gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].

* gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/admin.scm (tcpdump)[source]: Use them.
2017-09-05 12:56:00 -04:00 · 2017-09-05 12:56:00 -04:00 · 514c2f4806
parent 0cae36b5e5
commit 514c2f4806
5 changed files with 169 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1031,6 +1031,9 @@ dist_patch_DATA =						\
  %D%/packages/patches/tar-skip-unreliable-tests.patch		\
  %D%/packages/patches/tcl-mkindex-deterministic.patch		\
  %D%/packages/patches/tclxml-3.2-install.patch			\
  %D%/packages/patches/tcpdump-CVE-2017-11541.patch		\
  %D%/packages/patches/tcpdump-CVE-2017-11542.patch		\
  %D%/packages/patches/tcpdump-CVE-2017-11543.patch		\
  %D%/packages/patches/tcsh-fix-autotest.patch			\
  %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
  %D%/packages/patches/teensy-loader-cli-help.patch		\
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@ -666,6 +666,9 @@ network statistics collection, security monitoring, network debugging, etc.")
              (method url-fetch)
              (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
                                  version ".tar.gz"))
              (patches (search-patches "tcpdump-CVE-2017-11541.patch"
                                       "tcpdump-CVE-2017-11542.patch"
                                       "tcpdump-CVE-2017-11543.patch"))
              (sha256
               (base32
                "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
--- a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
@ -0,0 +1,47 @@
 Fix CVE-2017-11541
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
 Patch copied from upstream source repository:
 https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
 From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
 From: Guy Harris <guy@alum.mit.edu>
 Date: Tue, 7 Feb 2017 11:40:36 -0800
 Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
 checking for a NUL terminator.
 safeputs() doesn't do packet bounds checking of its own; it assumes that
 the caller has checked the availability in the packet data of all maxlen
 bytes of data.  This means we should check that we're within the
 specified limit before looking at the byte.
 This fixes a buffer over-read discovered by Kamil Frankowicz.
 Add a test using the capture file supplied by the reporter(s).
 ---
 tests/TESTLIST            |   1 +
 tests/hoobr_safeputs.out  |   2 ++
 tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
 util-print.c              |   2 +-
 4 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 tests/hoobr_safeputs.out
 create mode 100644 tests/hoobr_safeputs.pcap
 diff --git a/util-print.c b/util-print.c
 index 394e7d59..ec3e8de8 100644
 --- a/util-print.c
 +++ b/util-print.c
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
 {
 	u_int idx = 0;
 -	while (*s && idx < maxlen) {
 +	while (idx < maxlen && *s) {
 		safeputchar(ndo, *s);
 		idx++;
 		s++;
 -- 
 2.14.1
--- a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch
@ -0,0 +1,37 @@
 Fix CVE-2017-11542:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
 Patch copied from upstream source repository:
 https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
 From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
 From: Guy Harris <guy@alum.mit.edu>
 Date: Tue, 7 Feb 2017 11:10:04 -0800
 Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
 This fixes a buffer over-read discovered by Kamil Frankowicz.
 Add a test using the capture file supplied by the reporter(s).
 ---
 print-pim.c            |   1 +
 tests/TESTLIST         |   1 +
 tests/hoobr_pimv1.out  |  25 +++++++++++++++++++++++++
 tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
 4 files changed, 27 insertions(+)
 create mode 100644 tests/hoobr_pimv1.out
 create mode 100644 tests/hoobr_pimv1.pcap
 diff --git a/print-pim.c b/print-pim.c
 index 25525953..ed880ae7 100644
 --- a/print-pim.c
 +++ b/print-pim.c
@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
 			pimv1_join_prune_print(ndo, &bp[8], len - 8);
 		break;
 	}
 +	ND_TCHECK(bp[4]);
 	if ((bp[4] >> 4) != 1)
 		ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
 	return;
--- a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
@ -0,0 +1,79 @@
 Fix CVE-2017-11543:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
 Patch copied from upstream source repository:
 https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
 From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
 From: Guy Harris <guy@alum.mit.edu>
 Date: Fri, 17 Mar 2017 12:49:04 -0700
 Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
 Report if it's not, and don't use it as an out-of-bounds index into an
 array.
 This fixes a buffer overflow discovered by Wilfried Kirsch.
 Add a test using the capture file supplied by the reporter(s), modified
 so the capture file won't be rejected as an invalid capture.
 ---
 print-sl.c                    |  25 +++++++++++++++++++++++--
 tests/TESTLIST                |   3 +++
 tests/slip-bad-direction.out  |   1 +
 tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
 4 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 tests/slip-bad-direction.out
 create mode 100644 tests/slip-bad-direction.pcap
 diff --git a/print-sl.c b/print-sl.c
 index 3fd7e898..a02077b3 100644
 --- a/print-sl.c
 +++ b/print-sl.c
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
 	u_int hlen;
 	dir = p[SLX_DIR];
 -	ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
 +	switch (dir) {
 +	case SLIPDIR_IN:
 +		ND_PRINT((ndo, "I "));
 +		break;
 +
 +	case SLIPDIR_OUT:
 +		ND_PRINT((ndo, "O "));
 +		break;
 +
 +	default:
 +		ND_PRINT((ndo, "Invalid direction %d ", dir));
 +		dir = -1;
 +		break;
 +	}
 	if (ndo->ndo_nflag) {
 		/* XXX just dump the header */
 		register int i;
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
 		 * has restored the IP header copy to IPPROTO_TCP.
 		 */
 		lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
 +		ND_PRINT((ndo, "utcp %d: ", lastconn));
 +		if (dir == -1) {
 +			/* Direction is bogus, don't use it */
 +			return;
 +		}
 		hlen = IP_HL(ip);
 		hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
 		lastlen[dir][lastconn] = length - (hlen << 2);
 -		ND_PRINT((ndo, "utcp %d: ", lastconn));
 		break;
 	default:
 +		if (dir == -1) {
 +			/* Direction is bogus, don't use it */
 +			return;
 +		}
 		if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
 			compressed_sl_print(ndo, &p[SLX_CHDR], ip,
 			    length, dir);