gnu: tcpdump: Update to 4.9.2 [security fixes].

Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902,
12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997,
12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010,
13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024,
13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037,
13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050,
13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}.

* gnu/packages/admin.scm (tcpdump): Update to 4.9.2.
[source]: Remove patches and add alternate source URL.
* gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
gnu/packages/patches/tcpdump-CVE-2017-11542.patch,
gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
Leo Famulari 2017-09-05 14:57:21 -04:00
parent 3b2802f8c4
commit 81635ad03e
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
5 changed files with 10 additions and 173 deletions

View File

@ -1034,9 +1034,6 @@ dist_patch_DATA = \
%D%/packages/patches/tar-skip-unreliable-tests.patch \
%D%/packages/patches/tcl-mkindex-deterministic.patch \
%D%/packages/patches/tclxml-3.2-install.patch \
%D%/packages/patches/tcpdump-CVE-2017-11541.patch \
%D%/packages/patches/tcpdump-CVE-2017-11542.patch \
%D%/packages/patches/tcpdump-CVE-2017-11543.patch \
%D%/packages/patches/tcsh-fix-autotest.patch \
%D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \
%D%/packages/patches/teensy-loader-cli-help.patch \

View File

@ -661,17 +661,20 @@ network statistics collection, security monitoring, network debugging, etc.")
(define-public tcpdump
(package
(name "tcpdump")
(version "4.9.1")
(version "4.9.2")
(source (origin
(method url-fetch)
(uri (string-append "http://www.tcpdump.org/release/tcpdump-"
version ".tar.gz"))
(patches (search-patches "tcpdump-CVE-2017-11541.patch"
"tcpdump-CVE-2017-11542.patch"
"tcpdump-CVE-2017-11543.patch"))
(uri (list (string-append "http://www.tcpdump.org/release/tcpdump-"
version ".tar.gz")
;; The tarball is not yet distributed from tcpdump.org,
;; so we fetch it from Arch. For more information see
;; <https://bugs.gnu.org/28387>.
(string-append "https://sources.archlinux.org/other/"
"packages/tcpdump/tcpdump-" version
".tar.gz")))
(sha256
(base32
"1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
"0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr"))))
(build-system gnu-build-system)
(inputs `(("libpcap" ,libpcap)
("openssl" ,openssl)))

View File

@ -1,47 +0,0 @@
Fix CVE-2017-11541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
Patch copied from upstream source repository:
https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Tue, 7 Feb 2017 11:40:36 -0800
Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
checking for a NUL terminator.
safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data. This means we should check that we're within the
specified limit before looking at the byte.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
---
tests/TESTLIST | 1 +
tests/hoobr_safeputs.out | 2 ++
tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
util-print.c | 2 +-
4 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 tests/hoobr_safeputs.out
create mode 100644 tests/hoobr_safeputs.pcap
diff --git a/util-print.c b/util-print.c
index 394e7d59..ec3e8de8 100644
--- a/util-print.c
+++ b/util-print.c
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
{
u_int idx = 0;
- while (*s && idx < maxlen) {
+ while (idx < maxlen && *s) {
safeputchar(ndo, *s);
idx++;
s++;
--
2.14.1

View File

@ -1,37 +0,0 @@
Fix CVE-2017-11542:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
Patch copied from upstream source repository:
https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Tue, 7 Feb 2017 11:10:04 -0800
Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
---
print-pim.c | 1 +
tests/TESTLIST | 1 +
tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
4 files changed, 27 insertions(+)
create mode 100644 tests/hoobr_pimv1.out
create mode 100644 tests/hoobr_pimv1.pcap
diff --git a/print-pim.c b/print-pim.c
index 25525953..ed880ae7 100644
--- a/print-pim.c
+++ b/print-pim.c
@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
pimv1_join_prune_print(ndo, &bp[8], len - 8);
break;
}
+ ND_TCHECK(bp[4]);
if ((bp[4] >> 4) != 1)
ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
return;

View File

@ -1,79 +0,0 @@
Fix CVE-2017-11543:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
Patch copied from upstream source repository:
https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Fri, 17 Mar 2017 12:49:04 -0700
Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
Report if it's not, and don't use it as an out-of-bounds index into an
array.
This fixes a buffer overflow discovered by Wilfried Kirsch.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
---
print-sl.c | 25 +++++++++++++++++++++++--
tests/TESTLIST | 3 +++
tests/slip-bad-direction.out | 1 +
tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
4 files changed, 27 insertions(+), 2 deletions(-)
create mode 100644 tests/slip-bad-direction.out
create mode 100644 tests/slip-bad-direction.pcap
diff --git a/print-sl.c b/print-sl.c
index 3fd7e898..a02077b3 100644
--- a/print-sl.c
+++ b/print-sl.c
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
u_int hlen;
dir = p[SLX_DIR];
- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
+ switch (dir) {
+ case SLIPDIR_IN:
+ ND_PRINT((ndo, "I "));
+ break;
+
+ case SLIPDIR_OUT:
+ ND_PRINT((ndo, "O "));
+ break;
+
+ default:
+ ND_PRINT((ndo, "Invalid direction %d ", dir));
+ dir = -1;
+ break;
+ }
if (ndo->ndo_nflag) {
/* XXX just dump the header */
register int i;
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
* has restored the IP header copy to IPPROTO_TCP.
*/
lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
+ ND_PRINT((ndo, "utcp %d: ", lastconn));
+ if (dir == -1) {
+ /* Direction is bogus, don't use it */
+ return;
+ }
hlen = IP_HL(ip);
hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
- ND_PRINT((ndo, "utcp %d: ", lastconn));
break;
default:
+ if (dir == -1) {
+ /* Direction is bogus, don't use it */
+ return;
+ }
if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
compressed_sl_print(ndo, &p[SLX_CHDR], ip,
length, dir);