From unknown Tue Aug 19 23:13:56 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#28387] [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes]. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 07 Sep 2017 19:57:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 28387 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 28387@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.150481421214959 (code B ref -1); Thu, 07 Sep 2017 19:57:01 +0000 Received: (at submit) by debbugs.gnu.org; 7 Sep 2017 19:56:52 +0000 Received: from localhost ([127.0.0.1]:54713 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq2uu-0003t8-5r for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:52 -0400 Received: from eggs.gnu.org ([208.118.235.92]:40142) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq2up-0003st-Kx for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dq2uf-0007Mv-30 for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:38 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:51164) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dq2ue-0007Mp-VW for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:33 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59297) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dq2uY-0004sn-Og for guix-patches@gnu.org; Thu, 07 Sep 2017 15:56:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dq2uT-0007H1-CZ for guix-patches@gnu.org; Thu, 07 Sep 2017 15:56:26 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40649) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dq2uT-0007Gj-8P for guix-patches@gnu.org; Thu, 07 Sep 2017 15:56:21 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 37D4C21470; Thu, 7 Sep 2017 15:56:20 -0400 (EDT) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Thu, 07 Sep 2017 15:56:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc:x-sasl-enc; s=mesmtp; bh=gH7hH66j6V/5IrPwjvVLiYyMv43 iOmoo+o+l/tCc/xA=; b=qRfEJdYkmXH7joe0dl1sq+BhhNkXPwFQo5xoSQB3qLT Xsd0LiMgpDGFTZ3G9lfSeLAN+NdZpuNsX4U5VrEITIHSQWI1Zk2OXZ9BwxZ9XaTf ysmbczbvD0zLpAxRhvf28byhHe7NYBoaFGHrDlqVlqA3sxnoRyz9ZnKfJsgEJBB8 = DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=gH7hH6 6j6V/5IrPwjvVLiYyMv43iOmoo+o+l/tCc/xA=; b=FU9+DVuH3DQzfEoQcXRThR EUHXoZfppYjy+rp9oTnj1xXTkoxG6lRbA/BBHK/KAL1pjiF8Q63qwqEBANy+B6xk uIVUma5r17bmvlI/1Yyi2Gm6jZfgyuvsBKO7WTcJexuRQ4Dboj4ZLsTLd+EuZxoZ AVkfDSYXtGsQHhy7hdEoWy34zKOVeKY1/Q3PSqsN45PAdgvboeJhUMn4ok+tpGDp copwIH7NtS0xJBF4APG5W2rChOCVAYsT13OTT0NdJw6mqKqDLm1vv8SLlo5ulGWa 49a1sna+SWOsbsDrJul/jqaMV+c/LwXVj02JaIaXpMPKPM8GZU98x7qYNRH+cNtQ == X-ME-Sender: X-Sasl-enc: U+IoTOrScKMx+LG7zHF+/lmdTaOBn3dNXA5oE69KY+Yg 1504814179 Received: from jasmine.lan (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id DBF407F980 for ; Thu, 7 Sep 2017 15:56:19 -0400 (EDT) From: Leo Famulari Date: Thu, 7 Sep 2017 15:56:15 -0400 Message-Id: <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> X-Mailer: git-send-email 2.14.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.1 (----) Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902, 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997, 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010, 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024, 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037, 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050, 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. [source]: Remove patches. * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch, gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 3 - gnu/packages/admin.scm | 7 +- gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 -------------- gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 ----------- gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 ----------------------- 5 files changed, 2 insertions(+), 171 deletions(-) delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9df17110b..2f8551076 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1034,9 +1034,6 @@ dist_patch_DATA = \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11541.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11542.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11543.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index f047bcaef..e6d5afe76 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -661,17 +661,14 @@ network statistics collection, security monitoring, network debugging, etc.") (define-public tcpdump (package (name "tcpdump") - (version "4.9.1") + (version "4.9.2") (source (origin (method url-fetch) (uri (string-append "http://www.tcpdump.org/release/tcpdump-" version ".tar.gz")) - (patches (search-patches "tcpdump-CVE-2017-11541.patch" - "tcpdump-CVE-2017-11542.patch" - "tcpdump-CVE-2017-11543.patch")) (sha256 (base32 - "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r")))) + "0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr")))) (build-system gnu-build-system) (inputs `(("libpcap" ,libpcap) ("openssl" ,openssl))) diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch deleted file mode 100644 index a9fc632dc..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2017-11541 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 - -From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:40:36 -0800 -Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before - checking for a NUL terminator. - -safeputs() doesn't do packet bounds checking of its own; it assumes that -the caller has checked the availability in the packet data of all maxlen -bytes of data. This means we should check that we're within the -specified limit before looking at the byte. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - tests/TESTLIST | 1 + - tests/hoobr_safeputs.out | 2 ++ - tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes - util-print.c | 2 +- - 4 files changed, 4 insertions(+), 1 deletion(-) - create mode 100644 tests/hoobr_safeputs.out - create mode 100644 tests/hoobr_safeputs.pcap - -diff --git a/util-print.c b/util-print.c -index 394e7d59..ec3e8de8 100644 ---- a/util-print.c -+++ b/util-print.c -@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, - { - u_int idx = 0; - -- while (*s && idx < maxlen) { -+ while (idx < maxlen && *s) { - safeputchar(ndo, *s); - idx++; - s++; --- -2.14.1 - diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch deleted file mode 100644 index 24849d518..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2017-11542: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae - -From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:10:04 -0800 -Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - print-pim.c | 1 + - tests/TESTLIST | 1 + - tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ - tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes - 4 files changed, 27 insertions(+) - create mode 100644 tests/hoobr_pimv1.out - create mode 100644 tests/hoobr_pimv1.pcap - -diff --git a/print-pim.c b/print-pim.c -index 25525953..ed880ae7 100644 ---- a/print-pim.c -+++ b/print-pim.c -@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, - pimv1_join_prune_print(ndo, &bp[8], len - 8); - break; - } -+ ND_TCHECK(bp[4]); - if ((bp[4] >> 4) != 1) - ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); - return; diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch deleted file mode 100644 index c97350398..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch +++ /dev/null @@ -1,79 +0,0 @@ -Fix CVE-2017-11543: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 - -From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Fri, 17 Mar 2017 12:49:04 -0700 -Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. - -Report if it's not, and don't use it as an out-of-bounds index into an -array. - -This fixes a buffer overflow discovered by Wilfried Kirsch. - -Add a test using the capture file supplied by the reporter(s), modified -so the capture file won't be rejected as an invalid capture. ---- - print-sl.c | 25 +++++++++++++++++++++++-- - tests/TESTLIST | 3 +++ - tests/slip-bad-direction.out | 1 + - tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes - 4 files changed, 27 insertions(+), 2 deletions(-) - create mode 100644 tests/slip-bad-direction.out - create mode 100644 tests/slip-bad-direction.pcap - -diff --git a/print-sl.c b/print-sl.c -index 3fd7e898..a02077b3 100644 ---- a/print-sl.c -+++ b/print-sl.c -@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, - u_int hlen; - - dir = p[SLX_DIR]; -- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); -+ switch (dir) { - -+ case SLIPDIR_IN: -+ ND_PRINT((ndo, "I ")); -+ break; -+ -+ case SLIPDIR_OUT: -+ ND_PRINT((ndo, "O ")); -+ break; -+ -+ default: -+ ND_PRINT((ndo, "Invalid direction %d ", dir)); -+ dir = -1; -+ break; -+ } - if (ndo->ndo_nflag) { - /* XXX just dump the header */ - register int i; -@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, - * has restored the IP header copy to IPPROTO_TCP. - */ - lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; -+ ND_PRINT((ndo, "utcp %d: ", lastconn)); -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - hlen = IP_HL(ip); - hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); - lastlen[dir][lastconn] = length - (hlen << 2); -- ND_PRINT((ndo, "utcp %d: ", lastconn)); - break; - - default: -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { - compressed_sl_print(ndo, &p[SLX_CHDR], ip, - length, dir); -- 2.14.1 From unknown Tue Aug 19 23:13:56 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#28387] [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes] References: <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> In-Reply-To: <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 07 Sep 2017 20:00:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28387 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 28387@debbugs.gnu.org Received: via spool by 28387-submit@debbugs.gnu.org id=B28387.150481439915279 (code B ref 28387); Thu, 07 Sep 2017 20:00:02 +0000 Received: (at 28387) by debbugs.gnu.org; 7 Sep 2017 19:59:59 +0000 Received: from localhost ([127.0.0.1]:54723 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq2xz-0003yN-Jd for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:59:59 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:47105) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq2xy-0003yF-EM for 28387@debbugs.gnu.org; Thu, 07 Sep 2017 15:59:58 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id C04C021249; Thu, 7 Sep 2017 15:59:57 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Thu, 07 Sep 2017 15:59:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=content-type:date:from:message-id:mime-version:subject:to :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=Q6q 1EiX/N3dVX2JkuZDjxeqTuyrGGChosuSgMeARaB4=; b=vMcxZpPcuebO6OaFWY4 SHVInZ8W7PbS05MHcEUYlyTvPNPFXLpJ0yNzJTqIX3PNyJ3s+L23ISTT/N69/mun LoXt2HU4EhyIhPWkbuzKTf/AtP/trVC9VRy05uZoDv1CxUGje+9qQb5gYOemd3jb xnfy1f7PPATyXKiePWLhWWs4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=fm1; bh=Q6q1EiX/N3dVX2JkuZDjxeqTuyrGGChosuSgMeARa B4=; b=r0RohpoK+GkDZbH6CSRUjJ9WoRVI0xgCigypkPIAByJoKbuCzbsiIAMxY kSUYTyVlSiMibrqgMaFjDIRvbj5aZ5YGdixnJoGTljlQ/MHAfjYfzG0aY2xZ64r4 gX6XJG54eTupCpNMuMr/AbDl1AcGTHvKwlng3ZyVUPP436N0vQJGVennWVSlUTiu YWw7CT1Y71CusShKuCzPQUEJrdkRUpgtbhyISbieOctyLHMKDE03ln/3jJI1xhJD ck4c2NhvBqRcNDB4N5jA/MAXNx/vOpfOexqPgpsMwgmhxgvaHuGRA2vBoz0oN96x AemQxZxz5/BidB2cqwPRjRsfmArMg== X-ME-Sender: X-Sasl-enc: Xi9UBSpggGj/3UDPeCzVOdGfCHJaPYZkI2wG69DWVqEK 1504814397 Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id 8052024785 for <28387@debbugs.gnu.org>; Thu, 7 Sep 2017 15:59:57 -0400 (EDT) Date: Thu, 7 Sep 2017 15:59:56 -0400 From: Leo Famulari Message-ID: <20170907195956.GA9995@jasmine.lan> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xgyAXRrhYN0wYx8y" Content-Disposition: inline User-Agent: Mutt/1.8.3 (2017-05-23) X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --xgyAXRrhYN0wYx8y Content-Type: multipart/mixed; boundary="7AUc2qLy4jB3hD7Z" Content-Disposition: inline --7AUc2qLy4jB3hD7Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This update was supposed to be "embargoed" until September 25. For some reason, Tcpdump 4.9.2 is already being distributed by other distros. This patch adds Arch Linux as a source because Tcpdump is still not distributing 4.9.2 publicly. However, the tarball from Arch is identical to the one distributed privately by Tcpdump. I've attached Tcpdump's signature so that you can confirm this for yourself. --7AUc2qLy4jB3hD7Z Content-Type: application/octet-stream Content-Disposition: attachment; filename="EMBARGOED-tcpdump-4.9.2.tar.gz.sig" Content-Transfer-Encoding: base64 iQG3BAABCAAdFiEEHxZqV0KrueAkmo0w4Ine8dnBXQ0FAlmtjxgACgkQ4Ine8dnBXQ1IOAwg qDUBJnmxsfTdpWd37XCGcpykFAAywLMUXDu4WqLB8I3j/d1/cotoZisNpCHc87B5F59tlJ1v YIXTZpM+hCNitTMdW752pOQFdowt3flf9++sYH3Q/WkWm7+LlKDBQ2PfKUWED9P4Pkmz2pRR OmgPguCifn1yk1BT6djeGQM34rdzGbYvaLCEylPq2hW1vNJFj0r58EjYsyZSg+gQ09ZGWnzY HUq6hdWEi7u1rfwETO82/VUP4GU4Zp3Zc9PzgE1qcQ1z0A82prNEdu97LvY35wEgzSnKN3yJ L9jNCQgd+1MAhHPCaONLsvSK611Hmw3n3eEr+6WWZOoieR4/QmAdFRV+MH2sJnJTlHl4AGgM Hx9QhQz8yf4L0zu+W0xuTWOA33sn65QkyqUFfskydAyvZGvdj8ClLZeeQlyKp45xi4VuQbfd UTtGK0X7bFN5yqwKIrjioBNm0KdLOikTQvO4873U9urGtLOTFfOgJ7nEJQad44REnlUZhCrh h9bPYDi2/KF+nQ== --7AUc2qLy4jB3hD7Z-- --xgyAXRrhYN0wYx8y Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmxpTwACgkQJkb6MLrK fwijSg/+MKXBacwAG8AlkYcicsabcfA5IzzA7p+eKAI7/4lbC1aAccw8n8ZtPb8B LcDmNAr4gDZTMi0M/rvQQyYjJ6QY14yfU68nSMs1b8UEWW2tkmNS31YB+bO06ytU SpZ1eoKM3gtQ0zPEQad3PftjsHlZR7qnca4+q/+c8S+Azp+uNjCT+UKP0UW0YIFy dihP4jVcHpTb6ZNONBSFy3t5sjjklXmS+bSlLtZ8wxcIhO5tUI7qzoK3CJtPC0dJ S7nHP4ZPX2APx37TYYl5cpZiH0+RVaZkY3bOTsg0BaONlhXga0mtxeIQdO+gnAG8 RGqfpUq1IpcHoyuBUnRlJz8SJNwp0tWGftEdYkGSA7zFQ8rneQZ5Q1QIwCZmpuRO 9h02/TqrvRddmENRSoXKZxV2UJpso2SXSAfnjSjfkWkbC0FwNDvJ40BuQC2lFBbi b/jlxYpndwL1QeAQHkdiHfQzgju9aOjgWrqqFKWusD/xGIfhmGIdAOMLFIAjksiU UozwB0m7GuwQi3H7uTTt/RCXdWIaBj/8qHmzxUN3/mXPpYMkMQ/D6aMWBL8mz4kK CEVEfBl+yRaKs8HGz4c4nE5tQNSDGQCteFiXXPmU2PXwlqQA3QcQjdbOSEVzp3mN 8j69mzNjRDss3Y3FZyOFe6wN/AB2THyojNQehViDFHLSQnxSfhU= =WtS3 -----END PGP SIGNATURE----- --xgyAXRrhYN0wYx8y-- From unknown Tue Aug 19 23:13:56 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#28387] [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes]. References: <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> In-Reply-To: <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 07 Sep 2017 20:03:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28387 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 28387@debbugs.gnu.org Received: via spool by 28387-submit@debbugs.gnu.org id=B28387.150481457922739 (code B ref 28387); Thu, 07 Sep 2017 20:03:02 +0000 Received: (at 28387) by debbugs.gnu.org; 7 Sep 2017 20:02:59 +0000 Received: from localhost ([127.0.0.1]:54730 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq30p-0005uZ-0V for submit@debbugs.gnu.org; Thu, 07 Sep 2017 16:02:59 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:33715) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq30m-0005uR-6i for 28387@debbugs.gnu.org; Thu, 07 Sep 2017 16:02:54 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id F2D5C213B5; Thu, 7 Sep 2017 16:02:51 -0400 (EDT) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Thu, 07 Sep 2017 16:02:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc:x-sasl-enc; s=mesmtp; bh=dfTlZ0t8cEG7K5Jvj9UUZEh3OLH pc3YqQCETz1ledYg=; b=lF5rVJs+0Ao8eYbkbQqFddLjeXYeJpQUSqwbsdUfr29 d33G7tN+1kiSK1dJOYdYQ0EeCcgYhQQUc1d9EPYBWnbAQHGdXbPpB5Rm042cxQJP JknklHTjJ8UPiV+ps5lMNxs6IuUt0jrAYwic72nIN5t5OtyqpDC1A2himjLdW7yE = DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=dfTlZ0 t8cEG7K5Jvj9UUZEh3OLHpc3YqQCETz1ledYg=; b=G/4MW0raeNpKsd0jxMJjap uhHHu0jKBtF+jgoYkgm6WwhzUNmcSmELP7JriJzfjmYmq1GdyjA/QTn67Mn9bWYu noyrU84c7mFeMsW1pOIqqN+WwnT75S9dG1w7ElU0AUg3wW6/ab/AZk16ND0SRX8k 8azJfk32G6fCN9qZzcPte/8PBrVWFvwgTAQ/QYua67vhAbzbxG178qvKCXr0T7K4 W9nrybyd6Jb9hj8PhH3cBsdEGhxVNL9iGP59M35JmyAY5rJpxTEgM2FWhugIj6eg DIxT6T2ATyWnDW+NR2mVQf8bDalXL1evhosqZhnN/f1iOm3Xculn0I2XCp2dybaw == X-ME-Sender: X-Sasl-enc: xTyTFbLeIHXjCrJQ43n8pcMebhzKCGeNXOHmIaWiB4me 1504814571 Received: from jasmine.lan (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id 8B53D7F982 for <28387@debbugs.gnu.org>; Thu, 7 Sep 2017 16:02:51 -0400 (EDT) From: Leo Famulari Date: Thu, 7 Sep 2017 16:02:47 -0400 Message-Id: <885fb40fb489ffda94c549f1ab8aab6379765b5d.1504814554.git.leo@famulari.name> X-Mailer: git-send-email 2.14.1 X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) I messed up the last patch (missing the additional source URL). Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902, 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997, 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010, 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024, 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037, 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050, 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. [source]: Remove patches. * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch, gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 3 - gnu/packages/admin.scm | 14 ++-- gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 -------------- gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 ----------- gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 ----------------------- 5 files changed, 7 insertions(+), 173 deletions(-) delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9df17110b..2f8551076 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1034,9 +1034,6 @@ dist_patch_DATA = \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11541.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11542.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11543.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index f047bcaef..08dcdd68d 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -661,17 +661,17 @@ network statistics collection, security monitoring, network debugging, etc.") (define-public tcpdump (package (name "tcpdump") - (version "4.9.1") + (version "4.9.2") (source (origin (method url-fetch) - (uri (string-append "http://www.tcpdump.org/release/tcpdump-" - version ".tar.gz")) - (patches (search-patches "tcpdump-CVE-2017-11541.patch" - "tcpdump-CVE-2017-11542.patch" - "tcpdump-CVE-2017-11543.patch")) + (uri (list (string-append "http://www.tcpdump.org/release/tcpdump-" + version ".tar.gz") + (string-append "https://sources.archlinux.org/other/" + "packages/tcpdump/tcpdump-" version + ".tar.gz"))) (sha256 (base32 - "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r")))) + "0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr")))) (build-system gnu-build-system) (inputs `(("libpcap" ,libpcap) ("openssl" ,openssl))) diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch deleted file mode 100644 index a9fc632dc..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2017-11541 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 - -From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:40:36 -0800 -Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before - checking for a NUL terminator. - -safeputs() doesn't do packet bounds checking of its own; it assumes that -the caller has checked the availability in the packet data of all maxlen -bytes of data. This means we should check that we're within the -specified limit before looking at the byte. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - tests/TESTLIST | 1 + - tests/hoobr_safeputs.out | 2 ++ - tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes - util-print.c | 2 +- - 4 files changed, 4 insertions(+), 1 deletion(-) - create mode 100644 tests/hoobr_safeputs.out - create mode 100644 tests/hoobr_safeputs.pcap - -diff --git a/util-print.c b/util-print.c -index 394e7d59..ec3e8de8 100644 ---- a/util-print.c -+++ b/util-print.c -@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, - { - u_int idx = 0; - -- while (*s && idx < maxlen) { -+ while (idx < maxlen && *s) { - safeputchar(ndo, *s); - idx++; - s++; --- -2.14.1 - diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch deleted file mode 100644 index 24849d518..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2017-11542: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae - -From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:10:04 -0800 -Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - print-pim.c | 1 + - tests/TESTLIST | 1 + - tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ - tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes - 4 files changed, 27 insertions(+) - create mode 100644 tests/hoobr_pimv1.out - create mode 100644 tests/hoobr_pimv1.pcap - -diff --git a/print-pim.c b/print-pim.c -index 25525953..ed880ae7 100644 ---- a/print-pim.c -+++ b/print-pim.c -@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, - pimv1_join_prune_print(ndo, &bp[8], len - 8); - break; - } -+ ND_TCHECK(bp[4]); - if ((bp[4] >> 4) != 1) - ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); - return; diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch deleted file mode 100644 index c97350398..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch +++ /dev/null @@ -1,79 +0,0 @@ -Fix CVE-2017-11543: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 - -From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Fri, 17 Mar 2017 12:49:04 -0700 -Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. - -Report if it's not, and don't use it as an out-of-bounds index into an -array. - -This fixes a buffer overflow discovered by Wilfried Kirsch. - -Add a test using the capture file supplied by the reporter(s), modified -so the capture file won't be rejected as an invalid capture. ---- - print-sl.c | 25 +++++++++++++++++++++++-- - tests/TESTLIST | 3 +++ - tests/slip-bad-direction.out | 1 + - tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes - 4 files changed, 27 insertions(+), 2 deletions(-) - create mode 100644 tests/slip-bad-direction.out - create mode 100644 tests/slip-bad-direction.pcap - -diff --git a/print-sl.c b/print-sl.c -index 3fd7e898..a02077b3 100644 ---- a/print-sl.c -+++ b/print-sl.c -@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, - u_int hlen; - - dir = p[SLX_DIR]; -- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); -+ switch (dir) { - -+ case SLIPDIR_IN: -+ ND_PRINT((ndo, "I ")); -+ break; -+ -+ case SLIPDIR_OUT: -+ ND_PRINT((ndo, "O ")); -+ break; -+ -+ default: -+ ND_PRINT((ndo, "Invalid direction %d ", dir)); -+ dir = -1; -+ break; -+ } - if (ndo->ndo_nflag) { - /* XXX just dump the header */ - register int i; -@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, - * has restored the IP header copy to IPPROTO_TCP. - */ - lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; -+ ND_PRINT((ndo, "utcp %d: ", lastconn)); -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - hlen = IP_HL(ip); - hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); - lastlen[dir][lastconn] = length - (hlen << 2); -- ND_PRINT((ndo, "utcp %d: ", lastconn)); - break; - - default: -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { - compressed_sl_print(ndo, &p[SLX_CHDR], ip, - length, dir); -- 2.14.1 From unknown Tue Aug 19 23:13:56 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Leo Famulari Subject: bug#28387: closed (Re: [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes].) Message-ID: References: <20170907214503.GA30341@jasmine.lan> <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> X-Gnu-PR-Message: they-closed 28387 X-Gnu-PR-Package: guix-patches X-Gnu-PR-Keywords: patch Reply-To: 28387@debbugs.gnu.org Date: Thu, 07 Sep 2017 21:46:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1504820762-31893-1" This is a multi-part message in MIME format... ------------=_1504820762-31893-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #28387: [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes]. which was filed against the guix-patches package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 28387@debbugs.gnu.org. --=20 28387: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D28387 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1504820762-31893-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 28387-done) by debbugs.gnu.org; 7 Sep 2017 21:45:08 +0000 Received: from localhost ([127.0.0.1]:54805 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq4bj-0008HB-Qi for submit@debbugs.gnu.org; Thu, 07 Sep 2017 17:45:07 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:38335) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq4bg-0008H2-Ss for 28387-done@debbugs.gnu.org; Thu, 07 Sep 2017 17:45:07 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A97F220E79; Thu, 7 Sep 2017 17:45:04 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Thu, 07 Sep 2017 17:45:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=1TrRvQv6fQuVEPulsbJ7gdjcFAnXNjcpJSaMuD hfDTk=; b=izbHm6Cs1yJ+AxuKe7WvER/b+ayHQpDYcK0Th4wJHdqO9t6k64MTNA dSqTpUMmE9z1pY4XDNJTQ+lv5WpRsq4COXzucO4MRhpb70QZlaihOSqP+YaodFSi oE0bXby2AAi9HooEwXKc2mjzy15Hdg31EclRJbjBWKzI+64ZSQBao= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=1TrRvQv6fQuVEPulsb J7gdjcFAnXNjcpJSaMuDhfDTk=; b=NHNTutGEFP4J8sv2lqi3ZAopSIU5zImo9g Yy5DumhH8us1GLdU4smPkq5RAKPSGVHJSlf2fzo7ztzzGlWJ+szcHVsOJymA1on9 xwQWdTgh2Djv87LzQR9hkNRhNkGOev8mKMm9Z8I99oO+zyQvp2I7ZZeEy1wFqBbm L7xJ9o6x/FKQe+QrCxqm4U3df1Rm3AT76NjADw4y2DF535c/sTdzTht3d04z87Zk R6TS9pbgVbO7JtEFMTQWdHCWhlJk9AbU09Dj5xJsTQAlXR8Lkbg72jM70p6zer1v 1B3LL9q98lpcCfZ8Gjem3XgdZ/wcs79x7NDgQWq8GJx6igS2ChHQ== X-ME-Sender: X-Sasl-enc: y5QLessSXMF6+ArGO9nVppw58nSwWyzD65ur8pC3pBWh 1504820704 Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id 5FA4D244BB for <28387-done@debbugs.gnu.org>; Thu, 7 Sep 2017 17:45:04 -0400 (EDT) Date: Thu, 7 Sep 2017 17:45:03 -0400 From: Leo Famulari To: 28387-done@debbugs.gnu.org Subject: Re: [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes]. Message-ID: <20170907214503.GA30341@jasmine.lan> References: <885fb40fb489ffda94c549f1ab8aab6379765b5d.1504814554.git.leo@famulari.name> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="VbJkn9YxBvnuCH5J" Content-Disposition: inline In-Reply-To: <885fb40fb489ffda94c549f1ab8aab6379765b5d.1504814554.git.leo@famulari.name> User-Agent: Mutt/1.8.3 (2017-05-23) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 28387-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 07, 2017 at 04:02:47PM -0400, Leo Famulari wrote: > I messed up the last patch (missing the additional source URL). >=20 > Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,129= 02, > 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,1= 2997, > 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,1= 3010, > 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,1= 3024, > 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,1= 3037, > 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,1= 3050, > 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. >=20 > * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. > [source]: Remove patches. > * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, > gnu/packages/patches/tcpdump-CVE-2017-11542.patch, > gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. > * gnu/local.mk (dist_patch_DATA): Remove them. Pushed as 81635ad03ecb3a51b5248db65919621bde9039f4. --VbJkn9YxBvnuCH5J Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmxvd8ACgkQJkb6MLrK fwiqEg//bcBMXiSrb7OFcmroGOmoWIdg6Q9LTN/thWSOpO/6t7I+dEVrTNlRVFVv ggHktYNZ1HBYuzit4aVMnudvU5ufwgmGyvGp4YJxSiaY/bC0hzccyHCmVR9atpqS NgY19m9Lsjpp8NT8AS11PBrg+iX0YqJaDa31LTO2OwQilurs4XnsZPBeFAHqqzC0 6kcKFCPtUSBHFOAOmj2pCP3GHTgv7ZxqdFpbwaVRjvBfyO6ik2x/6k8dQ61gXK6q Hyw8EUkmPT0eOgRpgEoK0gEmvQBDo1cX2djVgYLawZqqT/5BMyDbS1l0ApnGBrjX cx3CiY8jFsBqJ4O4AHBkpGnh9vVJQu9nEt+IGiQXFdFSOopuCOOoIyK7KknrR6hA SVerlJkSBhSRFqxeoRnjGqW04E/YWAsuVZSTTI0ta0KHNAL8G55T2vUA6+aR82NY KUafrFQic0sDAsVCcuYUNLuzD5DmWN/Lz4Yo759sYrzfV8NNlHHT+s5528u6BLAS 4mcnRwr9P3Ji0RMdUxvAp/eti0pRce04XmKXQlvYOOoFPtUtNhV7IRNAzcu03LkH 8zc8M0ho6SJ2YK5b0BWnVfOrqoloRMXt1qLHHwPqmWvM+kWEZQxsMcYdLViTZxKe PvHvFLGztA1/R4i492/wFNkRVexvf3pZiYtnTtQlhuT152zMiOY= =4Yia -----END PGP SIGNATURE----- --VbJkn9YxBvnuCH5J-- ------------=_1504820762-31893-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 7 Sep 2017 19:56:52 +0000 Received: from localhost ([127.0.0.1]:54713 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq2uu-0003t8-5r for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:52 -0400 Received: from eggs.gnu.org ([208.118.235.92]:40142) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq2up-0003st-Kx for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dq2uf-0007Mv-30 for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:38 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:51164) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dq2ue-0007Mp-VW for submit@debbugs.gnu.org; Thu, 07 Sep 2017 15:56:33 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59297) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dq2uY-0004sn-Og for guix-patches@gnu.org; Thu, 07 Sep 2017 15:56:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dq2uT-0007H1-CZ for guix-patches@gnu.org; Thu, 07 Sep 2017 15:56:26 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40649) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dq2uT-0007Gj-8P for guix-patches@gnu.org; Thu, 07 Sep 2017 15:56:21 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 37D4C21470; Thu, 7 Sep 2017 15:56:20 -0400 (EDT) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Thu, 07 Sep 2017 15:56:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc:x-sasl-enc; s=mesmtp; bh=gH7hH66j6V/5IrPwjvVLiYyMv43 iOmoo+o+l/tCc/xA=; b=qRfEJdYkmXH7joe0dl1sq+BhhNkXPwFQo5xoSQB3qLT Xsd0LiMgpDGFTZ3G9lfSeLAN+NdZpuNsX4U5VrEITIHSQWI1Zk2OXZ9BwxZ9XaTf ysmbczbvD0zLpAxRhvf28byhHe7NYBoaFGHrDlqVlqA3sxnoRyz9ZnKfJsgEJBB8 = DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=gH7hH6 6j6V/5IrPwjvVLiYyMv43iOmoo+o+l/tCc/xA=; b=FU9+DVuH3DQzfEoQcXRThR EUHXoZfppYjy+rp9oTnj1xXTkoxG6lRbA/BBHK/KAL1pjiF8Q63qwqEBANy+B6xk uIVUma5r17bmvlI/1Yyi2Gm6jZfgyuvsBKO7WTcJexuRQ4Dboj4ZLsTLd+EuZxoZ AVkfDSYXtGsQHhy7hdEoWy34zKOVeKY1/Q3PSqsN45PAdgvboeJhUMn4ok+tpGDp copwIH7NtS0xJBF4APG5W2rChOCVAYsT13OTT0NdJw6mqKqDLm1vv8SLlo5ulGWa 49a1sna+SWOsbsDrJul/jqaMV+c/LwXVj02JaIaXpMPKPM8GZU98x7qYNRH+cNtQ == X-ME-Sender: X-Sasl-enc: U+IoTOrScKMx+LG7zHF+/lmdTaOBn3dNXA5oE69KY+Yg 1504814179 Received: from jasmine.lan (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id DBF407F980 for ; Thu, 7 Sep 2017 15:56:19 -0400 (EDT) From: Leo Famulari To: guix-patches@gnu.org Subject: [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes]. Date: Thu, 7 Sep 2017 15:56:15 -0400 Message-Id: <36ba9e7de8581353fb60ba72d687e123f6cfe5ef.1504814010.git.leo@famulari.name> X-Mailer: git-send-email 2.14.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.1 (----) Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902, 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997, 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010, 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024, 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037, 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050, 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. [source]: Remove patches. * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch, gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 3 - gnu/packages/admin.scm | 7 +- gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 -------------- gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 ----------- gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 ----------------------- 5 files changed, 2 insertions(+), 171 deletions(-) delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9df17110b..2f8551076 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1034,9 +1034,6 @@ dist_patch_DATA = \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11541.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11542.patch \ - %D%/packages/patches/tcpdump-CVE-2017-11543.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index f047bcaef..e6d5afe76 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -661,17 +661,14 @@ network statistics collection, security monitoring, network debugging, etc.") (define-public tcpdump (package (name "tcpdump") - (version "4.9.1") + (version "4.9.2") (source (origin (method url-fetch) (uri (string-append "http://www.tcpdump.org/release/tcpdump-" version ".tar.gz")) - (patches (search-patches "tcpdump-CVE-2017-11541.patch" - "tcpdump-CVE-2017-11542.patch" - "tcpdump-CVE-2017-11543.patch")) (sha256 (base32 - "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r")))) + "0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr")))) (build-system gnu-build-system) (inputs `(("libpcap" ,libpcap) ("openssl" ,openssl))) diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch deleted file mode 100644 index a9fc632dc..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2017-11541 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 - -From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:40:36 -0800 -Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before - checking for a NUL terminator. - -safeputs() doesn't do packet bounds checking of its own; it assumes that -the caller has checked the availability in the packet data of all maxlen -bytes of data. This means we should check that we're within the -specified limit before looking at the byte. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - tests/TESTLIST | 1 + - tests/hoobr_safeputs.out | 2 ++ - tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes - util-print.c | 2 +- - 4 files changed, 4 insertions(+), 1 deletion(-) - create mode 100644 tests/hoobr_safeputs.out - create mode 100644 tests/hoobr_safeputs.pcap - -diff --git a/util-print.c b/util-print.c -index 394e7d59..ec3e8de8 100644 ---- a/util-print.c -+++ b/util-print.c -@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, - { - u_int idx = 0; - -- while (*s && idx < maxlen) { -+ while (idx < maxlen && *s) { - safeputchar(ndo, *s); - idx++; - s++; --- -2.14.1 - diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch deleted file mode 100644 index 24849d518..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2017-11542: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae - -From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:10:04 -0800 -Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - print-pim.c | 1 + - tests/TESTLIST | 1 + - tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ - tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes - 4 files changed, 27 insertions(+) - create mode 100644 tests/hoobr_pimv1.out - create mode 100644 tests/hoobr_pimv1.pcap - -diff --git a/print-pim.c b/print-pim.c -index 25525953..ed880ae7 100644 ---- a/print-pim.c -+++ b/print-pim.c -@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, - pimv1_join_prune_print(ndo, &bp[8], len - 8); - break; - } -+ ND_TCHECK(bp[4]); - if ((bp[4] >> 4) != 1) - ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); - return; diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch deleted file mode 100644 index c97350398..000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch +++ /dev/null @@ -1,79 +0,0 @@ -Fix CVE-2017-11543: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 - -From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Fri, 17 Mar 2017 12:49:04 -0700 -Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. - -Report if it's not, and don't use it as an out-of-bounds index into an -array. - -This fixes a buffer overflow discovered by Wilfried Kirsch. - -Add a test using the capture file supplied by the reporter(s), modified -so the capture file won't be rejected as an invalid capture. ---- - print-sl.c | 25 +++++++++++++++++++++++-- - tests/TESTLIST | 3 +++ - tests/slip-bad-direction.out | 1 + - tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes - 4 files changed, 27 insertions(+), 2 deletions(-) - create mode 100644 tests/slip-bad-direction.out - create mode 100644 tests/slip-bad-direction.pcap - -diff --git a/print-sl.c b/print-sl.c -index 3fd7e898..a02077b3 100644 ---- a/print-sl.c -+++ b/print-sl.c -@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, - u_int hlen; - - dir = p[SLX_DIR]; -- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); -+ switch (dir) { - -+ case SLIPDIR_IN: -+ ND_PRINT((ndo, "I ")); -+ break; -+ -+ case SLIPDIR_OUT: -+ ND_PRINT((ndo, "O ")); -+ break; -+ -+ default: -+ ND_PRINT((ndo, "Invalid direction %d ", dir)); -+ dir = -1; -+ break; -+ } - if (ndo->ndo_nflag) { - /* XXX just dump the header */ - register int i; -@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, - * has restored the IP header copy to IPPROTO_TCP. - */ - lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; -+ ND_PRINT((ndo, "utcp %d: ", lastconn)); -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - hlen = IP_HL(ip); - hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); - lastlen[dir][lastconn] = length - (hlen << 2); -- ND_PRINT((ndo, "utcp %d: ", lastconn)); - break; - - default: -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { - compressed_sl_print(ndo, &p[SLX_CHDR], ip, - length, dir); -- 2.14.1 ------------=_1504820762-31893-1-- From unknown Tue Aug 19 23:13:56 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#28387] [PATCH] gnu: tcpdump: Update to 4.9.2 [security fixes]. Resent-From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 08 Sep 2017 12:36:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28387 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 28387@debbugs.gnu.org Cc: leo@famulari.name Received: via spool by 28387-submit@debbugs.gnu.org id=B28387.15048741123436 (code B ref 28387); Fri, 08 Sep 2017 12:36:02 +0000 Received: (at 28387) by debbugs.gnu.org; 8 Sep 2017 12:35:12 +0000 Received: from localhost ([127.0.0.1]:55455 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dqIV6-0000tL-92 for submit@debbugs.gnu.org; Fri, 08 Sep 2017 08:35:12 -0400 Received: from eggs.gnu.org ([208.118.235.92]:55632) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dqIV1-0000t6-Om for 28387@debbugs.gnu.org; Fri, 08 Sep 2017 08:35:10 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dqIUs-0006Am-OQ for 28387@debbugs.gnu.org; Fri, 08 Sep 2017 08:35:02 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:33447) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dqIUn-00066f-5K; Fri, 08 Sep 2017 08:34:53 -0400 Received: from [193.50.110.231] (port=34008 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dqIUm-00042E-JS; Fri, 08 Sep 2017 08:34:52 -0400 From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) References: <885fb40fb489ffda94c549f1ab8aab6379765b5d.1504814554.git.leo@famulari.name> <20170907214503.GA30341@jasmine.lan> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 22 Fructidor an 225 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-unknown-linux-gnu Date: Fri, 08 Sep 2017 14:34:49 +0200 In-Reply-To: <20170907214503.GA30341@jasmine.lan> (Leo Famulari's message of "Thu, 7 Sep 2017 17:45:03 -0400") Message-ID: <87zia5jrme.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Leo Famulari skribis: > On Thu, Sep 07, 2017 at 04:02:47PM -0400, Leo Famulari wrote: >> I messed up the last patch (missing the additional source URL). >>=20 >> Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12= 902, >> 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,= 12997, >> 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,= 13010, >> 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,= 13024, >> 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,= 13037, >> 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,= 13050, >> 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. >>=20 >> * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. >> [source]: Remove patches. >> * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, >> gnu/packages/patches/tcpdump-CVE-2017-11542.patch, >> gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. >> * gnu/local.mk (dist_patch_DATA): Remove them. > > Pushed as 81635ad03ecb3a51b5248db65919621bde9039f4. Great work, thank you! Ludo=E2=80=99.