gnu: tcpdump: Update to 4.9.2 [security fixes].
Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902,
12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997,
12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010,
13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024,
13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037,
13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050,
13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}.
* gnu/packages/admin.scm (tcpdump): Update to 4.9.2.
[source]: Remove patches and add alternate source URL.
* gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
gnu/packages/patches/tcpdump-CVE-2017-11542.patch,
gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
5 files changed, 10 insertions(+), 173 deletions(-) M gnu/local.mk M gnu/packages/admin.scm D gnu/packages/patches/tcpdump-CVE-2017-11541.patch D gnu/packages/patches/tcpdump-CVE-2017-11542.patch D gnu/packages/patches/tcpdump-CVE-2017-11543.patch
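--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1034,9 +1034,6 @@ dist_patch_DATA = \
   %D%/packages/patches/tar-skip-unreliable-tests.patch \
   %D%/packages/patches/tcl-mkindex-deterministic.patch \
   %D%/packages/patches/tclxml-3.2-install.patch \
-  %D%/packages/patches/tcpdump-CVE-2017-11541.patch \
-  %D%/packages/patches/tcpdump-CVE-2017-11542.patch \
-  %D%/packages/patches/tcpdump-CVE-2017-11543.patch \
   %D%/packages/patches/tcsh-fix-autotest.patch \
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \
   %D%/packages/patches/teensy-loader-cli-help.patch \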
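--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -661,17 +661,20 @@ network statistics collection, security monitoring, network debugging, etc.")
 (define-public tcpdump
   (package
     (name "tcpdump")
-    (version "4.9.1")
+    (version "4.9.2")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
-                                  version ".tar.gz"))
-              (patches (search-patches "tcpdump-CVE-2017-11541.patch"
-                                       "tcpdump-CVE-2017-11542.patch"
-                                       "tcpdump-CVE-2017-11543.patch"))
+              (uri (list (string-append "http://www.tcpdump.org/release/tcpdump-"
+                                        version ".tar.gz")
+                         ;; The tarball is not yet distributed from tcpdump.org,
+                         ;; so we fetch it from Arch. For more information see
+                         ;; <https://bugs.gnu.org/28387>.
+                         (string-append "https://sources.archlinux.org/other/"
+                                        "packages/tcpdump/tcpdump-"
+                                        version ".tar.gz")))
               (sha256
                (base32
-                "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
+                "0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr"))))
     (build-system gnu-build-system)
     (inputs `(("libpcap" ,libpcap)
               ("openssl" ,openssl)))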
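Review bot: The new `uri` list fetches the 4.9.2 release from a third-party mirror (sources.archlinux.org) as a fallback and from tcpdump.org over plain http, so the integrity of this security update rests entirely on the pinned sha256, and the comment does not record how that hash was established. I would extend the comment so a later reader can tell whether the hash was checked against upstream's signed 4.9.2 tarball or simply taken from the mirror, e.g. `;; TODO: confirm this hash against the upstream-signed tarball and drop the` / `;; Arch fallback once tcpdump.org serves 4.9.2 (see bug 28387).`, or state the verification that was done. The `define-public tcpdump` form starts inside the hunk but its package body continues past it.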
D gnu/packages/patches/tcpdump-CVE-2017-11541.patch => gnu/packages/patches/tcpdump-CVE-2017-11541.patch +0 -47
@@ 1,47 0,0 @@ Fix CVE-2017-11541 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 Patch copied from upstream source repository: https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 From: Guy Harris <guy@alum.mit.edu> Date: Tue, 7 Feb 2017 11:40:36 -0800 Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before checking for a NUL terminator. safeputs() doesn't do packet bounds checking of its own; it assumes that the caller has checked the availability in the packet data of all maxlen bytes of data. This means we should check that we're within the specified limit before looking at the byte. This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by the reporter(s). --- tests/TESTLIST | 1 + tests/hoobr_safeputs.out | 2 ++ tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes util-print.c | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 tests/hoobr_safeputs.out create mode 100644 tests/hoobr_safeputs.pcap diff --git a/util-print.c b/util-print.c index 394e7d59..ec3e8de8 100644 --- a/util-print.c +++ b/util-print.c @@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, { u_int idx = 0; - while (*s && idx < maxlen) { + while (idx < maxlen && *s) { safeputchar(ndo, *s); idx++; s++; -- 2.14.1
D gnu/packages/patches/tcpdump-CVE-2017-11542.patch => gnu/packages/patches/tcpdump-CVE-2017-11542.patch +0 -37
@@ 1,37 0,0 @@ Fix CVE-2017-11542: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 Patch copied from upstream source repository: https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 From: Guy Harris <guy@alum.mit.edu> Date: Tue, 7 Feb 2017 11:10:04 -0800 Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by the reporter(s). --- print-pim.c | 1 + tests/TESTLIST | 1 + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes 4 files changed, 27 insertions(+) create mode 100644 tests/hoobr_pimv1.out create mode 100644 tests/hoobr_pimv1.pcap diff --git a/print-pim.c b/print-pim.c index 25525953..ed880ae7 100644 --- a/print-pim.c +++ b/print-pim.c @@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, pimv1_join_prune_print(ndo, &bp[8], len - 8); break; } + ND_TCHECK(bp[4]); if ((bp[4] >> 4) != 1) ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); return;
D gnu/packages/patches/tcpdump-CVE-2017-11543.patch => gnu/packages/patches/tcpdump-CVE-2017-11543.patch +0 -79
@@ 1,79 0,0 @@ Fix CVE-2017-11543: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 Patch copied from upstream source repository: https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 From: Guy Harris <guy@alum.mit.edu> Date: Fri, 17 Mar 2017 12:49:04 -0700 Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. Report if it's not, and don't use it as an out-of-bounds index into an array. This fixes a buffer overflow discovered by Wilfried Kirsch. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture. --- print-sl.c | 25 +++++++++++++++++++++++-- tests/TESTLIST | 3 +++ tests/slip-bad-direction.out | 1 + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes 4 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 tests/slip-bad-direction.out create mode 100644 tests/slip-bad-direction.pcap diff --git a/print-sl.c b/print-sl.c index 3fd7e898..a02077b3 100644 --- a/print-sl.c +++ b/print-sl.c @@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, u_int hlen; dir = p[SLX_DIR]; - ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); + switch (dir) { + case SLIPDIR_IN: + ND_PRINT((ndo, "I ")); + break; + + case SLIPDIR_OUT: + ND_PRINT((ndo, "O ")); + break; + + default: + ND_PRINT((ndo, "Invalid direction %d ", dir)); + dir = -1; + break; + } if (ndo->ndo_nflag) { /* XXX just dump the header */ register int i; 
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, * has restored the IP header copy to IPPROTO_TCP. */ lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; + ND_PRINT((ndo, "utcp %d: ", lastconn)); + if (dir == -1) { + /* Direction is bogus, don't use it */ + return; + } hlen = IP_HL(ip); hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); lastlen[dir][lastconn] = length - (hlen << 2); - ND_PRINT((ndo, "utcp %d: ", lastconn)); break; default: + if (dir == -1) { + /* Direction is bogus, don't use it */ + return; + } if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { compressed_sl_print(ndo, &p[SLX_CHDR], ip, length, dir);