tcpdump mailing list archives
Re: CVE-2020-8037: memory allocation in ppp decapsulator
From: Bill Fenner via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 30 Nov 2020 13:24:38 -0500
--- Begin Message --- From: Bill Fenner <fenner () gmail com>
Date: Mon, 30 Nov 2020 13:24:38 -0500
On Mon, Nov 30, 2020 at 12:59 PM Michael Richardson <mcr () sandelman ca> wrote:Hi, CVE-2020-8037 causes a big amount of memory to be allocated (then freed), it does not cause an attack.That's helpful information. (On a low-memory device that actually requires memory at malloc time, it might cause tcpdump to crash due to failure to allocate memory, but on a system using, e.g., glibc, it won't). I think changing the availability impact from A:H to A:N results in reducing the CVSS score from 7.5 to 0, which is probably worth pursuing if you want people to not be freaking out about the severity here. I think that you are on the security@ list, and I think that this did gothrough that list at the time.I'm not receiving any messages from security@, but let's take this off-list. Bill
--- End Message ---
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- CVE-2020-8037: memory allocation in ppp decapsulator Bill Fenner via tcpdump-workers (Nov 30)
- Re: CVE-2020-8037: memory allocation in ppp decapsulator Michael Richardson via tcpdump-workers (Nov 30)
- Message not available
- Re: CVE-2020-8037: memory allocation in ppp decapsulator Bill Fenner via tcpdump-workers (Nov 30)