
Bug#780574: unblock: tcpdump/4.6.2-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock tcpdump 4.6.2-4; it includes four security fixes that are
not tracked in the BTS but have CVE identifiers. Full debdiff attached.
Thanks!

unblock tcpdump/4.6.2-4

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental'), (550, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.1-ore (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2

 changelog                     |   11 ++++++++
 patches/60_cve-2015-0261.diff |   56 ++++++++++++++++++++++++++++++++++++++++++
 patches/60_cve-2015-2153.diff |   24 ++++++++++++++++++
 patches/60_cve-2015-2154.diff |   31 +++++++++++++++++++++++
 patches/60_cve-2015-2155.diff |   15 +++++++++++
 patches/series                |    4 +++
 6 files changed, 141 insertions(+)

diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog	2014-11-29 12:24:11.000000000 +0100
+++ tcpdump-4.6.2/debian/changelog	2015-03-14 18:43:44.000000000 +0100
@@ -1,3 +1,14 @@
+tcpdump (4.6.2-4) unstable; urgency=high
+
+  * Cherry-pick changes from upstream Git to fix the following security
+    issues:
+    + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+    + CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
+    + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+    + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <rfrancoise@debian.org>  Sat, 14 Mar 2015 18:43:44 +0100
+
 tcpdump (4.6.2-3) unstable; urgency=high
 
   * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 83447cf..b6fa61e 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -69,6 +69,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE	5	/* Binding Update */
+ #define IP6M_BINDING_ACK	6	/* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR	7	/* Binding Error */
++#define IP6M_MAX		7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++	IP6M_MINLEN,      /* IP6M_BINDING_REQUEST  */
++	IP6M_MINLEN + 8,  /* IP6M_HOME_TEST_INIT   */
++	IP6M_MINLEN + 8,  /* IP6M_CAREOF_TEST_INIT */
++	IP6M_MINLEN + 16, /* IP6M_HOME_TEST        */
++	IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST      */
++	IP6M_MINLEN + 4,  /* IP6M_BINDING_UPDATE   */
++	IP6M_MINLEN + 4,  /* IP6M_BINDING_ACK      */
++	IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR    */
++};
+ 
+ /* XXX: unused */
+ #define IP6MOPT_BU_MINLEN	10
+@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
+ 	unsigned i, optlen;
+ 
+ 	for (i = 0; i < len; i += optlen) {
++		ND_TCHECK(bp[i]);
+ 		if (bp[i] == IP6MOPT_PAD1)
+ 			optlen = 1;
+ 		else {
+-			if (i + 1 < len)
++			if (i + 1 < len) {
++				ND_TCHECK(bp[i + 1]);
+ 				optlen = bp[i + 1] + 2;
++			}
+ 			else
+ 				goto trunc;
+ 		}
+ 		if (i + optlen > len)
+ 			goto trunc;
++		ND_TCHECK(bp[i + optlen]);
+ 
+ 		switch (bp[i]) {
+ 		case IP6MOPT_PAD1:
+@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
+ 
+ 	ND_TCHECK(mh->ip6m_type);
+ 	type = mh->ip6m_type;
++	if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++		ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
++		goto trunc;
++	}
+ 	switch (type) {
+ 	case IP6M_BINDING_REQUEST:
+ 		ND_PRINT((ndo, "mobility: BRR"));
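Review bot: `ND_TCHECK(bp[i + optlen]);` in mobility_opt_print tests the byte one past the option that was just length-checked (the option occupies offsets i..i+optlen-1), so a packet whose last mobility option ends exactly at the captured-data boundary is reported as truncated although every option byte is present. The intent is to ensure the option body is within the capture before the switch below reads it; `ND_TCHECK2(bp[i], optlen);` expresses that exactly without the one-past-end probe. The table check in mobility_print (`type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]`) stays in bounds only because ip6m_hdrlen is declared with IP6M_MAX + 1 entries; a comment on the table, `/* indexed by ip6m_type; keep in sync with IP6M_MAX */`, would make that coupling explicit. The loop body of mobility_opt_print and the switch in mobility_print continue outside the hunk.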
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,24 @@
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index 5bb5df7..8847c53 100644
+--- a/print-rpki-rtr.c
++++ b/print-rpki-rtr.c
+@@ -178,6 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+     pdu_header = (rpki_rtr_pdu *)tptr;
+     pdu_type = pdu_header->pdu_type;
+     pdu_len = EXTRACT_32BITS(pdu_header->length);
++    ND_TCHECK2(tptr, pdu_len);
+     hexdump = FALSE;
+ 
+     ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -306,6 +307,11 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+     if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
+ 	print_unknown_data(ndo,tptr,"\n\t  ", pdu_len);
+     }
++    return;
++
++ trunc:
++    ND_PRINT((ndo, "|trunc"));
++    return;
+ }
+ 
+ void
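Review bot: `ND_TCHECK2(tptr, pdu_len);` guarantees that pdu_len bytes from tptr are captured, but it puts no lower bound on pdu_len, which is taken straight from the packet; if the rest of rpki_rtr_pdu_print (outside the hunk) subtracts the header size from pdu_len or indexes past the header, a value smaller than the header still reaches that code. A minimum-length check beside the new line, `if (pdu_len < sizeof(rpki_rtr_pdu)) goto trunc;`, would close that gap. Whether pdu_header->pdu_type and pdu_header->length are themselves bounds-checked before line 178 is not visible here and is worth confirming, since they are read before the new check. The added `trunc:` label prints `|trunc` and returns, which is consistent with the void signature.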
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,31 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index bc710e4..54eed7c 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -1057,7 +1057,7 @@ esis_print(netdissect_options *ndo,
+ 
+ 	if (li < sizeof(struct esis_header_t) + 2) {
+             ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+-            while (--length != 0)
++            while (pptr < ndo->ndo_snapend)
+                 ND_PRINT((ndo, "%02X", *pptr++));
+             return;
+ 	}
+@@ -3084,8 +3084,15 @@ osi_print_cksum(netdissect_options *ndo,
+ {
+         uint16_t calculated_checksum;
+ 
+-        /* do not attempt to verify the checksum if it is zero */
+-        if (!checksum) {
++        /* do not attempt to verify the checksum if it is zero,
++         * if the total length is nonsense,
++         * if the offset is nonsense,
++         * or the base pointer is not sane
++         */
++        if (!checksum
++            || length > ndo->ndo_snaplen
++            || checksum_offset > ndo->ndo_snaplen
++            || checksum_offset > length) {
+                 ND_PRINT((ndo, "(unverified)"));
+         } else {
+                 calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
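Review bot: the new guards in osi_print_cksum compare length and checksum_offset against ndo->ndo_snaplen, the configured capture limit, rather than against the bytes actually captured after pptr; a packet shorter than snaplen, or a pptr that does not start at the beginning of the captured frame, can pass the check while pptr + length still runs past ndo->ndo_snapend, the boundary the esis_print hunk above uses. Bounding on the capture buffer itself, `|| !ND_TTEST2(*pptr, length)` (equivalently `|| pptr + length > ndo->ndo_snapend`), is the condition create_osi_cksum actually needs. Whether create_osi_cksum touches pptr[checksum_offset + 1] when checksum_offset == length is not visible here; if it does, `checksum_offset >= length` is the right bound. In esis_print the replacement `while (pptr < ndo->ndo_snapend)` bounds the hex dump by the capture instead of the PDU, so it may print bytes that belong to whatever follows the short PDU; a one-line comment stating that this is a deliberate dump-to-end would save the next reader a question. osi_print_cksum's body continues outside the hunk.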
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,15 @@
+diff --git a/print-forces.c b/print-forces.c
+index 45bd74f..c5ec13c 100644
+--- a/print-forces.c
++++ b/print-forces.c
+@@ -1203,7 +1203,9 @@ otlv_print(netdissect_options *ndo,
+ 
+ 	}
+ 
+-	rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++        if(ops->print) {
++                rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++        }
+ 	return rc;
+ 
+ trunc:
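Review bot: the added `if(ops->print)` block in otlv_print is indented with spaces while the surrounding lines it sits between (the replaced `rc = ops->print(...)` and `return rc;`) use tabs, and `if(` lacks the space used elsewhere in the file; re-indent the three added lines with tabs and write `if (ops->print) {`. With the guard in place, rc is returned unchanged when ops->print is NULL, so rc must be initialised at the top of otlv_print; that line is outside the hunk and cannot be confirmed here, and if it is missing the NULL case returns an indeterminate value. A brief comment on the guard, `/* some TLV table entries carry no printer */`, would explain why the pointer can be NULL, since nothing in the hunk says so.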
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series	2014-11-29 12:19:11.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/series	2015-03-14 18:44:30.000000000 +0100
@@ -8,3 +8,7 @@
 60_cve-2014-8768.diff
 60_cve-2014-8769.diff
 60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2153.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff
