Fedora has issued an advisory on September 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EFRZCT4UN4QXFPROASMGHI2MZ7OWZVZ2/

Mageia 5 is also affected.
The issue is fixed upstream in 1.5.0.
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing three pretty recent committers, and fedya who once imported this package.

@fedya Just in case you find time again to contribute & learn to now become a full packager: if your password wasn't reset since the end of February, then a sysadmin needs to reset it first. If the ssh key that you used to commit is a dsa key, then a sysadmin needs to replace your public key in identity with the public rsa key that you provide to him. You can privately mail all our sysadmins by sending a mail to sysadmin AT group DOT mageia DOT org :-)

CC: (none) => alexander, cjw, geiger.david68210, guillomovitch, marja11
Assignee: bugsquad => pkg-bugs
Updated package uploaded for Mageia 6.

Advisory:
========================

Updated tcpflow package fixes security vulnerability:

An issue was discovered in wifipcap/wifipcap.cpp in TCPFLOW through 1.5.0-alpha. There is an integer overflow in the function handle_prism during caplen processing. If the caplen is less than 144, one can cause an integer overflow in the function handle_80211, which will result in an out-of-bounds read and may allow access to sensitive memory or a denial of service (CVE-2018-14938).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14938
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EFRZCT4UN4QXFPROASMGHI2MZ7OWZVZ2/
========================

Updated packages in core/updates_testing:
========================
tcpflow-1.5.0-1.mga6

from tcpflow-1.5.0-1.mga6.src.rpm

CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2018-14938
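The bug class named in the advisory above (an unsigned length underflow when caplen is below 144), shown as an added example that is not tcpflow's code and not part of any comment in this report. The function names are hypothetical, and the example assumes the 144 bytes are a fixed header skipped before the 802.11 payload is parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PRISM_HDR_LEN 144u  /* the threshold named in the advisory */

/* Unchecked pattern: unsigned subtraction wraps when caplen < 144,
 * so a 10-byte capture yields a "payload length" near 4 GiB. */
static uint32_t payload_len_unchecked(uint32_t caplen)
{
    return caplen - PRISM_HDR_LEN;
}

/* Checked form (hypothetical helper): reject short captures before any
 * offset or length is derived. Returns 0 on success, -1 on rejection. */
static int prism_payload(const uint8_t *pkt, uint32_t caplen,
                         const uint8_t **payload, uint32_t *payload_len)
{
    if (pkt == NULL || caplen < PRISM_HDR_LEN)
        return -1;
    *payload = pkt + PRISM_HDR_LEN;
    *payload_len = caplen - PRISM_HDR_LEN;
    return 0;
}

int main(void)
{
    static const uint8_t frame[200] = {0};           /* constructed buffer */
    const uint32_t caplens[] = {10, 143, 144, 200};  /* constructed inputs */

    for (size_t i = 0; i < sizeof caplens / sizeof caplens[0]; i++) {
        const uint8_t *p = NULL;
        uint32_t n = 0;
        int rc = prism_payload(frame, caplens[i], &p, &n);
        printf("caplen=%3u unchecked_len=%10u checked=%s len=%u\n",
               (unsigned)caplens[i],
               (unsigned)payload_len_unchecked(caplens[i]),
               rc == 0 ? "ok" : "rejected", (unsigned)n);
    }
    return 0;
}
```

A parser that trusts the wrapped length reads far past the end of the capture buffer, which is the out-of-bounds read the advisory describes.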
Installed and tested without issues.

Tests included capturing HTTP(S), IMAP(S), POP3(S), MySQL to files or terminal. The output seems correct.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lspcidrake | grep NET
r8169 : Realtek Semiconductor Co., Ltd.|RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [NETWORK_ETHERNET] (rev: 02)
$ rpm -q tcpflow
tcpflow-1.5.0-1.mga6
$ tcpflow -a -i lo
reportfilename: ./report.xml
tcpflow: listening on lo
^C
$ tcpflow -a
reportfilename: ./report.xml
tcpflow: listening on enp2s0
^C

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK
Validating. Suggested advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0401.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED