Bug#1004267: buster-pu: package libpcap/1.8.1-6+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Romain Francoise <rfrancoise@debian.org>, team@security.debian.org
* CVE-2019-15165: Improper PHB header length validation.
(Closes: #941697)
diff -Nru libpcap-1.8.1/debian/changelog libpcap-1.8.1/debian/changelog
--- libpcap-1.8.1/debian/changelog 2017-12-31 17:56:33.000000000 +0200
+++ libpcap-1.8.1/debian/changelog 2022-01-23 23:00:19.000000000 +0200
@@ -1,3 +1,11 @@
+libpcap (1.8.1-6+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-15165: Improper PHB header length validation.
+ (Closes: #941697)
+
+ -- Adrian Bunk <bunk@debian.org> Sun, 23 Jan 2022 23:00:19 +0200
+
libpcap (1.8.1-6) unstable; urgency=medium
* debian/watch: add pgpsigurlmangle option.
diff -Nru libpcap-1.8.1/debian/patches/0001-do-sanity-checks-on-PHB-header-length-before-allocat.patch libpcap-1.8.1/debian/patches/0001-do-sanity-checks-on-PHB-header-length-before-allocat.patch
--- libpcap-1.8.1/debian/patches/0001-do-sanity-checks-on-PHB-header-length-before-allocat.patch 1970-01-01 02:00:00.000000000 +0200
+++ libpcap-1.8.1/debian/patches/0001-do-sanity-checks-on-PHB-header-length-before-allocat.patch 2022-01-23 23:00:07.000000000 +0200
@@ -0,0 +1,53 @@
+From 7ef51510ab5b337cb8b34e1dbe9c9a64fc2c20b9 Mon Sep 17 00:00:00 2001
+From: Michael Richardson <mcr@sandelman.ca>
+Date: Fri, 20 Sep 2019 11:02:00 -0400
+Subject: do sanity checks on PHB header length before allocating memory. There
+ was no fault; but doing the check results in a more consistent error
+
+---
+ sf-pcap-ng.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/sf-pcap-ng.c b/sf-pcap-ng.c
+index 0c02829e..860487b7 100644
+--- a/sf-pcap-ng.c
++++ b/sf-pcap-ng.c
+@@ -102,7 +102,7 @@ struct option_header {
+ * Section Header Block.
+ */
+ #define BT_SHB 0x0A0D0D0A
+-
++#define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
+ struct section_header_block {
+ bpf_u_int32 byte_order_magic;
+ u_short major_version;
+@@ -247,7 +247,7 @@ read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
+ if (amt_read == 0 && !fail_on_eof)
+ return (0); /* EOF */
+ pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
+- "truncated dump file; tried to read %lu bytes, only got %lu",
++ "truncated pcap-ng dump file; tried to read %lu bytes, only got %lu",
+ (unsigned long)bytes_to_read,
+ (unsigned long)amt_read);
+ }
+@@ -798,11 +798,14 @@ pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
+ /*
+ * Check the sanity of the total length.
+ */
+- if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
++ if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
++ (total_length > BT_SHB_INSANE_MAX)) {
+ pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
+- "Section Header Block in pcap-ng dump file has a length of %u < %lu",
++ "Section Header Block in pcap-ng dump file has invalid length %lu < _%u_ < %u (BT_SHB_INSANE_MAX)",
++ (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)),
+ total_length,
+- (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
++ BT_SHB_INSANE_MAX);
++
+ *err = 1;
+ return (NULL);
+ }
+--
+2.20.1
+
diff -Nru libpcap-1.8.1/debian/patches/series libpcap-1.8.1/debian/patches/series
--- libpcap-1.8.1/debian/patches/series 2017-12-31 17:31:01.000000000 +0200
+++ libpcap-1.8.1/debian/patches/series 2022-01-23 23:00:17.000000000 +0200
@@ -8,3 +8,4 @@
disable-remote.diff
man-errors.diff
pcap-config.diff
+0001-do-sanity-checks-on-PHB-header-length-before-allocat.patch
Reply to: