From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].
Date: Tue, 5 Sep 2017 12:58:44 -0400
Message-Id: <40f214dfcb7d7bad4ce7d9770d8475290c283a03.1504630724.git.leo@famulari.name>

* gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
gnu/packages/patches/tcpdump-CVE-2017-11542.patch
gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/admin.scm (tcpdump)[source]: Use them.

--- gnu/local.mk | 3 + gnu/packages/admin.scm | 3 + gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 ++++++++++++++ gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 +++++++++++ gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 +++++++++++++++++++++++ 5 files changed, 169 insertions(+) create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch diff --git a/gnu/local.mk b/gnu/local.mk index 643a88db8..edfecc778 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1031,6 +1031,9 @@ dist_patch_DATA = \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ + %D%/packages/patches/tcpdump-CVE-2017-11541.patch \ + %D%/packages/patches/tcpdump-CVE-2017-11542.patch \ + %D%/packages/patches/tcpdump-CVE-2017-11543.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index ea71de6f5..f047bcaef 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -666,6 +666,9 @@ network statistics collection, security monitoring, network debugging, etc.") (method url-fetch) (uri (string-append "http://www.tcpdump.org/release/tcpdump-" version ".tar.gz")) + (patches (search-patches "tcpdump-CVE-2017-11541.patch" + "tcpdump-CVE-2017-11542.patch" + "tcpdump-CVE-2017-11543.patch")) (sha256 (base32 "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r")))) diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch new file mode 100644 index 000000000..a9fc632dc --- /dev/null +++ b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch 
@@ -0,0 +1,47 @@ +Fix CVE-2017-11541 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 + +Patch copied from upstream source repository: + +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 + +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 7 Feb 2017 11:40:36 -0800 +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before + checking for a NUL terminator. + +safeputs() doesn't do packet bounds checking of its own; it assumes that +the caller has checked the availability in the packet data of all maxlen +bytes of data. This means we should check that we're within the +specified limit before looking at the byte. + +This fixes a buffer over-read discovered by Kamil Frankowicz. + +Add a test using the capture file supplied by the reporter(s). +--- + tests/TESTLIST | 1 + + tests/hoobr_safeputs.out | 2 ++ + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes + util-print.c | 2 +- + 4 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 tests/hoobr_safeputs.out + create mode 100644 tests/hoobr_safeputs.pcap + +diff --git a/util-print.c b/util-print.c +index 394e7d59..ec3e8de8 100644 +--- a/util-print.c ++++ b/util-print.c +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, + { + u_int idx = 0; + +- while (*s && idx < maxlen) { ++ while (idx < maxlen && *s) { + safeputchar(ndo, *s); + idx++; + s++; +-- +2.14.1 + diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch new file mode 100644 index 000000000..24849d518 --- /dev/null +++ b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch 
@@ -0,0 +1,37 @@ +Fix CVE-2017-11542: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 + +Patch copied from upstream source repository: + +https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae + +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 7 Feb 2017 11:10:04 -0800 +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. + +This fixes a buffer over-read discovered by Kamil Frankowicz. + +Add a test using the capture file supplied by the reporter(s). +--- + print-pim.c | 1 + + tests/TESTLIST | 1 + + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes + 4 files changed, 27 insertions(+) + create mode 100644 tests/hoobr_pimv1.out + create mode 100644 tests/hoobr_pimv1.pcap + +diff --git a/print-pim.c b/print-pim.c +index 25525953..ed880ae7 100644 +--- a/print-pim.c ++++ b/print-pim.c +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, + pimv1_join_prune_print(ndo, &bp[8], len - 8); + break; + } ++ ND_TCHECK(bp[4]); + if ((bp[4] >> 4) != 1) + ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); + return; diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch new file mode 100644 index 000000000..c97350398 --- /dev/null +++ b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch 
@@ -0,0 +1,79 @@ +Fix CVE-2017-11543: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 + +Patch copied from upstream source repository: + +https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 + +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Fri, 17 Mar 2017 12:49:04 -0700 +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. + +Report if it's not, and don't use it as an out-of-bounds index into an +array. + +This fixes a buffer overflow discovered by Wilfried Kirsch. + +Add a test using the capture file supplied by the reporter(s), modified +so the capture file won't be rejected as an invalid capture. +--- + print-sl.c | 25 +++++++++++++++++++++++-- + tests/TESTLIST | 3 +++ + tests/slip-bad-direction.out | 1 + + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes + 4 files changed, 27 insertions(+), 2 deletions(-) + create mode 100644 tests/slip-bad-direction.out + create mode 100644 tests/slip-bad-direction.pcap + +diff --git a/print-sl.c b/print-sl.c +index 3fd7e898..a02077b3 100644 +--- a/print-sl.c ++++ b/print-sl.c +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, + u_int hlen; + + dir = p[SLX_DIR]; +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); ++ switch (dir) { + ++ case SLIPDIR_IN: ++ ND_PRINT((ndo, "I ")); ++ break; ++ ++ case SLIPDIR_OUT: ++ ND_PRINT((ndo, "O ")); ++ break; ++ ++ default: ++ ND_PRINT((ndo, "Invalid direction %d ", dir)); ++ dir = -1; ++ break; ++ } + if (ndo->ndo_nflag) { + /* XXX just dump the header */ + register int i; +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, + * has restored the IP header copy to IPPROTO_TCP. 
+ */ + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; ++ ND_PRINT((ndo, "utcp %d: ", lastconn)); ++ if (dir == -1) { ++ /* Direction is bogus, don't use it */ ++ return; ++ } + hlen = IP_HL(ip); + hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); + lastlen[dir][lastconn] = length - (hlen << 2); +- ND_PRINT((ndo, "utcp %d: ", lastconn)); + break; + + default: ++ if (dir == -1) { ++ /* Direction is bogus, don't use it */ ++ return; ++ } + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { + compressed_sl_print(ndo, &p[SLX_CHDR], ip, + length, dir); -- 2.14.1
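Review bot: the gnu/packages/admin.scm hunk leaves the `sha256` of the origin unchanged, which is correct because `search-patches` patches are applied to the unpacked tree by the origin, not to the downloaded tarball, so `1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r` must stay as it is. The tcpdump `version` the three upstream commits are being applied to sits outside the hunk's context, and the patch headers only say "Patch copied from upstream source repository", so it would help a later reader if the commit message named the release the hunks were checked against.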
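Review bot: the util-print.c hunk in tcpdump-CVE-2017-11541.patch swaps the loop condition to `while (idx < maxlen && *s)`, so `&&` short-circuits before `*s` is dereferenced once `idx` reaches `maxlen`; with the old order `*s && idx < maxlen` the byte at offset `maxlen` was read whenever no NUL appeared within the caller-checked region, which is the over-read the commit message describes. The embedded diffstat lists four files (tests/TESTLIST, tests/hoobr_safeputs.out, tests/hoobr_safeputs.pcap and util-print.c) but only the util-print.c hunk is carried; add a line to the "Patch copied from upstream" header saying the test files were dropped on purpose, otherwise the stat and the diff disagree for anyone auditing the patch.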
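Review bot: `ND_TCHECK(bp[4]);` in the print-pim.c hunk of tcpdump-CVE-2017-11542.patch is placed after the `switch` and before `bp[4] >> 4` is read, which is the right spot, but `ND_TCHECK` jumps to a `trunc` label on failure and neither that label nor the declaration of `bp` is inside the hunk's context, so confirm `pimv1_print` has the label at the pinned version (the build fails at compile time if it does not, which at least makes a bad rebase loud). This embedded patch also ends at `+ return;` without the `-- 2.14.1` trailer that the 11541 file keeps; patch(1) does not care, but keep the three files consistent.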
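Review bot: the print-sl.c hunks in tcpdump-CVE-2017-11543.patch use `dir = -1;` as a sentinel and test `dir == -1` before `lastlen[dir][lastconn]` is indexed and before `dir` is passed to `compressed_sl_print`, but the declaration of `dir` is outside the hunk's context (only `u_int hlen;` is shown). If `dir` is unsigned the comparison still holds under the usual arithmetic conversions, since both sides become UINT_MAX, but it reads as a trap; a short comment at the `dir = -1;` line or a named constant would make the intent obvious. The second hunk also moves `ND_PRINT((ndo, "utcp %d: ", lastconn));` ahead of the early `return`, so a packet with a bad direction octet now prints the connection number before the dissector bails; check against the upstream commit that this output ordering change is deliberate rather than an artefact of the rebase.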

Date: Tue, 5 Sep 2017 14:55:13 -0400
From: Leo Famulari
To: 28361-done@debbugs.gnu.org
Subject: Re: [PATCH] gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].
Message-ID: <20170905185513.GA24786@jasmine.lan>
In-Reply-To: <40f214dfcb7d7bad4ce7d9770d8475290c283a03.1504630724.git.leo@famulari.name>

On Tue, Sep 05, 2017 at 12:58:44PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
> gnu/packages/patches/tcpdump-CVE-2017-11542.patch
> gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/admin.scm (tcpdump)[source]: Use them.

Pushed as 514c2f480643c3481498b4a3ad32d6e6351260ff.

From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 04 Oct 2017 11:24:07 +0000

bug archived.