Hi, On Mon, Mar 16, 2015 at 11:42:37AM +0100, Raphael Hertzog wrote: > If that workflow is a burden to you, feel free to just prepare an > updated source package and send it to debian-lts@lists.debian.org > (via a debdiff, or with an URL pointing to the source package, > or even with a pointer to your packaging repository), and the members > of the LTS team will take care of the rest. Indicate clearly whether you > have tested the updated package or not. Ok, here's a tested debdiff against the previous squeeze-lts version, please take care of the upload for me. -- Romain Francoise <rfrancoise@debian.org> http://people.debian.org/~rfrancoise/
diffstat for tcpdump-4.1.1 tcpdump-4.1.1
changelog | 10 +++++++
patches/60_cve-2015-0261.diff | 56 ++++++++++++++++++++++++++++++++++++++++++
patches/60_cve-2015-2154.diff | 23 +++++++++++++++++
patches/60_cve-2015-2155.diff | 28 +++++++++++++++++++++
patches/series | 3 ++
5 files changed, 120 insertions(+)
diff -Nru tcpdump-4.1.1/debian/changelog tcpdump-4.1.1/debian/changelog
--- tcpdump-4.1.1/debian/changelog 2014-12-08 19:08:04.000000000 +0100
+++ tcpdump-4.1.1/debian/changelog 2015-03-16 21:19:54.000000000 +0100
@@ -1,3 +1,13 @@
+tcpdump (4.1.1-1+deb6u2) squeeze-lts; urgency=low
+
+ * Cherry-pick changes from upstream Git to fix the following security
+ issues:
+ + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+ + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+ + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 16 Mar 2015 21:19:54 +0100
+
tcpdump (4.1.1-1+deb6u1) squeeze-lts; urgency=low
* Non-maintainer upload by the Squeeze LTS Team.
diff -Nru tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/60_cve-2015-0261.diff 2015-03-16 21:14:34.000000000 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 1490b72..535f04b 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -74,6 +74,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+
+ /* Mobility Header Options */
+ #define IP6MOPT_MINLEN 2
+@@ -95,16 +107,20 @@ mobility_opt_print(const u_char *bp, int len)
+ int optlen;
+
+ for (i = 0; i < len; i += optlen) {
++ TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ TCHECK(bp[i + optlen]);
+
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -201,6 +217,10 @@ mobility_print(const u_char *bp, const u_char *bp2 _U_)
+
+ TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ printf("(header length %u is too small for type %u)", mhlen, type);
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ printf("mobility: BRR");
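Review bot: The `TCHECK(bp[i + optlen]);` added after the `i + optlen > len` test demands one byte beyond the option being parsed: the option occupies bp[i] .. bp[i + optlen - 1], so a packet whose last option ends exactly at the end of the captured data is reported as truncated even though every byte of that option is present. This is an over-check, not an under-check, so it is memory-safe, and if it is exactly what the upstream commit contains it is probably best left as is for a backport; in that case a comment such as `/* one past the option on purpose: reports truncation unless the following byte was captured too */` would save the next reader the same question. The exact bound would be `TCHECK(bp[i + optlen - 1]);` (optlen is at least 1 on both branches). mobility_opt_print and mobility_print both start before and continue after their hunks.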
diff -Nru tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/60_cve-2015-2154.diff 2015-03-16 21:14:34.000000000 +0100
@@ -0,0 +1,23 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index 5763705..4b81605 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -2741,9 +2741,15 @@ osi_print_cksum (const u_int8_t *pptr, u_int16_t checksum,
+ u_int checksum_offset, u_int length)
+ {
+ u_int16_t calculated_checksum;
+-
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > snaplen
++ || checksum_offset > snaplen
++ || checksum_offset > length) {
+ printf("(unverified)");
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
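Review bot: The new comment says the condition rejects a base pointer that is "not sane", but none of the four tests examine pptr: `length > snaplen` compares against the configured snapshot length, which only bounds the read if pptr is the start of the captured data, so a PDU that begins further into the packet can still have create_osi_cksum walk past snapend with a length that is within snaplen (unless create_osi_cksum checks this itself, which the hunk does not show). Either drop the "base pointer" wording from the comment or make it true with the existing bounds macro, for example by adding `|| !TTEST2(*pptr, length)` to the condition. osi_print_cksum's signature is above the hunk and the rest of the function below it.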
diff -Nru tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/60_cve-2015-2155.diff 2015-03-16 21:18:33.000000000 +0100
@@ -0,0 +1,28 @@
+--- a/print-forces.c.orig 2010-03-12 02:56:44.000000000 +0100
++++ b/print-forces.c 2015-03-16 21:16:57.380588066 +0100
+@@ -282,9 +282,11 @@
+
+ chk_op_type(type, op_msk, ops->op_msk);
+
+- rc = ops->print((const u_char *)pdtlv,
+- tll + pad + TLV_HDRL, op_msk,
+- indent + 2);
++ if (ops->print) {
++ rc = ops->print((const u_char *)pdtlv,
++ tll + pad + TLV_HDRL, op_msk,
++ indent + 2);
++ }
+ } else {
+ printf("Invalid path data content type 0x%x len %d\n",
+ type, EXTRACT_16BITS(&pdtlv->length));
+@@ -491,7 +493,9 @@
+
+ }
+
+- rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+
+ trunc:
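Review bot: Both new guards silently skip the TLV when `ops->print` is NULL and then continue to use `rc` (the second site does `return rc;` directly), so the value returned depends on how rc was initialised earlier in each function, which is outside the hunk; please confirm it is not left indeterminate on that path. An explicit `else` branch, e.g. `printf("(no printer for this TLV)");`, would also make a skipped TLV visible in the output instead of indistinguishable from a decoded one. Minor style: the second guard is written `if(ops->print)` while the first uses `if (ops->print)`; match the file's spacing. Both enclosing functions begin and end outside the hunk.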
diff -Nru tcpdump-4.1.1/debian/patches/series tcpdump-4.1.1/debian/patches/series
--- tcpdump-4.1.1/debian/patches/series 2014-12-08 19:08:14.000000000 +0100
+++ tcpdump-4.1.1/debian/patches/series 2015-03-16 21:19:06.000000000 +0100
@@ -7,3 +7,6 @@
60_cve-2014-8767.diff
60_cve-2014-8769.diff
60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff