CVE-2012-0698: Input Validation

Published Jan 14, 2012
·
Updated

From Andy Lutomirski

The attached Python script will segfault tcsd.

This particular vulnerability is a read from an attacker-controlled address, so getting anything more severe than information disclosure out of it may be difficult. But there is a lot of fishy input validation, and it may be possible to persuade the code to write out of bounds as well. It is certainly possible to cause memory allocation failures, but I haven't seen one that's unchecked yet.

Upstream report (currently private) here: https://sourceforge.net/tracker/?func=detail&atid=704358&aid=3473554&groupid=126012

Other sources

tcsd in TrouSerS before 0.3.10 allows remote attackers to cause a denial of service (daemon crash) via a crafted typeoffset value in a TCP packet to port 30003.

MITRE

Affected Software

15 affected componentsFixes available
redhat/trousers<0.3.9
0.3.9
Trustedcomputinggroup Trousers<=0.3.9
Trustedcomputinggroup Trousers=0.2.8
Trustedcomputinggroup Trousers=0.2.9
Trustedcomputinggroup Trousers=0.2.9.1
Trustedcomputinggroup Trousers=0.2.9.2
Trustedcomputinggroup Trousers=0.3.0
Trustedcomputinggroup Trousers=0.3.1
Trustedcomputinggroup Trousers=0.3.2
Trustedcomputinggroup Trousers=0.3.3
Trustedcomputinggroup Trousers=0.3.4
Trustedcomputinggroup Trousers=0.3.5
Trustedcomputinggroup Trousers=0.3.6
Trustedcomputinggroup Trousers=0.3.7
Trustedcomputinggroup Trousers=0.3.8

Remediation

Patch Available

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=50dd06a6f639b76b3bb629606ef71b2dc5407601

Patch Available

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786

Event History

Nov 26, 2012
CVE Published
via MITRE·11:00 AM
Data Sourced
via MITRE·11:00 AM
Description
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2012-0698?

CVE-2012-0698 has a low severity due to its limited impact primarily resulting in a segmentation fault.

2

How do I fix CVE-2012-0698?

To fix CVE-2012-0698, update the TrouSerS package to version 0.3.9 or later.

3

What software is affected by CVE-2012-0698?

CVE-2012-0698 affects multiple versions of the TrouSerS package, specifically versions up to 0.3.9.

4

Can CVE-2012-0698 lead to data loss?

CVE-2012-0698 does not appear to facilitate data loss but may result in an application crash.

5

Is CVE-2012-0698 remotely exploitable?

CVE-2012-0698 is not considered remotely exploitable since it requires local access to trigger the vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203