
Bug#973917: marked as done (buster-pu: package tcpdump/4.9.3-1~deb10u2)



Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #973917,
regarding buster-pu: package tcpdump/4.9.3-1~deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
973917: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973917
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I am seeking permission to upload a new version of tcpdump to
stable-proposed-updates to address CVE-2020-8037 (bug #973877).

Full debdiff attached.

Thanks,

diffstat for tcpdump-4.9.3 tcpdump-4.9.3

 changelog                        |    7 ++++
 patches/series                   |    1 
 patches/upstream-32027e1993.diff |   61 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)

diff -Nru tcpdump-4.9.3/debian/changelog tcpdump-4.9.3/debian/changelog
--- tcpdump-4.9.3/debian/changelog	2019-10-19 16:55:18.000000000 +0200
+++ tcpdump-4.9.3/debian/changelog	2020-11-07 13:36:24.000000000 +0100
@@ -1,3 +1,10 @@
+tcpdump (4.9.3-1~deb10u2) buster; urgency=high
+
+  * Cherry-pick commit 32027e1993 from the upstream tcpdump-4.9 branch to fix
+    untrusted input issue in the PPP printer (CVE-2020-8037, closes: #973877).
+
+ -- Romain Francoise <rfrancoise@debian.org>  Sat, 07 Nov 2020 13:36:24 +0100
+
 tcpdump (4.9.3-1~deb10u1) buster-security; urgency=high
 
   * New upstream release, with fixes for 24 different CVEs (closes: #941698).
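Review bot: the new changelog entry for 4.9.3-1~deb10u2 describes the fix only as an "untrusted input issue in the PPP printer", which does not tell a reader what was wrong or why the upload is urgent. Per the cherry-picked commit message in the attached patch, ppp_hdlc() sized its un-escape buffer from the on-the-wire length instead of the captured length, so a short capture of a packet claiming a large length forced an oversized allocation; say that in the entry (one line is enough) so the changelog is useful without reading the patch.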
diff -Nru tcpdump-4.9.3/debian/patches/series tcpdump-4.9.3/debian/patches/series
--- tcpdump-4.9.3/debian/patches/series	2019-10-19 00:20:22.000000000 +0200
+++ tcpdump-4.9.3/debian/patches/series	2020-11-07 13:34:47.000000000 +0100
@@ -2,3 +2,4 @@
 man-section.diff
 platform-quirks.diff
 disable-tests.diff
+upstream-32027e1993.diff
diff -Nru tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff
--- tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff	1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff	2020-11-07 13:34:39.000000000 +0100
@@ -0,0 +1,61 @@
+commit 32027e199368dad9508965aae8cd8de5b6ab5231
+Author: Guy Harris <guy@alum.mit.edu>
+Date:   Sat Apr 18 14:04:59 2020 -0700
+
+    PPP: When un-escaping, don't allocate a too-large buffer.
+    
+    The buffer should be big enough to hold the captured data, but it
+    doesn't need to be big enough to hold the entire on-the-network packet,
+    if we haven't captured all of it.
+    
+    (backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 891761728b..33fb034127 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+ 	return 0;
+ }
+ 
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+          const u_char *p, int length)
+ {
++	u_int caplen = ndo->ndo_snapend - p;
+ 	u_char *b, *t, c;
+ 	const u_char *s;
+-	int i, proto;
++	u_int i;
++	int proto;
+ 	const void *se;
+ 
++	if (caplen == 0)
++		return;
++
+         if (length <= 0)
+                 return;
+ 
+-	b = (u_char *)malloc(length);
++	b = (u_char *)malloc(caplen);
+ 	if (b == NULL)
+ 		return;
+ 
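Review bot: `u_int caplen = ndo->ndo_snapend - p;` is computed before any check that p actually lies inside the captured data. If a caller ever hands ppp_hdlc() a p past ndo_snapend, the pointer difference is negative, converts to a very large u_int, is not caught by the new `caplen == 0` guard, and then feeds both malloc(caplen) and the loop bound in the following hunk. Suggest guarding the subtraction, e.g. `if (p >= ndo->ndo_snapend) return;` placed before caplen is derived, so the function's safety does not depend on every caller having already bounds-checked p.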
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ 	 * Do this so that we dont overwrite the original packet
+ 	 * contents.
+ 	 */
+-	for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++	for (s = p, t = b, i = caplen; i != 0; i--) {
+ 		c = *s++;
+ 		if (c == 0x7d) {
+-			if (i <= 1 || !ND_TTEST(*s))
++			if (i <= 1)
+ 				break;
+ 			i--;
+ 			c = *s++ ^ 0x20;
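Review bot: with the loop bound changed to caplen, b now holds at most caplen un-escaped bytes, but the hunk ends before the code that consumes b and passes a length on to the protocol printers; confirm that the consumer uses the un-escaped count (t - b) rather than the on-the-wire `length`, since after this change `length` can exceed the size of b. Dropping the two ND_TTEST(*s) checks is sound only because i starts at caplen, so every read of *s stays below ndo_snapend provided caplen itself was derived from a p inside the capture. The `if (i <= 1) break;` path, which silently discards a 0x7d escape sitting in the last captured position, is the right behaviour for a capture cut mid-escape but deserves a one-line comment saying so.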

--- End Message ---
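The point made in the cherry-picked commit message, as an added C example that is my own illustration and not tcpdump code or part of the debdiff: an RFC 1662 un-escape loop whose buffer and iteration bound come from the captured length, not from the length the link-layer header claims. The names ppp_unescape, vulnerable_alloc_size, fixed_alloc_size and sample_decodes_correctly, the 7-byte SAMPLE_FRAME and its claimed 65535-byte wire length are all constructed for this example; the loop mirrors the fixed ppp_hdlc() in the patch but takes explicit lengths instead of a netdissect_options context.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PPP_ESCAPE 0x7d   /* RFC 1662 control escape octet */
#define PPP_TRANS  0x20   /* XOR mask applied to the octet after an escape */

/* Constructed sample (not a real capture): 7 captured bytes of an RFC 1662
 * payload whose header claims a much larger on-the-wire length. It holds two
 * complete escape pairs and a dangling escape as the last captured byte. */
const uint8_t SAMPLE_FRAME[]  = { 0x7d, 0x5e, 0x41, 0x7d, 0x5d, 0x42, 0x7d };
const size_t  SAMPLE_CAPLEN   = sizeof SAMPLE_FRAME;
const int     SAMPLE_WIRELEN  = 65535;   /* hypothetical claimed length */

/* Pre-fix sizing: buffer sized by the on-the-wire length, so a short capture
 * of a packet that claims a large length forces an allocation that can never
 * be filled from the captured bytes. */
size_t vulnerable_alloc_size(int length, size_t caplen)
{
    (void)caplen;
    return length <= 0 ? 0 : (size_t)length;
}

/* Fixed sizing, as in the patched ppp_hdlc(): only captured bytes can be
 * un-escaped, so the buffer never needs more than caplen bytes. */
size_t fixed_alloc_size(int length, size_t caplen)
{
    if (caplen == 0 || length <= 0)
        return 0;
    return caplen;
}

/* Un-escape up to caplen captured bytes into a malloc'ed buffer of caplen
 * bytes (un-escaping can only shrink the data). The loop bound is caplen, so
 * no per-byte snapend test is needed; an escape octet in the final captured
 * position is treated as truncation and ends the loop. Returns the number of
 * bytes written to *out (0 with *out == NULL on empty input or allocation
 * failure); the caller frees *out. */
size_t ppp_unescape(const uint8_t *p, size_t caplen, uint8_t **out)
{
    const uint8_t *s;
    uint8_t *b, *t, c;
    size_t i;

    *out = NULL;
    if (caplen == 0)
        return 0;
    b = malloc(caplen);
    if (b == NULL)
        return 0;

    for (s = p, t = b, i = caplen; i != 0; i--) {
        c = *s++;
        if (c == PPP_ESCAPE) {
            if (i <= 1)          /* escape with nothing after it: truncated */
                break;
            i--;
            c = *s++ ^ PPP_TRANS;
        }
        *t++ = c;
    }
    *out = b;
    return (size_t)(t - b);
}

/* Returns 1 if decoding SAMPLE_FRAME yields exactly 7e 41 7d 42 (the two
 * escape pairs resolved, the trailing lone escape dropped), else 0. */
int sample_decodes_correctly(void)
{
    static const uint8_t expect[] = { 0x7e, 0x41, 0x7d, 0x42 };
    uint8_t *o = NULL;
    size_t n = ppp_unescape(SAMPLE_FRAME, SAMPLE_CAPLEN, &o);
    int ok = (n == sizeof expect) && o != NULL && memcmp(o, expect, n) == 0;
    free(o);
    return ok;
}

int main(void)
{
    uint8_t *decoded = NULL;
    size_t n = ppp_unescape(SAMPLE_FRAME, SAMPLE_CAPLEN, &decoded), k;

    printf("pre-fix malloc: %zu bytes, fixed malloc: %zu bytes\n",
           vulnerable_alloc_size(SAMPLE_WIRELEN, SAMPLE_CAPLEN),
           fixed_alloc_size(SAMPLE_WIRELEN, SAMPLE_CAPLEN));
    printf("un-escaped %zu bytes:", n);
    for (k = 0; k < n; k++)
        printf(" %02x", decoded[k]);
    printf("\n");
    free(decoded);
    return 0;
}
```

The two sizing functions make the defect visible without touching the allocator: for the same 7 captured bytes the pre-fix rule asks for 65535 bytes and the fixed rule for 7, and a stream of such packets in a capture file is what turns the difference into memory exhaustion.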
--- Begin Message ---
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---
