From 195618c8aa768078359e8a2374120050c4cb2d40f2c882d3a838d0dc9d04931f Mon Sep 17 00:00:00 2001 From: Michal Kubecek Date: Thu, 20 Nov 2025 07:08:11 +0100 Subject: [PATCH] upgrade to upstream version 4.5.2 - multiple security fixes - AF_XDP socket support - IPv6 frag extension handling - SLL2 support --- tcpreplay-4.4.4.tar.xz | 3 --- tcpreplay-4.4.4.tar.xz.asc | 11 ----------- tcpreplay-4.5.2.tar.xz | 3 +++ tcpreplay-4.5.2.tar.xz.asc | 11 +++++++++++ tcpreplay-CVE-2025-8746.patch | 14 ++++++++++++++ tcpreplay.changes | 30 ++++++++++++++++++++++++++++++ tcpreplay.spec | 11 +++++------ 7 files changed, 63 insertions(+), 20 deletions(-) delete mode 100644 tcpreplay-4.4.4.tar.xz delete mode 100644 tcpreplay-4.4.4.tar.xz.asc create mode 100644 tcpreplay-4.5.2.tar.xz create mode 100644 tcpreplay-4.5.2.tar.xz.asc create mode 100644 tcpreplay-CVE-2025-8746.patch diff --git a/tcpreplay-4.4.4.tar.xz b/tcpreplay-4.4.4.tar.xz deleted file mode 100644 index d9048e1..0000000 --- a/tcpreplay-4.4.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3ff9753cc43bb15e77832cee657e3030dbcdd957fa247e6abacc605689e24051 -size 748344 diff --git a/tcpreplay-4.4.4.tar.xz.asc b/tcpreplay-4.4.4.tar.xz.asc deleted file mode 100644 index d4b874c..0000000 --- a/tcpreplay-4.4.4.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQFKBAABCgA0FiEEhOT6IVyTSn2X3HbV6eIUl5O94X4FAmSGDcIWHHRjcHJlcGxh -eUBhcHBuZXRhLmNvbQAKCRDp4hSXk73hfkScB/kBMmRAe/4PSAzX6olgFxcG2A2q -zqVi3UZrpdHROZ80Bar9ZFOYTSovJihW8VuH4+TyF/wUJjC0Lj/6tcULeRTL2eU6 -Qpkez+EpdSi/pa+p+gkix8YdMEqhI5Vydejf5wuA1GGwnnBwxAHKl9ctUeKRId4M -3XtYA3P9kuu/cohSmj9G5eu8RT2gxVpihOPrWQQAKhzLOSH9fy8ypnKbaXNbyEdE -zc0l2RKdFRn1FKMdCnYDZzTH93XSKdI6mIGijd4/KWdVk19RW8nwG9k3uHWzCjsg -exsXHTa8JyOInug8w8uFAm2A5V0sRGLJ5zS2rn9a68EBcBotIQ/tygsbJyTz -=MGgL ------END PGP SIGNATURE----- diff --git a/tcpreplay-4.5.2.tar.xz b/tcpreplay-4.5.2.tar.xz new file mode 100644 index 0000000..eac0d98 --- /dev/null +++ b/tcpreplay-4.5.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2df15bc6d49f96a77617d137049f998193bbae95c1a31b04ca02856a24cbf384 +size 818824 diff --git a/tcpreplay-4.5.2.tar.xz.asc b/tcpreplay-4.5.2.tar.xz.asc new file mode 100644 index 0000000..ae8467a --- /dev/null +++ b/tcpreplay-4.5.2.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQFKBAABCgA0FiEEhOT6IVyTSn2X3HbV6eIUl5O94X4FAmiucVgWHHRjcHJlcGxh +eUBhcHBuZXRhLmNvbQAKCRDp4hSXk73hfmrCB/44WWbB9m0lG/QvVqGcfxG5f/kW +RsLrEyKwpesQXHQHOgQFJWUxhkx9BEWwxGpWRlw0yJtSZ3+MueGncxPgWJ4zw+TP +Pr+gByphN3Nz3ul+WFFg03AX8Mvx5uPpTgdCVZIOuAvE68a0QfGjAedFCrLVhoj8 +AZ3KtWkbkD+JT1M2kwq1/jF5FCa6PFidUQRhC6HsuxcnuRaa1mRQSDsMjNxeJPVS +oU0tDSjdLQeNgCXEZqn13txdl+cO54KEnZ0ekuKCPQrIbblHE3VKhZcM9FIHYg4b +LKcO70sDcv9A2uOCBosY6RN7QPF97QngtwfU9qweFtSyMFUDj3H7Dxgsf5FJ +=tn7q +-----END PGP SIGNATURE----- diff --git a/tcpreplay-CVE-2025-8746.patch b/tcpreplay-CVE-2025-8746.patch new file mode 100644 index 0000000..0653655 --- /dev/null +++ b/tcpreplay-CVE-2025-8746.patch @@ -0,0 +1,14 @@ +Index: tcpreplay-4.5.1/libopts/save.c +=================================================================== +--- tcpreplay-4.5.1.orig/libopts/save.c ++++ tcpreplay-4.5.1/libopts/save.c +@@ -495,6 +495,9 @@ remove_settings(tOptions * opts, char co + char * text = text_mmap(fname, PROT_READ|PROT_WRITE, MAP_PRIVATE, &map_info); + char * scan = text; + ++ if (TEXT_MMAP_FAILED_ADDR(text)) ++ goto leave; ++ + for (;;) { + char * next = scan = strstr(scan, zCfgProg); + if (scan == NULL) diff --git a/tcpreplay.changes b/tcpreplay.changes index d4e219b..49669c7 100644 --- a/tcpreplay.changes +++ b/tcpreplay.changes @@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Thu Nov 13 00:28:00 UTC 2025 - Michal Kubecek + +- update to 4.5.2: + * features added since 4.4.4 + - fix/recalculate header checksum for ipv6-frag + - IPv6 frag checksum support + - AF_XDP socket support + - tcpreplay -w (write into a pcap file) + - tcpreplay --fixhdrlen + - --include and --exclude options + - SLL2 support + - Haiku support + * security fixes reported for 4.4.4 fixed in 4.5.2 + - CVE-2023-4256 / bsc#1218249 + - CVE-2023-43279 / bsc#1221324 + - CVE-2024-3024 / bsc#1222131 (likely) + - CVE-2024-22654 / bsc#1243845 + - CVE-2025-9157 / bsc#1248322 + - CVE-2025-9384 / bsc#1248595 + - CVE-2025-9385 / bsc#1248596 + - CVE-2025-9386 / bsc#1248597 + - CVE-2025-9649 / bsc#1248964 + - CVE-2025-51006 / bsc#1250356 + - see https://github.com/appneta/tcpreplay/compare/v4.4.4...v4.5.2 + for full changelog +- security fix for CVE-2025-8746 / bsc#1247919 + * tcpreplay-CVE-2025-8746.patch +- drop SLE11 build workaround (not needed in Leap package) + ------------------------------------------------------------------- Tue Jul 11 16:31:05 UTC 2023 - Martin Hauke diff --git a/tcpreplay.spec b/tcpreplay.spec index fde1130..08e4d59 100644 --- a/tcpreplay.spec +++ b/tcpreplay.spec @@ -17,7 +17,7 @@ Name: tcpreplay -Version: 4.4.4 +Version: 4.5.2 Release: 0 Summary: Network analysis and testing tools License: GPL-3.0-only @@ -26,17 +26,14 @@ URL: https://tcpreplay.appneta.com/ Source0: https://github.com/appneta/tcpreplay/releases/download/v%{version}/%{name}-%{version}.tar.xz Source1: https://github.com/appneta/tcpreplay/releases/download/v%{version}/%{name}-%{version}.tar.xz.asc Source2: %{name}.keyring +# CVE-2025-8746 [bsc#1247917], improper input validation and memory bounds checking when processing certain malformed configuration files +Patch0: tcpreplay-CVE-2025-8746.patch BuildRequires: dbus-1-devel BuildRequires: libdnet-devel BuildRequires: libpcap-devel BuildRequires: tcpdump Requires: tcpdump -%if 0%{?suse_version} >= 1130 BuildRequires: libnl3-devel -%else -# only needed for suse_version < 1130 (i.e. SLE11) -BuildRequires: xz -%endif %description Tcpreplay is a suite of utilities for editing and replaying @@ -47,8 +44,10 @@ supports switches, routers and IP Flow/NetFlow appliances. %prep %setup -q +%patch -P 0 -p1 %build +export CFLAGS="%{optflags} -std=gnu11" %configure \ --enable-dynamic-link %make_build -- 2.51.1