
Bug#780574: marked as done (unblock: tcpdump/4.6.2-4)



Your message dated Mon, 16 Mar 2015 19:08:20 +0000
with message-id <1426532900.1658.11.camel@adam-barratt.org.uk>
and subject line Re: Bug#780574: unblock: tcpdump/4.6.2-4
has caused the Debian Bug report #780574,
regarding unblock: tcpdump/4.6.2-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780574: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780574
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock tcpdump 4.6.2-4, it includes four security fixes that are
not tracked in the BTS, but have CVE identifiers. Full debdiff attached.
Thanks!

unblock tcpdump/4.6.2-4

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental'), (550, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.1-ore (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2

 changelog                     |   11 ++++++++
 patches/60_cve-2015-0261.diff |   56 ++++++++++++++++++++++++++++++++++++++++++
 patches/60_cve-2015-2153.diff |   24 ++++++++++++++++++
 patches/60_cve-2015-2154.diff |   31 +++++++++++++++++++++++
 patches/60_cve-2015-2155.diff |   15 +++++++++++
 patches/series                |    4 +++
 6 files changed, 141 insertions(+)

diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog	2014-11-29 12:24:11.000000000 +0100
+++ tcpdump-4.6.2/debian/changelog	2015-03-14 18:43:44.000000000 +0100
@@ -1,3 +1,14 @@
+tcpdump (4.6.2-4) unstable; urgency=high
+
+  * Cherry-pick changes from upstream Git to fix the following security
+    issues:
+    + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+    + CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
+    + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+    + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <rfrancoise@debian.org>  Sat, 14 Mar 2015 18:43:44 +0100
+
 tcpdump (4.6.2-3) unstable; urgency=high
 
   * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 83447cf..b6fa61e 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -69,6 +69,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE	5	/* Binding Update */
+ #define IP6M_BINDING_ACK	6	/* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR	7	/* Binding Error */
++#define IP6M_MAX		7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++	IP6M_MINLEN,      /* IP6M_BINDING_REQUEST  */
++	IP6M_MINLEN + 8,  /* IP6M_HOME_TEST_INIT   */
++	IP6M_MINLEN + 8,  /* IP6M_CAREOF_TEST_INIT */
++	IP6M_MINLEN + 16, /* IP6M_HOME_TEST        */
++	IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST      */
++	IP6M_MINLEN + 4,  /* IP6M_BINDING_UPDATE   */
++	IP6M_MINLEN + 4,  /* IP6M_BINDING_ACK      */
++	IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR    */
++};
+ 
+ /* XXX: unused */
+ #define IP6MOPT_BU_MINLEN	10
+@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
+ 	unsigned i, optlen;
+ 
+ 	for (i = 0; i < len; i += optlen) {
++		ND_TCHECK(bp[i]);
+ 		if (bp[i] == IP6MOPT_PAD1)
+ 			optlen = 1;
+ 		else {
+-			if (i + 1 < len)
++			if (i + 1 < len) {
++				ND_TCHECK(bp[i + 1]);
+ 				optlen = bp[i + 1] + 2;
++			}
+ 			else
+ 				goto trunc;
+ 		}
+ 		if (i + optlen > len)
+ 			goto trunc;
++		ND_TCHECK(bp[i + optlen]);
+ 
+ 		switch (bp[i]) {
+ 		case IP6MOPT_PAD1:
+@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
+ 
+ 	ND_TCHECK(mh->ip6m_type);
+ 	type = mh->ip6m_type;
++	if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++		ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
++		goto trunc;
++	}
+ 	switch (type) {
+ 	case IP6M_BINDING_REQUEST:
+ 		ND_PRINT((ndo, "mobility: BRR"));
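Review bot: In mobility_opt_print, the added `ND_TCHECK(bp[i + optlen]);` tests the byte after the option rather than the option itself, so an option that ends exactly at the last captured byte (with `i + optlen == len`) is reported as truncated even though it was fully captured. Checking the option's own extent, `ND_TCHECK2(bp[i], optlen);`, keeps the protection against reading past the capture without demanding the extra byte. Separately, `ip6m_hdrlen[]` depends on `IP6M_MAX` being kept equal to the highest type constant by hand; a comment on `IP6M_MAX` such as `/* highest type with an entry in ip6m_hdrlen[] */` would help whoever adds the next type. The loop body and the rest of mobility_print continue outside the hunks shown.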
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,24 @@
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index 5bb5df7..8847c53 100644
+--- a/print-rpki-rtr.c
++++ b/print-rpki-rtr.c
+@@ -178,6 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+     pdu_header = (rpki_rtr_pdu *)tptr;
+     pdu_type = pdu_header->pdu_type;
+     pdu_len = EXTRACT_32BITS(pdu_header->length);
++    ND_TCHECK2(tptr, pdu_len);
+     hexdump = FALSE;
+ 
+     ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -306,6 +307,11 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+     if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
+ 	print_unknown_data(ndo,tptr,"\n\t  ", pdu_len);
+     }
++    return;
++
++ trunc:
++    ND_PRINT((ndo, "|trunc"));
++    return;
+ }
+ 
+ void
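Review bot: The added `ND_TCHECK2(tptr, pdu_len);` passes the pointer variable itself, whereas the other checks in this debdiff pass the object (`ND_TCHECK(bp[i])`). If ND_TCHECK2 takes the address of its first argument, as ND_TCHECK appears to, this compares the address of the local `tptr` with the capture end rather than the packet data, and the bound on `pdu_len` is not enforced. `ND_TCHECK2(*tptr, pdu_len);` looks like what was intended. The check also sits after `pdu_header->pdu_type` and `pdu_header->length` have already been read, so unless the caller (outside the hunk) has verified that a full header was captured, a header-sized check belongs before those two reads.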
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,31 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index bc710e4..54eed7c 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -1057,7 +1057,7 @@ esis_print(netdissect_options *ndo,
+ 
+ 	if (li < sizeof(struct esis_header_t) + 2) {
+             ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+-            while (--length != 0)
++            while (pptr < ndo->ndo_snapend)
+                 ND_PRINT((ndo, "%02X", *pptr++));
+             return;
+ 	}
+@@ -3084,8 +3084,15 @@ osi_print_cksum(netdissect_options *ndo,
+ {
+         uint16_t calculated_checksum;
+ 
+-        /* do not attempt to verify the checksum if it is zero */
+-        if (!checksum) {
++        /* do not attempt to verify the checksum if it is zero,
++         * if the total length is nonsense,
++         * if the offset is nonsense,
++         * or the base pointer is not sane
++         */
++        if (!checksum
++            || length > ndo->ndo_snaplen
++            || checksum_offset > ndo->ndo_snaplen
++            || checksum_offset > length) {
+                 ND_PRINT((ndo, "(unverified)"));
+         } else {
+                 calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
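Review bot: In osi_print_cksum the new conditions compare `length` and `checksum_offset` with `ndo->ndo_snaplen`, the configured snapshot size, not with the bytes actually captured from `pptr` onward, so a `length` that is below the snapshot size but runs past `ndo->ndo_snapend` still reaches `create_osi_cksum()`. Testing against the capture, for example `|| !ND_TTEST2(*pptr, length)` in place of `|| length > ndo->ndo_snaplen`, would bound the read by what is really in the buffer. The new comment lists "the base pointer is not sane" but no condition examines `pptr`, and `checksum_offset > length` still admits an offset equal to `length`; either tighten the test or say in the comment why that is acceptable. In the esis_print hunk the hex-dump loop now stops at `ndo_snapend` but no longer honours `length`, so it may print captured bytes that lie beyond the PDU.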
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff	2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,15 @@
+diff --git a/print-forces.c b/print-forces.c
+index 45bd74f..c5ec13c 100644
+--- a/print-forces.c
++++ b/print-forces.c
+@@ -1203,7 +1203,9 @@ otlv_print(netdissect_options *ndo,
+ 
+ 	}
+ 
+-	rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++        if(ops->print) {
++                rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++        }
+ 	return rc;
+ 
+ trunc:
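Review bot: When `ops->print` is NULL the call is skipped and `return rc;` returns whatever `rc` held before. Its declaration and any earlier assignment are outside the hunk, so confirm it is initialised on this path; otherwise otlv_print returns an indeterminate value to its caller. Setting `rc` explicitly in an `else` branch, and printing a short marker for the operation that has no printer, would make the skipped case visible in the output. The three added lines are indented with spaces and write `if(` while the surrounding context is tab-indented.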
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series	2014-11-29 12:19:11.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/series	2015-03-14 18:44:30.000000000 +0100
@@ -8,3 +8,7 @@
 60_cve-2014-8768.diff
 60_cve-2014-8769.diff
 60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2153.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff

--- End Message ---
--- Begin Message ---
On Mon, 2015-03-16 at 08:39 +0100, Romain Francoise wrote:
> Please unblock tcpdump 4.6.2-4, it includes four security fixes that are
> not tracked in the BTS, but have CVE identifiers. Full debdiff attached.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
