Hi, On Mon, Mar 16, 2015 at 11:42:37AM +0100, Raphael Hertzog wrote: > If that workflow is a burden to you, feel free to just prepare an > updated source package and send it to debian-lts@lists.debian.org > (via a debdiff, or with a URL pointing to the source package, > or even with a pointer to your packaging repository), and the members > of the LTS team will take care of the rest. Indicate clearly whether you > have tested the updated package or not. Ok, here's a tested debdiff against the previous squeeze-lts version, please take care of the upload for me. -- Romain Francoise <rfrancoise@debian.org> http://people.debian.org/~rfrancoise/
diffstat for tcpdump-4.1.1 tcpdump-4.1.1 changelog | 10 +++++++ patches/60_cve-2015-0261.diff | 56 ++++++++++++++++++++++++++++++++++++++++++ patches/60_cve-2015-2154.diff | 23 +++++++++++++++++ patches/60_cve-2015-2155.diff | 28 +++++++++++++++++++++ patches/series | 3 ++ 5 files changed, 120 insertions(+)
diff -Nru tcpdump-4.1.1/debian/changelog tcpdump-4.1.1/debian/changelog
--- tcpdump-4.1.1/debian/changelog 2014-12-08 19:08:04.000000000 +0100
+++ tcpdump-4.1.1/debian/changelog 2015-03-16 21:19:54.000000000 +0100
@@ -1,3 +1,13 @@
+tcpdump (4.1.1-1+deb6u2) squeeze-lts; urgency=low
+
+ * Cherry-pick changes from upstream Git to fix the following security
+ issues:
+ + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+ + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+ + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 16 Mar 2015 21:19:54 +0100
+
 tcpdump (4.1.1-1+deb6u1) squeeze-lts; urgency=low
 
 * Non-maintainer upload by the Squeeze LTS Team.
diff -Nru tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff 2015-03-16 21:14:34.000000000 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 1490b72..535f04b 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -74,6 +74,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+ 
+ /* Mobility Header Options */
+ #define IP6MOPT_MINLEN 2
+@@ -95,16 +107,20 @@ mobility_opt_print(const u_char *bp, int len)
+ int optlen;
+ 
+ for (i = 0; i < len; i += optlen) {
++ TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ TCHECK(bp[i + optlen]);
+ 
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -201,6 +217,10 @@ mobility_print(const u_char *bp, const u_char *bp2 _U_)
+ 
+ TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ printf("(header length %u is too small for type %u)", mhlen, type);
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ printf("mobility: BRR");
diff -Nru tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff 2015-03-16 21:14:34.000000000 +0100
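Review bot: In the print-mobility.c patch, the added `TCHECK(bp[i + optlen]);` in mobility_opt_print tests the byte after the current option rather than the option itself, so an option that ends exactly at the last captured byte would be reported as truncated even though all of it is present. A range check over the option states the intent directly: `TCHECK2(bp[i], optlen);`. The new `ip6m_hdrlen[]` table is indexed by the raw message type and depends on the IP6M_* values running from 0 to IP6M_MAX in the listed order; only the last three defines are visible here, so a comment on the table such as `/* indexed by ip6m_type; must stay in IP6M_* numeric order */` would record that requirement. The option loop and the switch it feeds continue outside the hunk.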
@@ -0,0 +1,23 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index 5763705..4b81605 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -2741,9 +2741,15 @@ osi_print_cksum (const u_int8_t *pptr, u_int16_t checksum,
+ u_int checksum_offset, u_int length)
+ {
+ u_int16_t calculated_checksum;
+-
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > snaplen
++ || checksum_offset > snaplen
++ || checksum_offset > length) {
+ printf("(unverified)");
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
diff -Nru tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff 2015-03-16 21:18:33.000000000 +0100
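Review bot: The new guard in osi_print_cksum (print-isoclns.c) compares `length` and `checksum_offset` with `snaplen`, which is the configured capture size and not the number of captured bytes remaining at `pptr`, so a PDU that starts late in the packet can still pass with a `length` that runs beyond the captured data. The added comment also mentions the base pointer, but no condition looks at `pptr`. Bounding the range against the buffer itself would cover both: `if (!checksum || checksum_offset > length || !TTEST2(*pptr, length)) {`. create_osi_cksum is outside the hunk; presumably it reads `length` bytes starting at `pptr`, which is the range the check has to cover.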
@@ -0,0 +1,28 @@
+--- a/print-forces.c.orig 2010-03-12 02:56:44.000000000 +0100
++++ b/print-forces.c 2015-03-16 21:16:57.380588066 +0100
+@@ -282,9 +282,11 @@
+ 
+ chk_op_type(type, op_msk, ops->op_msk);
+ 
+- rc = ops->print((const u_char *)pdtlv,
+- tll + pad + TLV_HDRL, op_msk,
+- indent + 2);
++ if (ops->print) {
++ rc = ops->print((const u_char *)pdtlv,
++ tll + pad + TLV_HDRL, op_msk,
++ indent + 2);
++ }
+ } else {
+ printf("Invalid path data content type 0x%x len %d\n",
+ type, EXTRACT_16BITS(&pdtlv->length));
+@@ -491,7 +493,9 @@
+ 
+ }
+ 
+- rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+ 
+ trunc:
diff -Nru tcpdump-4.1.1/debian/patches/series tcpdump-4.1.1/debian/patches/series
--- tcpdump-4.1.1/debian/patches/series 2014-12-08 19:08:14.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/series 2015-03-16 21:19:06.000000000 +0100
@@ -7,3 +7,6 @@
 60_cve-2014-8767.diff
 60_cve-2014-8769.diff
 60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff
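Review bot: In both print-forces.c hunks a missing handler is now skipped silently: when `ops->print` is NULL, `rc` keeps whatever value it already had, and in the second hunk that value is returned immediately by `return rc;`. The declaration of `rc` is outside both hunks, so whether it is initialised on this path cannot be confirmed from here. An explicit else branch would remove the doubt and show in the output that the TLV was not decoded, e.g. `} else { printf("(no printer for this type)"); rc = -1; }`, assuming a negative return is this file's error convention. The second guard is written `if(ops->print)` while the first is `if (ops->print)`; using the spaced form in both keeps the patch consistent.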