gnu: tcpdump: Update to 4.9.2 [security fixes].
Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902, 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997, 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010, 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024, 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037, 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050, 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. [source]: Remove patches and add alternate source URL. * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch, gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
parent
3b2802f8c4
commit
81635ad03e
|
@ -1034,9 +1034,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/tar-skip-unreliable-tests.patch \
|
||||
%D%/packages/patches/tcl-mkindex-deterministic.patch \
|
||||
%D%/packages/patches/tclxml-3.2-install.patch \
|
||||
%D%/packages/patches/tcpdump-CVE-2017-11541.patch \
|
||||
%D%/packages/patches/tcpdump-CVE-2017-11542.patch \
|
||||
%D%/packages/patches/tcpdump-CVE-2017-11543.patch \
|
||||
%D%/packages/patches/tcsh-fix-autotest.patch \
|
||||
%D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \
|
||||
%D%/packages/patches/teensy-loader-cli-help.patch \
|
||||
|
|
|
@ -661,17 +661,20 @@ network statistics collection, security monitoring, network debugging, etc.")
|
|||
(define-public tcpdump
|
||||
(package
|
||||
(name "tcpdump")
|
||||
(version "4.9.1")
|
||||
(version "4.9.2")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "http://www.tcpdump.org/release/tcpdump-"
|
||||
version ".tar.gz"))
|
||||
(patches (search-patches "tcpdump-CVE-2017-11541.patch"
|
||||
"tcpdump-CVE-2017-11542.patch"
|
||||
"tcpdump-CVE-2017-11543.patch"))
|
||||
(uri (list (string-append "http://www.tcpdump.org/release/tcpdump-"
|
||||
version ".tar.gz")
|
||||
;; The tarball is not yet distributed from tcpdump.org,
|
||||
;; so we fetch it from Arch. For more information see
|
||||
;; <https://bugs.gnu.org/28387>.
|
||||
(string-append "https://sources.archlinux.org/other/"
|
||||
"packages/tcpdump/tcpdump-" version
|
||||
".tar.gz")))
|
||||
(sha256
|
||||
(base32
|
||||
"1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
|
||||
"0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr"))))
|
||||
(build-system gnu-build-system)
|
||||
(inputs `(("libpcap" ,libpcap)
|
||||
("openssl" ,openssl)))
|
||||
|
|
|
@ -1,47 +0,0 @@
|
|||
Fix CVE-2017-11541
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
|
||||
|
||||
From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
|
||||
From: Guy Harris <guy@alum.mit.edu>
|
||||
Date: Tue, 7 Feb 2017 11:40:36 -0800
|
||||
Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
|
||||
checking for a NUL terminator.
|
||||
|
||||
safeputs() doesn't do packet bounds checking of its own; it assumes that
|
||||
the caller has checked the availability in the packet data of all maxlen
|
||||
bytes of data. This means we should check that we're within the
|
||||
specified limit before looking at the byte.
|
||||
|
||||
This fixes a buffer over-read discovered by Kamil Frankowicz.
|
||||
|
||||
Add a test using the capture file supplied by the reporter(s).
|
||||
---
|
||||
tests/TESTLIST | 1 +
|
||||
tests/hoobr_safeputs.out | 2 ++
|
||||
tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
|
||||
util-print.c | 2 +-
|
||||
4 files changed, 4 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/hoobr_safeputs.out
|
||||
create mode 100644 tests/hoobr_safeputs.pcap
|
||||
|
||||
diff --git a/util-print.c b/util-print.c
|
||||
index 394e7d59..ec3e8de8 100644
|
||||
--- a/util-print.c
|
||||
+++ b/util-print.c
|
||||
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
|
||||
{
|
||||
u_int idx = 0;
|
||||
|
||||
- while (*s && idx < maxlen) {
|
||||
+ while (idx < maxlen && *s) {
|
||||
safeputchar(ndo, *s);
|
||||
idx++;
|
||||
s++;
|
||||
--
|
||||
2.14.1
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
Fix CVE-2017-11542:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
|
||||
|
||||
From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
|
||||
From: Guy Harris <guy@alum.mit.edu>
|
||||
Date: Tue, 7 Feb 2017 11:10:04 -0800
|
||||
Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
|
||||
|
||||
This fixes a buffer over-read discovered by Kamil Frankowicz.
|
||||
|
||||
Add a test using the capture file supplied by the reporter(s).
|
||||
---
|
||||
print-pim.c | 1 +
|
||||
tests/TESTLIST | 1 +
|
||||
tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
|
||||
tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
|
||||
4 files changed, 27 insertions(+)
|
||||
create mode 100644 tests/hoobr_pimv1.out
|
||||
create mode 100644 tests/hoobr_pimv1.pcap
|
||||
|
||||
diff --git a/print-pim.c b/print-pim.c
|
||||
index 25525953..ed880ae7 100644
|
||||
--- a/print-pim.c
|
||||
+++ b/print-pim.c
|
||||
@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
|
||||
pimv1_join_prune_print(ndo, &bp[8], len - 8);
|
||||
break;
|
||||
}
|
||||
+ ND_TCHECK(bp[4]);
|
||||
if ((bp[4] >> 4) != 1)
|
||||
ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
|
||||
return;
|
|
@ -1,79 +0,0 @@
|
|||
Fix CVE-2017-11543:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
|
||||
|
||||
From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
|
||||
From: Guy Harris <guy@alum.mit.edu>
|
||||
Date: Fri, 17 Mar 2017 12:49:04 -0700
|
||||
Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
|
||||
|
||||
Report if it's not, and don't use it as an out-of-bounds index into an
|
||||
array.
|
||||
|
||||
This fixes a buffer overflow discovered by Wilfried Kirsch.
|
||||
|
||||
Add a test using the capture file supplied by the reporter(s), modified
|
||||
so the capture file won't be rejected as an invalid capture.
|
||||
---
|
||||
print-sl.c | 25 +++++++++++++++++++++++--
|
||||
tests/TESTLIST | 3 +++
|
||||
tests/slip-bad-direction.out | 1 +
|
||||
tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
|
||||
4 files changed, 27 insertions(+), 2 deletions(-)
|
||||
create mode 100644 tests/slip-bad-direction.out
|
||||
create mode 100644 tests/slip-bad-direction.pcap
|
||||
|
||||
diff --git a/print-sl.c b/print-sl.c
|
||||
index 3fd7e898..a02077b3 100644
|
||||
--- a/print-sl.c
|
||||
+++ b/print-sl.c
|
||||
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
|
||||
u_int hlen;
|
||||
|
||||
dir = p[SLX_DIR];
|
||||
- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
|
||||
+ switch (dir) {
|
||||
|
||||
+ case SLIPDIR_IN:
|
||||
+ ND_PRINT((ndo, "I "));
|
||||
+ break;
|
||||
+
|
||||
+ case SLIPDIR_OUT:
|
||||
+ ND_PRINT((ndo, "O "));
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ ND_PRINT((ndo, "Invalid direction %d ", dir));
|
||||
+ dir = -1;
|
||||
+ break;
|
||||
+ }
|
||||
if (ndo->ndo_nflag) {
|
||||
/* XXX just dump the header */
|
||||
register int i;
|
||||
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
|
||||
* has restored the IP header copy to IPPROTO_TCP.
|
||||
*/
|
||||
lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
|
||||
+ ND_PRINT((ndo, "utcp %d: ", lastconn));
|
||||
+ if (dir == -1) {
|
||||
+ /* Direction is bogus, don't use it */
|
||||
+ return;
|
||||
+ }
|
||||
hlen = IP_HL(ip);
|
||||
hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
|
||||
lastlen[dir][lastconn] = length - (hlen << 2);
|
||||
- ND_PRINT((ndo, "utcp %d: ", lastconn));
|
||||
break;
|
||||
|
||||
default:
|
||||
+ if (dir == -1) {
|
||||
+ /* Direction is bogus, don't use it */
|
||||
+ return;
|
||||
+ }
|
||||
if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
|
||||
compressed_sl_print(ndo, &p[SLX_CHDR], ip,
|
||||
length, dir);
|
Loading…
Reference in New Issue