GNU bug report logs - #28361
[PATCH] gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 5 Sep 2017 17:00:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Report forwarded to guix-patches <at> gnu.org: bug#28361; Package guix-patches. (Tue, 05 Sep 2017 17:00:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 05 Sep 2017 17:00:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].
Date: Tue,  5 Sep 2017 12:58:44 -0400

* gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
gnu/packages/patches/tcpdump-CVE-2017-11542.patch
gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/admin.scm (tcpdump)[source]: Use them.
---
 gnu/local.mk                                      |  3 +
 gnu/packages/admin.scm                            |  3 +
 gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 ++++++++++++++
 gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 +++++++++++
 gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 +++++++++++++++++++++++
 5 files changed, 169 insertions(+)
 create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch
 create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch
 create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 643a88db8..edfecc778 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1031,6 +1031,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
+  %D%/packages/patches/tcpdump-CVE-2017-11541.patch		\
+  %D%/packages/patches/tcpdump-CVE-2017-11542.patch		\
+  %D%/packages/patches/tcpdump-CVE-2017-11543.patch		\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
   %D%/packages/patches/teensy-loader-cli-help.patch		\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index ea71de6f5..f047bcaef 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -666,6 +666,9 @@ network statistics collection, security monitoring, network debugging, etc.")
               (method url-fetch)
               (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
                                   version ".tar.gz"))
+              (patches (search-patches "tcpdump-CVE-2017-11541.patch"
+                                       "tcpdump-CVE-2017-11542.patch"
+                                       "tcpdump-CVE-2017-11543.patch"))
               (sha256
                (base32
                 "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
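Review bot: The origin's sha256 is left unchanged, which is correct here: Guix fetches the pristine upstream tarball and applies the `patches` field afterwards, so the hash still pins the archive as published. Two things to verify before pushing: the three names passed to `search-patches` must match the `dist_patch_DATA` entries in gnu/local.mk byte for byte (a mismatch only surfaces as a lookup failure at build time), and because the release URL is plain `http://`, download integrity rests entirely on that hash; switching to `https://` is worth doing if upstream serves it.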
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
new file mode 100644
index 000000000..a9fc632dc
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-11541
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
+
+From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy <at> alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:40:36 -0800
+Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
+ checking for a NUL terminator.
+
+safeputs() doesn't do packet bounds checking of its own; it assumes that
+the caller has checked the availability in the packet data of all maxlen
+bytes of data.  This means we should check that we're within the
+specified limit before looking at the byte.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+---
+ tests/TESTLIST            |   1 +
+ tests/hoobr_safeputs.out  |   2 ++
+ tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
+ util-print.c              |   2 +-
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 tests/hoobr_safeputs.out
+ create mode 100644 tests/hoobr_safeputs.pcap
+
+diff --git a/util-print.c b/util-print.c
+index 394e7d59..ec3e8de8 100644
+--- a/util-print.c
++++ b/util-print.c
+@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
+ {
+ 	u_int idx = 0;
+ 
+-	while (*s && idx < maxlen) {
++	while (idx < maxlen && *s) {
+ 		safeputchar(ndo, *s);
+ 		idx++;
+ 		s++;
+-- 
+2.14.1
+
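Review bot: The one-line change is sound: swapping the operands of `&&` makes `idx < maxlen` short-circuit before `*s` is dereferenced, so the byte at offset `maxlen` is never read, which is exactly the over-read the commit message describes (safeputs() relies on the caller having bounds-checked `maxlen` bytes, no more). One cosmetic issue: the copied commit header still lists tests/TESTLIST, tests/hoobr_safeputs.out and tests/hoobr_safeputs.pcap under `4 files changed, 4 insertions(+), 1 deletion(-)`, but only the util-print.c hunk is carried in this file. `patch` ignores the diffstat so it applies fine, but trimming the stat to the hunk actually included would stop a future reader from assuming the regression test ships with the package.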
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch
new file mode 100644
index 000000000..24849d518
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-11542:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
+
+From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy <at> alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:10:04 -0800
+Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+---
+ print-pim.c            |   1 +
+ tests/TESTLIST         |   1 +
+ tests/hoobr_pimv1.out  |  25 +++++++++++++++++++++++++
+ tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
+ 4 files changed, 27 insertions(+)
+ create mode 100644 tests/hoobr_pimv1.out
+ create mode 100644 tests/hoobr_pimv1.pcap
+
+diff --git a/print-pim.c b/print-pim.c
+index 25525953..ed880ae7 100644
+--- a/print-pim.c
++++ b/print-pim.c
+@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
+ 			pimv1_join_prune_print(ndo, &bp[8], len - 8);
+ 		break;
+ 	}
++	ND_TCHECK(bp[4]);
+ 	if ((bp[4] >> 4) != 1)
+ 		ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
+ 	return;
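Review bot: `ND_TCHECK(bp[4]);` sits immediately before the first read of `bp[4]` after the switch, which is the right place; the switch cases reach `&bp[8]`, so they must be relying on their own checks inside `pimv1_join_prune_print` and the other callees. `ND_TCHECK` jumps to a `trunc` label on failure, and that label is not in the context shown: confirm that `pimv1_print` in the tcpdump version being packaged defines it, otherwise the patch applies cleanly but the build fails. Minor inconsistency: this patch file ends at the hunk's last context line with no `-- ` / `2.14.1` trailer, unlike the other two, which is harmless but worth making uniform.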
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
new file mode 100644
index 000000000..c97350398
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
@@ -0,0 +1,79 @@
+Fix CVE-2017-11543:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
+
+From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy <at> alum.mit.edu>
+Date: Fri, 17 Mar 2017 12:49:04 -0700
+Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
+
+Report if it's not, and don't use it as an out-of-bounds index into an
+array.
+
+This fixes a buffer overflow discovered by Wilfried Kirsch.
+
+Add a test using the capture file supplied by the reporter(s), modified
+so the capture file won't be rejected as an invalid capture.
+---
+ print-sl.c                    |  25 +++++++++++++++++++++++--
+ tests/TESTLIST                |   3 +++
+ tests/slip-bad-direction.out  |   1 +
+ tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100644 tests/slip-bad-direction.out
+ create mode 100644 tests/slip-bad-direction.pcap
+
+diff --git a/print-sl.c b/print-sl.c
+index 3fd7e898..a02077b3 100644
+--- a/print-sl.c
++++ b/print-sl.c
+@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
+ 	u_int hlen;
+ 
+ 	dir = p[SLX_DIR];
+-	ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
++	switch (dir) {
+ 
++	case SLIPDIR_IN:
++		ND_PRINT((ndo, "I "));
++		break;
++
++	case SLIPDIR_OUT:
++		ND_PRINT((ndo, "O "));
++		break;
++
++	default:
++		ND_PRINT((ndo, "Invalid direction %d ", dir));
++		dir = -1;
++		break;
++	}
+ 	if (ndo->ndo_nflag) {
+ 		/* XXX just dump the header */
+ 		register int i;
+@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
+ 		 * has restored the IP header copy to IPPROTO_TCP.
+ 		 */
+ 		lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
++		ND_PRINT((ndo, "utcp %d: ", lastconn));
++		if (dir == -1) {
++			/* Direction is bogus, don't use it */
++			return;
++		}
+ 		hlen = IP_HL(ip);
+ 		hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
+ 		lastlen[dir][lastconn] = length - (hlen << 2);
+-		ND_PRINT((ndo, "utcp %d: ", lastconn));
+ 		break;
+ 
+ 	default:
++		if (dir == -1) {
++			/* Direction is bogus, don't use it */
++			return;
++		}
+ 		if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
+ 			compressed_sl_print(ndo, &p[SLX_CHDR], ip,
+ 			    length, dir);
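Review bot: The sentinel approach holds together because both later uses of `dir`, as an array index in `lastlen[dir][lastconn]` and as an argument to `compressed_sl_print(..., dir)`, are now preceded by a `dir == -1` early return, and moving `ND_PRINT((ndo, "utcp %d: ", lastconn));` above that return keeps the output informative for a packet with a bogus direction octet. The declaration of `dir` is outside the context shown; if it is unsigned, `dir = -1` and `dir == -1` still behave as intended after the usual integer conversions, but the comparison may draw a `-Wsign-compare` warning, so check the build log. As with the other two patch files, the copied diffstat lists test files (tests/TESTLIST, tests/slip-bad-direction.out, tests/slip-bad-direction.pcap) that are not carried here.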
-- 
2.14.1

Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Tue, 05 Sep 2017 18:56:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Tue, 05 Sep 2017 18:56:02 GMT)

Message #10 received at 28361-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 28361-done <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].
Date: Tue, 5 Sep 2017 14:55:13 -0400

On Tue, Sep 05, 2017 at 12:58:44PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
> gnu/packages/patches/tcpdump-CVE-2017-11542.patch
> gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/admin.scm (tcpdump)[source]: Use them.

Pushed as 514c2f480643c3481498b4a3ad32d6e6351260ff.

Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 04 Oct 2017 11:24:07 GMT)
