action Required: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability may in your project
Message-ID: <CADUHo-Xgk8HCo7bLUQXGNC%2BxNR6yNrZRVFk=zBxvRYgPLEyc_w@mail.gmail.com>
index | next in thread | raw e-mail
[-- Attachment #1 --]
Hi, there
we have detected that your project may be vulnerable to ILoop with
Unreachable Exit Condition ('Infinite Loop') in the function of ` ppp_hdlc
` in the file of ` contrib/tcpdump/print-ppp.c ` . It shares similarities
to a recent CVE disclosure [CVE-2024-2397](
https://nvd.nist.gov/vuln/detail/CVE-2024-2397) in the
https://github.com/the-tcpdump-group/tcpdump
**The source vulnerability information is as follows:**
> Vulnerability Detail:
> CVE Identifier: CVE-2024-2397
> Description: Due to a bug in packet data buffers management, the PPP
printer in tcpdump can enter an infinite loop when reading a crafted
DLT_PPP_SERIAL .pcap savefile. This problem does not affect any tcpdump
release, but it affected the git master branch from 2023-06-05 to
2024-03-21.
> Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-2397
> Patch:
https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2
Would you help to check if this bug is true? If it's true, I'd like to open
a PR for that if necessary. Thank you for your effort and patience!
Best regards,
James
[-- Attachment #2 --]
<div dir="ltr">Hi, there<br> we have detected that your project may be vulnerable to ILoop with Unreachable Exit Condition ('Infinite Loop') in the function of ` ppp_hdlc ` in the file of ` contrib/tcpdump/print-ppp.c ` . It shares similarities to a recent CVE disclosure [CVE-2024-2397](<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-2397" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2024-2397</a>) in the <a href="https://github.com/the-tcpdump-group/tcpdump" target="_blank">https://github.com/the-tcpdump-group/tcpdump</a><br><br>**The source vulnerability information is as follows:**<br><br>> Vulnerability Detail:<br>> CVE Identifier: CVE-2024-2397<br>> Description: Due to a bug in packet data buffers management, the PPP printer in tcpdump can enter an infinite loop when reading a crafted DLT_PPP_SERIAL .pcap savefile. This problem does not affect any tcpdump release, but it affected the git master branch from 2023-06-05 to 2024-03-21.<br>> Reference: <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-2397" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2024-2397</a><br>> Patch: <a href="https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2" target="_blank">https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2</a><div><br></div><div><br>Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!</div><div><br></div><div>Best regards,</div><div>James </div><img width="0" height="0" class="mailtrack-img" alt="" style="display:flex" src="https://mailtrack.io/trace/mail/9f68279a8de0f7ba6a0beb2000f890de76baee1d.png?u=8536293"></div>;
home |
help
![https://mailtrack.io/trace/mail/9f68279a8de0f7ba6a0beb2000f890de76baee1d.png?u=8536293"></div>](https://mailtrack.io/trace/mail/9f68279a8de0f7ba6a0beb2000f890de76baee1d.png?u=8536293"></div){kind=link}
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADUHo-Xgk8HCo7bLUQXGNC%2BxNR6yNrZRVFk=zBxvRYgPLEyc_w>