From 514c2f480643c3481498b4a3ad32d6e6351260ff Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Tue, 5 Sep 2017 12:56:00 -0400 Subject: gnu: tcpdump: Fix CVE-2017-[11541,11542,11543]. * gnu/packages/patches/tcpdump-CVE-2017-11541.patch, gnu/packages/patches/tcpdump-CVE-2017-11542.patch gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/admin.scm (tcpdump)[source]: Use them. --- gnu/local.mk | 3 + gnu/packages/admin.scm | 3 + gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 ++++++++++++++ gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 +++++++++++ gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 +++++++++++++++++++++++ 5 files changed, 169 insertions(+) create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11541.patch create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11542.patch create mode 100644 gnu/packages/patches/tcpdump-CVE-2017-11543.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 643a88db81..edfecc7783 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1031,6 +1031,9 @@ dist_patch_DATA = \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ + %D%/packages/patches/tcpdump-CVE-2017-11541.patch \ + %D%/packages/patches/tcpdump-CVE-2017-11542.patch \ + %D%/packages/patches/tcpdump-CVE-2017-11543.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index ea71de6f57..f047bcaef3 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -666,6 +666,9 @@ network statistics collection, security monitoring, network debugging, etc.") (method url-fetch) (uri (string-append "http://www.tcpdump.org/release/tcpdump-" version ".tar.gz")) + (patches (search-patches "tcpdump-CVE-2017-11541.patch" + "tcpdump-CVE-2017-11542.patch" + "tcpdump-CVE-2017-11543.patch")) (sha256 (base32 "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r")))) diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch new file mode 100644 index 0000000000..a9fc632dc2 --- /dev/null +++ b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch @@ -0,0 +1,47 @@ +Fix CVE-2017-11541 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 + +Patch copied from upstream source repository: + +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 + +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 7 Feb 2017 11:40:36 -0800 +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before + checking for a NUL terminator. + +safeputs() doesn't do packet bounds checking of its own; it assumes that +the caller has checked the availability in the packet data of all maxlen +bytes of data. This means we should check that we're within the +specified limit before looking at the byte. + +This fixes a buffer over-read discovered by Kamil Frankowicz. + +Add a test using the capture file supplied by the reporter(s). +--- + tests/TESTLIST | 1 + + tests/hoobr_safeputs.out | 2 ++ + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes + util-print.c | 2 +- + 4 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 tests/hoobr_safeputs.out + create mode 100644 tests/hoobr_safeputs.pcap + +diff --git a/util-print.c b/util-print.c +index 394e7d59..ec3e8de8 100644 +--- a/util-print.c ++++ b/util-print.c +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, + { + u_int idx = 0; + +- while (*s && idx < maxlen) { ++ while (idx < maxlen && *s) { + safeputchar(ndo, *s); + idx++; + s++; +-- +2.14.1 + diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch new file mode 100644 index 0000000000..24849d5187 --- /dev/null +++ b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch @@ -0,0 +1,37 @@ +Fix CVE-2017-11542: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 + +Patch copied from upstream source repository: + +https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae + +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 7 Feb 2017 11:10:04 -0800 +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. + +This fixes a buffer over-read discovered by Kamil Frankowicz. + +Add a test using the capture file supplied by the reporter(s). +--- + print-pim.c | 1 + + tests/TESTLIST | 1 + + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes + 4 files changed, 27 insertions(+) + create mode 100644 tests/hoobr_pimv1.out + create mode 100644 tests/hoobr_pimv1.pcap + +diff --git a/print-pim.c b/print-pim.c +index 25525953..ed880ae7 100644 +--- a/print-pim.c ++++ b/print-pim.c +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, + pimv1_join_prune_print(ndo, &bp[8], len - 8); + break; + } ++ ND_TCHECK(bp[4]); + if ((bp[4] >> 4) != 1) + ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); + return; diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch new file mode 100644 index 0000000000..c973503983 --- /dev/null +++ b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch @@ -0,0 +1,79 @@ +Fix CVE-2017-11543: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 + +Patch copied from upstream source repository: + +https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 + +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Fri, 17 Mar 2017 12:49:04 -0700 +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid. + +Report if it's not, and don't use it as an out-of-bounds index into an +array. + +This fixes a buffer overflow discovered by Wilfried Kirsch. + +Add a test using the capture file supplied by the reporter(s), modified +so the capture file won't be rejected as an invalid capture. +--- + print-sl.c | 25 +++++++++++++++++++++++-- + tests/TESTLIST | 3 +++ + tests/slip-bad-direction.out | 1 + + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes + 4 files changed, 27 insertions(+), 2 deletions(-) + create mode 100644 tests/slip-bad-direction.out + create mode 100644 tests/slip-bad-direction.pcap + +diff --git a/print-sl.c b/print-sl.c +index 3fd7e898..a02077b3 100644 +--- a/print-sl.c ++++ b/print-sl.c +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, + u_int hlen; + + dir = p[SLX_DIR]; +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); ++ switch (dir) { + ++ case SLIPDIR_IN: ++ ND_PRINT((ndo, "I ")); ++ break; ++ ++ case SLIPDIR_OUT: ++ ND_PRINT((ndo, "O ")); ++ break; ++ ++ default: ++ ND_PRINT((ndo, "Invalid direction %d ", dir)); ++ dir = -1; ++ break; ++ } + if (ndo->ndo_nflag) { + /* XXX just dump the header */ + register int i; +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, + * has restored the IP header copy to IPPROTO_TCP. + */ + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; ++ ND_PRINT((ndo, "utcp %d: ", lastconn)); ++ if (dir == -1) { ++ /* Direction is bogus, don't use it */ ++ return; ++ } + hlen = IP_HL(ip); + hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); + lastlen[dir][lastconn] = length - (hlen << 2); +- ND_PRINT((ndo, "utcp %d: ", lastconn)); + break; + + default: ++ if (dir == -1) { ++ /* Direction is bogus, don't use it */ ++ return; ++ } + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { + compressed_sl_print(ndo, &p[SLX_CHDR], ip, + length, dir); -- cgit 1.4.1