From 81635ad03ecb3a51b5248db65919621bde9039f4 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Tue, 5 Sep 2017 14:57:21 -0400 Subject: gnu: tcpdump: Update to 4.9.2 [security fixes]. Fixes CVE-2017-{12893,12894,12895,12896,12897,12898,12899,12900,12901,12902, 12985,12986,12987,12988,12989,12990,12991,12992,12993,12994,12995,12996,12997, 12998,12999,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010, 13012,13013,13014,13015,13016,13017,13018,13019,13020,13021,13022,13023,13024, 13025,13026,13027,13028,13029,13030,13031,13032,13033,13034,13035,13036,13037, 13038,13039,13040,13041,13042,13043,13044,13045,13046,13047,13048,13049,13050, 13051,13052,13053,13054,13055,13687,13688,13689,13690,13725}. * gnu/packages/admin.scm (tcpdump): Update to 4.9.2. [source]: Remove patches and add alternate source URL. * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch, gnu/packages/patches/tcpdump-CVE-2017-11543.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 -------------- gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 ----------- gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 ----------------------- 3 files changed, 163 deletions(-) delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch delete mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch deleted file mode 100644 index a9fc632dc2..0000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2017-11541 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 - -From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:40:36 -0800 -Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before - checking for a NUL terminator. - -safeputs() doesn't do packet bounds checking of its own; it assumes that -the caller has checked the availability in the packet data of all maxlen -bytes of data. This means we should check that we're within the -specified limit before looking at the byte. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - tests/TESTLIST | 1 + - tests/hoobr_safeputs.out | 2 ++ - tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes - util-print.c | 2 +- - 4 files changed, 4 insertions(+), 1 deletion(-) - create mode 100644 tests/hoobr_safeputs.out - create mode 100644 tests/hoobr_safeputs.pcap - -diff --git a/util-print.c b/util-print.c -index 394e7d59..ec3e8de8 100644 ---- a/util-print.c -+++ b/util-print.c -@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, - { - u_int idx = 0; - -- while (*s && idx < maxlen) { -+ while (idx < maxlen && *s) { - safeputchar(ndo, *s); - idx++; - s++; --- -2.14.1 - diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch deleted file mode 100644 index 24849d5187..0000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2017-11542: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae - -From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 7 Feb 2017 11:10:04 -0800 -Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. - -This fixes a buffer over-read discovered by Kamil Frankowicz. - -Add a test using the capture file supplied by the reporter(s). ---- - print-pim.c | 1 + - tests/TESTLIST | 1 + - tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ - tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes - 4 files changed, 27 insertions(+) - create mode 100644 tests/hoobr_pimv1.out - create mode 100644 tests/hoobr_pimv1.pcap - -diff --git a/print-pim.c b/print-pim.c -index 25525953..ed880ae7 100644 ---- a/print-pim.c -+++ b/print-pim.c -@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, - pimv1_join_prune_print(ndo, &bp[8], len - 8); - break; - } -+ ND_TCHECK(bp[4]); - if ((bp[4] >> 4) != 1) - ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); - return; diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch deleted file mode 100644 index c973503983..0000000000 --- a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch +++ /dev/null @@ -1,79 +0,0 @@ -Fix CVE-2017-11543: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 - -Patch copied from upstream source repository: - -https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 - -From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Fri, 17 Mar 2017 12:49:04 -0700 -Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. - -Report if it's not, and don't use it as an out-of-bounds index into an -array. - -This fixes a buffer overflow discovered by Wilfried Kirsch. - -Add a test using the capture file supplied by the reporter(s), modified -so the capture file won't be rejected as an invalid capture. ---- - print-sl.c | 25 +++++++++++++++++++++++-- - tests/TESTLIST | 3 +++ - tests/slip-bad-direction.out | 1 + - tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes - 4 files changed, 27 insertions(+), 2 deletions(-) - create mode 100644 tests/slip-bad-direction.out - create mode 100644 tests/slip-bad-direction.pcap - -diff --git a/print-sl.c b/print-sl.c -index 3fd7e898..a02077b3 100644 ---- a/print-sl.c -+++ b/print-sl.c -@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, - u_int hlen; - - dir = p[SLX_DIR]; -- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); -+ switch (dir) { - -+ case SLIPDIR_IN: -+ ND_PRINT((ndo, "I ")); -+ break; -+ -+ case SLIPDIR_OUT: -+ ND_PRINT((ndo, "O ")); -+ break; -+ -+ default: -+ ND_PRINT((ndo, "Invalid direction %d ", dir)); -+ dir = -1; -+ break; -+ } - if (ndo->ndo_nflag) { - /* XXX just dump the header */ - register int i; -@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, - * has restored the IP header copy to IPPROTO_TCP. - */ - lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; -+ ND_PRINT((ndo, "utcp %d: ", lastconn)); -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - hlen = IP_HL(ip); - hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); - lastlen[dir][lastconn] = length - (hlen << 2); -- ND_PRINT((ndo, "utcp %d: ", lastconn)); - break; - - default: -+ if (dir == -1) { -+ /* Direction is bogus, don't use it */ -+ return; -+ } - if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { - compressed_sl_print(ndo, &p[SLX_CHDR], ip, - length, dir); -- cgit 1.4.1