
gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].

* gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
gnu/packages/patches/tcpdump-CVE-2017-11542.patch
gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/admin.scm (tcpdump)[source]: Use them.
gn-latest-20200428
Leo Famulari 3 years ago
parent commit: 514c2f4806
No known key found for this signature in database GPG Key ID: 2646FA30BACA7F08
5 changed files with 169 additions and 0 deletions
  1. +3 -0 gnu/local.mk
  2. +3 -0 gnu/packages/admin.scm
  3. +47 -0 gnu/packages/patches/tcpdump-CVE-2017-11541.patch
  4. +37 -0 gnu/packages/patches/tcpdump-CVE-2017-11542.patch
  5. +79 -0 gnu/packages/patches/tcpdump-CVE-2017-11543.patch

+3 -0 gnu/local.mk

@@ -1031,6 +1031,9 @@ dist_patch_DATA = \
%D%/packages/patches/tar-skip-unreliable-tests.patch \
%D%/packages/patches/tcl-mkindex-deterministic.patch \
%D%/packages/patches/tclxml-3.2-install.patch \
%D%/packages/patches/tcpdump-CVE-2017-11541.patch \
%D%/packages/patches/tcpdump-CVE-2017-11542.patch \
%D%/packages/patches/tcpdump-CVE-2017-11543.patch \
%D%/packages/patches/tcsh-fix-autotest.patch \
%D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \
%D%/packages/patches/teensy-loader-cli-help.patch \


+3 -0 gnu/packages/admin.scm

@@ -666,6 +666,9 @@ network statistics collection, security monitoring, network debugging, etc.")
(method url-fetch)
(uri (string-append "http://www.tcpdump.org/release/tcpdump-"
version ".tar.gz"))
(patches (search-patches "tcpdump-CVE-2017-11541.patch"
"tcpdump-CVE-2017-11542.patch"
"tcpdump-CVE-2017-11543.patch"))
(sha256
(base32
"1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
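Review bot: the three search-patches entries match the three CVEs named in the commit message, and the base32 sha256 is correctly left unchanged, since Guix verifies the downloaded tarball before applying patches. One thing to keep in mind from the unchanged context: the release is fetched over plain http, so that sha256 is the only integrity check on the tarball; nothing to change in this hunk, but it is the reason the hash must never be loosened when bumping versions.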


+47 -0 gnu/packages/patches/tcpdump-CVE-2017-11541.patch

@@ -0,0 +1,47 @@
Fix CVE-2017-11541

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541

Patch copied from upstream source repository:

https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280

From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Tue, 7 Feb 2017 11:40:36 -0800
Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
checking for a NUL terminator.

safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data. This means we should check that we're within the
specified limit before looking at the byte.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
---
tests/TESTLIST | 1 +
tests/hoobr_safeputs.out | 2 ++
tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
util-print.c | 2 +-
4 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 tests/hoobr_safeputs.out
create mode 100644 tests/hoobr_safeputs.pcap

diff --git a/util-print.c b/util-print.c
index 394e7d59..ec3e8de8 100644
--- a/util-print.c
+++ b/util-print.c
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
{
u_int idx = 0;
- while (*s && idx < maxlen) {
+ while (idx < maxlen && *s) {
safeputchar(ndo, *s);
idx++;
s++;
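Review bot: the operand swap is the whole fix, and it is correct: with `idx < maxlen` evaluated first, `*s` is never dereferenced once idx reaches maxlen, so a string that fills the caller-checked region without a NUL no longer reads one byte past it; as the commit message says, this still relies on the caller having verified all maxlen bytes. A smaller point: the diffstat above lists tests/TESTLIST, tests/hoobr_safeputs.out and tests/hoobr_safeputs.pcap, but only the util-print.c hunk is carried in this Guix patch file, so the header overstates what the patch applies. Trimming the diffstat, or adding a one-line note that the test files were intentionally dropped, would avoid confusion when someone compares against upstream.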
--
2.14.1


+37 -0 gnu/packages/patches/tcpdump-CVE-2017-11542.patch

@@ -0,0 +1,37 @@
Fix CVE-2017-11542:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542

Patch copied from upstream source repository:

https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae

From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Tue, 7 Feb 2017 11:10:04 -0800
Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
---
print-pim.c | 1 +
tests/TESTLIST | 1 +
tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
4 files changed, 27 insertions(+)
create mode 100644 tests/hoobr_pimv1.out
create mode 100644 tests/hoobr_pimv1.pcap

diff --git a/print-pim.c b/print-pim.c
index 25525953..ed880ae7 100644
--- a/print-pim.c
+++ b/print-pim.c
@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
pimv1_join_prune_print(ndo, &bp[8], len - 8);
break;
}
+ ND_TCHECK(bp[4]);
if ((bp[4] >> 4) != 1)
ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
return;
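Review bot: `ND_TCHECK(bp[4]);` is placed immediately before the first read of bp[4] after the switch, which is the right spot for the bounds check. ND_TCHECK jumps to a `trunc:` label when the byte is not within the captured data, and that label lies outside this hunk's context, so confirm that pimv1_print in the packaged tcpdump release already defines it; the patch would not compile otherwise. Also, the diffstat claims 27 insertions across four files while only this one-line print-pim.c hunk is included, so the header should be trimmed or annotated to say the test capture and expected output were left out.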

+79 -0 gnu/packages/patches/tcpdump-CVE-2017-11543.patch

@@ -0,0 +1,79 @@
Fix CVE-2017-11543:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543

Patch copied from upstream source repository:

https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3

From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Fri, 17 Mar 2017 12:49:04 -0700
Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.

Report if it's not, and don't use it as an out-of-bounds index into an
array.

This fixes a buffer overflow discovered by Wilfried Kirsch.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
---
print-sl.c | 25 +++++++++++++++++++++++--
tests/TESTLIST | 3 +++
tests/slip-bad-direction.out | 1 +
tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
4 files changed, 27 insertions(+), 2 deletions(-)
create mode 100644 tests/slip-bad-direction.out
create mode 100644 tests/slip-bad-direction.pcap

diff --git a/print-sl.c b/print-sl.c
index 3fd7e898..a02077b3 100644
--- a/print-sl.c
+++ b/print-sl.c
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
u_int hlen;
dir = p[SLX_DIR];
- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
+ switch (dir) {
+ case SLIPDIR_IN:
+ ND_PRINT((ndo, "I "));
+ break;
+
+ case SLIPDIR_OUT:
+ ND_PRINT((ndo, "O "));
+ break;
+
+ default:
+ ND_PRINT((ndo, "Invalid direction %d ", dir));
+ dir = -1;
+ break;
+ }
if (ndo->ndo_nflag) {
/* XXX just dump the header */
register int i;
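Review bot: the default arm assigns `dir = -1;` and prints it with `%d`, which assumes `dir` is a signed int; its declaration sits just above the visible context (only `u_int hlen;` is shown), so check that it is not `u_int`, otherwise the `-1` sentinel still compares equal after the usual conversions but the "Invalid direction" message would print the unsigned wrap-around value. Note also that after reporting an invalid direction the function does not return here but continues into the `ndo_nflag` branch; per the `XXX just dump the header` comment that path should only dump raw bytes and not index by dir, but the loop body is outside the hunk, so worth confirming.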
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
* has restored the IP header copy to IPPROTO_TCP.
*/
lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
+ ND_PRINT((ndo, "utcp %d: ", lastconn));
+ if (dir == -1) {
+ /* Direction is bogus, don't use it */
+ return;
+ }
hlen = IP_HL(ip);
hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
- ND_PRINT((ndo, "utcp %d: ", lastconn));
break;
default:
+ if (dir == -1) {
+ /* Direction is bogus, don't use it */
+ return;
+ }
if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
compressed_sl_print(ndo, &p[SLX_CHDR], ip,
length, dir);
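Review bot: the `lastlen[dir][lastconn]` store is now preceded by the `dir == -1` early return, which is exactly the out-of-bounds index the commit message describes, and moving `ND_PRINT((ndo, "utcp %d: ", lastconn));` ahead of that return keeps the output for valid traffic unchanged while still reporting the connection number for a bogus direction. The early `return` bypasses the `break` and anything that follows the switch, so confirm nothing after the switch (not visible here) is required on every path. The two identical guards could be hoisted into one check before the switch, but that would alter the print order in the utcp case; a brief comment stating that the duplication is deliberate would help the next reader.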
