CVE-2019-1010142

Advisory

Scapy 2.4.1 includes a fix for CVE-2019-1010142: Denial of Service. The impact is infinite loop, resource consumption and program unresponsive. The component affected component is '_RADIUSAttrPacketListField.getfield(self..)'. The attack vector is over the network or a malicious pcap.
https://github.com/secdev/scapy/pull/1409/commits/0d7ae2b039f650a40e511d09eb961c782da025d9

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Main changes

- Gabriel Potter is officially part of the Scapy maintainers team
- PEP08 compliance (see 1277)
- Speed improvements (see 642)

Core

- 253 merged pull requests since v2.4.0
- Python 3.7 support
- Enhanced Windows support
- unit testing is now 100% tox based

Layers

Major changes

- Many automotive related layers added (ISO-TP...)

New

- EtherCat
- OPCDA
- SOCKS
- USBpcap
- RPKI

Improved

- MACsec, MQTT, MPLS, DNS, ARP, Dot15d4, Zigbee, Bluetooth4LE, RadioTap ...
- Enhanced monitor mode support

Other

- addresses [a v2.4.0 vulnerability](https://github.com/secdev/scapy/security/advisories/GHSA-q5wg-mj9r-hp59)

Resources

• https://pypi.org/project/scapy
• https://pyup.io/changelogs/scapy/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010142
• https://github.com/secdev/scapy/pull/1409/files#diff-441eff981e466959968111fc6314fe93L1058
• https://github.com/secdev/scapy/pull/1409
• https://www.imperva.com/blog/scapy-sploit-python-network-tool-is-vulnerable-to-denial-of-service-dos-attack-cve-pending/
• http://www.securityfocus.com/bid/106674
• https://lists.fedoraproject.org/archives/list/[email protected]/message/T46XW4S5BCA3VV3JT3C5Q6LBEXSIACLN/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/42NRPMC3NS2QVFNIXYP6WV2T3LMLLY7E/