Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock tcpdump 4.6.2-4; it includes four security fixes that are
not tracked in the BTS but have CVE identifiers. The full debdiff is attached.
Thanks!
unblock tcpdump/4.6.2-4
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental'), (550, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.1-ore (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2
changelog | 11 ++++++++
patches/60_cve-2015-0261.diff | 56 ++++++++++++++++++++++++++++++++++++++++++
patches/60_cve-2015-2153.diff | 24 ++++++++++++++++++
patches/60_cve-2015-2154.diff | 31 +++++++++++++++++++++++
patches/60_cve-2015-2155.diff | 15 +++++++++++
patches/series | 4 +++
6 files changed, 141 insertions(+)
diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog 2014-11-29 12:24:11.000000000 +0100
+++ tcpdump-4.6.2/debian/changelog 2015-03-14 18:43:44.000000000 +0100
@@ -1,3 +1,14 @@
+tcpdump (4.6.2-4) unstable; urgency=high
+
+ * Cherry-pick changes from upstream Git to fix the following security
+ issues:
+ + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+ + CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
+ + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+ + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 14 Mar 2015 18:43:44 +0100
+
tcpdump (4.6.2-3) unstable; urgency=high
* Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 83447cf..b6fa61e 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -69,6 +69,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+
+ /* XXX: unused */
+ #define IP6MOPT_BU_MINLEN 10
+@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
+ unsigned i, optlen;
+
+ for (i = 0; i < len; i += optlen) {
++ ND_TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ ND_TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ ND_TCHECK(bp[i + optlen]);
+
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
+
+ ND_TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ ND_PRINT((ndo, "mobility: BRR"));
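Review bot: `ND_TCHECK(bp[i + optlen])` in mobility_opt_print tests the first byte after the current option rather than the option's own bytes, so a packet whose last option ends exactly at the snapshot end is reported as truncated even though every byte of it was captured. The bound that matches the option's length is `ND_TCHECK2(bp[i], optlen);`, and since `i + optlen > len` has just been rejected it cannot reach past the buffer the caller handed in either. With that form the single-byte `ND_TCHECK(bp[i])` at the top of the loop becomes redundant but harmless. The body of mobility_opt_print continues past the hunk.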
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,24 @@
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index 5bb5df7..8847c53 100644
+--- a/print-rpki-rtr.c
++++ b/print-rpki-rtr.c
+@@ -178,6 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ ND_TCHECK2(tptr, pdu_len);
+ hexdump = FALSE;
+
+ ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -306,6 +307,11 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
+ print_unknown_data(ndo,tptr,"\n\t ", pdu_len);
+ }
++ return;
++
++ trunc:
++ ND_PRINT((ndo, "|trunc"));
++ return;
+ }
+
+ void
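Review bot: `ND_TCHECK2(tptr, pdu_len)` passes the pointer variable itself as the first argument, but ND_TCHECK2, like ND_TCHECK, takes the address of its argument (every other use in this debdiff passes an lvalue such as `bp[i]` or `mh->ip6m_type`), so this compares `&tptr`, a stack address, against the snapshot end and never looks at the packet bytes. The intended form is `ND_TCHECK2(*tptr, pdu_len);`. It is also worth confirming that the fixed `rpki_rtr_pdu` header was bounds-checked before `pdu_header->length` is read on the line above, since rpki_rtr_pdu_print starts outside the hunk and no such check is visible here.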
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,31 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index bc710e4..54eed7c 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -1057,7 +1057,7 @@ esis_print(netdissect_options *ndo,
+
+ if (li < sizeof(struct esis_header_t) + 2) {
+ ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+- while (--length != 0)
++ while (pptr < ndo->ndo_snapend)
+ ND_PRINT((ndo, "%02X", *pptr++));
+ return;
+ }
+@@ -3084,8 +3084,15 @@ osi_print_cksum(netdissect_options *ndo,
+ {
+ uint16_t calculated_checksum;
+
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > ndo->ndo_snaplen
++ || checksum_offset > ndo->ndo_snaplen
++ || checksum_offset > length) {
+ ND_PRINT((ndo, "(unverified)"));
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
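Review bot: The new guards in osi_print_cksum compare `length` and `checksum_offset` against `ndo->ndo_snaplen`, the capture's configured snapshot size, not against the bytes actually remaining from `pptr` to `ndo->ndo_snapend`; when pptr points into the middle of a packet, `create_osi_cksum(pptr, checksum_offset, length)` can still read past the captured data. `!ND_TTEST2(*pptr, length)` is the bound that matches the read, and if the checksum field is two bytes wide (the local is a `uint16_t`), `checksum_offset + 1 >= length` is the offset check rather than `checksum_offset > length`. In esis_print the new `while (pptr < ndo->ndo_snapend)` hex-dumps everything up to the snapshot end instead of the PDU's remaining bytes, which is safe but deserves a comment such as `/* li is untrustworthy here: dump whatever was captured */`. Both functions continue outside their hunks.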
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,15 @@
+diff --git a/print-forces.c b/print-forces.c
+index 45bd74f..c5ec13c 100644
+--- a/print-forces.c
++++ b/print-forces.c
+@@ -1203,7 +1203,9 @@ otlv_print(netdissect_options *ndo,
+
+ }
+
+- rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+
+ trunc:
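Review bot: When `ops->print` is NULL the guarded call is skipped and `rc` is returned unchanged, but nothing in the hunk shows `rc` being initialised, so otlv_print may return an indeterminate value in exactly the case this patch handles; otlv_print starts outside the hunk, so confirm `rc` has an initialiser there or give the new `if` an `else` that sets it. Skipping silently also leaves no trace in the output that the operation was not decoded; an `else` branch printing a short marker would make that visible. As a style point, `if(ops->print)` lacks the space after `if` used by the surrounding code and by the other patches in this debdiff (`if (i + 1 < len)`).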
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series 2014-11-29 12:19:11.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/series 2015-03-14 18:44:30.000000000 +0100
@@ -8,3 +8,7 @@
60_cve-2014-8768.diff
60_cve-2014-8769.diff
60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2153.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff