guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].


From: Leo Famulari
Subject: 01/01: gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].
Date: Tue, 5 Sep 2017 14:54:29 -0400 (EDT)

lfam pushed a commit to branch master
in repository guix.

commit 514c2f480643c3481498b4a3ad32d6e6351260ff
Author: Leo Famulari <address@hidden>
Date:   Tue Sep 5 12:56:00 2017 -0400

    gnu: tcpdump: Fix CVE-2017-[11541,11542,11543].
    
    * gnu/packages/patches/tcpdump-CVE-2017-11541.patch,
    gnu/packages/patches/tcpdump-CVE-2017-11542.patch
    gnu/packages/patches/tcpdump-CVE-2017-11543.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/admin.scm (tcpdump)[source]: Use them.
---
 gnu/local.mk                                      |  3 +
 gnu/packages/admin.scm                            |  3 +
 gnu/packages/patches/tcpdump-CVE-2017-11541.patch | 47 ++++++++++++++
 gnu/packages/patches/tcpdump-CVE-2017-11542.patch | 37 +++++++++++
 gnu/packages/patches/tcpdump-CVE-2017-11543.patch | 79 +++++++++++++++++++++++
 5 files changed, 169 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 643a88d..edfecc7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1031,6 +1031,9 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/tar-skip-unreliable-tests.patch         \
   %D%/packages/patches/tcl-mkindex-deterministic.patch         \
   %D%/packages/patches/tclxml-3.2-install.patch                        \
+  %D%/packages/patches/tcpdump-CVE-2017-11541.patch            \
+  %D%/packages/patches/tcpdump-CVE-2017-11542.patch            \
+  %D%/packages/patches/tcpdump-CVE-2017-11543.patch            \
   %D%/packages/patches/tcsh-fix-autotest.patch                 \
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch       \
   %D%/packages/patches/teensy-loader-cli-help.patch            \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index ea71de6..f047bca 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -666,6 +666,9 @@ network statistics collection, security monitoring, network 
debugging, etc.")
               (method url-fetch)
               (uri (string-append "http://www.tcpdump.org/release/tcpdump-";
                                   version ".tar.gz"))
+              (patches (search-patches "tcpdump-CVE-2017-11541.patch"
+                                       "tcpdump-CVE-2017-11542.patch"
+                                       "tcpdump-CVE-2017-11543.patch"))
               (sha256
                (base32
                 "1wyqbg7bkmgqyslf1ns0xx9fcqi66hvcfm9nf77rl15jvvs8qi7r"))))
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11541.patch 
b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
new file mode 100644
index 0000000..a9fc632
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11541.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-11541
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
+
+From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
+From: Guy Harris <address@hidden>
+Date: Tue, 7 Feb 2017 11:40:36 -0800
+Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
+ checking for a NUL terminator.
+
+safeputs() doesn't do packet bounds checking of its own; it assumes that
+the caller has checked the availability in the packet data of all maxlen
+bytes of data.  This means we should check that we're within the
+specified limit before looking at the byte.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+---
+ tests/TESTLIST            |   1 +
+ tests/hoobr_safeputs.out  |   2 ++
+ tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
+ util-print.c              |   2 +-
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 tests/hoobr_safeputs.out
+ create mode 100644 tests/hoobr_safeputs.pcap
+
+diff --git a/util-print.c b/util-print.c
+index 394e7d59..ec3e8de8 100644
+--- a/util-print.c
++++ b/util-print.c
+@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
+ {
+       u_int idx = 0;
+ 
+-      while (*s && idx < maxlen) {
++      while (idx < maxlen && *s) {
+               safeputchar(ndo, *s);
+               idx++;
+               s++;
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11542.patch 
b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch
new file mode 100644
index 0000000..24849d5
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11542.patch
@@ -0,0 +1,37 @@
+Fix CVE-2017-11542:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
+
+From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
+From: Guy Harris <address@hidden>
+Date: Tue, 7 Feb 2017 11:10:04 -0800
+Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+---
+ print-pim.c            |   1 +
+ tests/TESTLIST         |   1 +
+ tests/hoobr_pimv1.out  |  25 +++++++++++++++++++++++++
+ tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
+ 4 files changed, 27 insertions(+)
+ create mode 100644 tests/hoobr_pimv1.out
+ create mode 100644 tests/hoobr_pimv1.pcap
+
+diff --git a/print-pim.c b/print-pim.c
+index 25525953..ed880ae7 100644
+--- a/print-pim.c
++++ b/print-pim.c
+@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
+                       pimv1_join_prune_print(ndo, &bp[8], len - 8);
+               break;
+       }
++      ND_TCHECK(bp[4]);
+       if ((bp[4] >> 4) != 1)
+               ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
+       return;
diff --git a/gnu/packages/patches/tcpdump-CVE-2017-11543.patch 
b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
new file mode 100644
index 0000000..c973503
--- /dev/null
+++ b/gnu/packages/patches/tcpdump-CVE-2017-11543.patch
@@ -0,0 +1,79 @@
+Fix CVE-2017-11543:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
+
+Patch copied from upstream source repository:
+
+https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
+
+From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
+From: Guy Harris <address@hidden>
+Date: Fri, 17 Mar 2017 12:49:04 -0700
+Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
+
+Report if it's not, and don't use it as an out-of-bounds index into an
+array.
+
+This fixes a buffer overflow discovered by Wilfried Kirsch.
+
+Add a test using the capture file supplied by the reporter(s), modified
+so the capture file won't be rejected as an invalid capture.
+---
+ print-sl.c                    |  25 +++++++++++++++++++++++--
+ tests/TESTLIST                |   3 +++
+ tests/slip-bad-direction.out  |   1 +
+ tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100644 tests/slip-bad-direction.out
+ create mode 100644 tests/slip-bad-direction.pcap
+
+diff --git a/print-sl.c b/print-sl.c
+index 3fd7e898..a02077b3 100644
+--- a/print-sl.c
++++ b/print-sl.c
+@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
+       u_int hlen;
+ 
+       dir = p[SLX_DIR];
+-      ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
++      switch (dir) {
+ 
++      case SLIPDIR_IN:
++              ND_PRINT((ndo, "I "));
++              break;
++
++      case SLIPDIR_OUT:
++              ND_PRINT((ndo, "O "));
++              break;
++
++      default:
++              ND_PRINT((ndo, "Invalid direction %d ", dir));
++              dir = -1;
++              break;
++      }
+       if (ndo->ndo_nflag) {
+               /* XXX just dump the header */
+               register int i;
+@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
+                * has restored the IP header copy to IPPROTO_TCP.
+                */
+               lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
++              ND_PRINT((ndo, "utcp %d: ", lastconn));
++              if (dir == -1) {
++                      /* Direction is bogus, don't use it */
++                      return;
++              }
+               hlen = IP_HL(ip);
+               hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
+               lastlen[dir][lastconn] = length - (hlen << 2);
+-              ND_PRINT((ndo, "utcp %d: ", lastconn));
+               break;
+ 
+       default:
++              if (dir == -1) {
++                      /* Direction is bogus, don't use it */
++                      return;
++              }
+               if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
+                       compressed_sl_print(ndo, &p[SLX_CHDR], ip,
+                           length, dir);



reply via email to

[Prev in Thread] Current Thread [Next in Thread]