From 489848b1fa2ea47638635c2e1ef266ddac172319 Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Fri, 28 Nov 2014 07:25:45 -0300
Subject: [PATCH] tcpdump: add 3 security patches
Fixes: CVE-2014-8767 - denial of service in verbose mode using malformed OLSR payload OLSR payload CVE-2014-8768 - denial of service in verbose mode using malformed Geonet payload CVE-2014-8769 - unreliable output using malformed AOVD payload
Signed-off-by: Gustavo Zacarias
Signed-off-by: Peter Korsgaard
---
package/tcpdump/0002-fix-CVE-2014-8767.patch | 20 ++++++++++++++++++++
package/tcpdump/0003-fix-CVE-2014-8768.patch | 19 +++++++++++++++++++
package/tcpdump/0004-fix-CVE-2014-8769.patch | 19 +++++++++++++++++++
3 files changed, 58 insertions(+)
create mode 100644 package/tcpdump/0002-fix-CVE-2014-8767.patch
create mode 100644 package/tcpdump/0003-fix-CVE-2014-8768.patch
create mode 100644 package/tcpdump/0004-fix-CVE-2014-8769.patch
diff --git a/package/tcpdump/0002-fix-CVE-2014-8767.patch b/package/tcpdump/0002-fix-CVE-2014-8767.patch
new file mode 100644
index 0000000000..a88efdf58d
--- /dev/null
+++ b/package/tcpdump/0002-fix-CVE-2014-8767.patch
@@ -0,0 +1,20 @@
+From https://bugzilla.redhat.com/show_bug.cgi?id=1165160
+
+Signed-off-by: Gustavo Zacarias
+
+--- tcpdump-tcpdump-4.6/print-olsr.c 2014-10-23 14:07:12.000000000 +0700
++++ tcpdump-4.6.2/print-olsr.c 2014-11-21 14:56:18.205542679 +0700
+@@ -234,6 +234,13 @@
+ ND_PRINT((ndo, "\n\t neighbor\n\t\t"));
+ neighbor = 1;
+
++ u_int caplength;
++
++ /* Checking length of available data before print */
++ caplength = (ndo->ndo_snapend >= msg_data) ? ndo->ndo_snapend - msg_data : 0;
++ if (hello_len > caplength)
++ hello_len = caplength;
++
+ while (hello_len >= sizeof(struct in_addr)) {
+
+ /* print 4 neighbors per line */
diff --git a/package/tcpdump/0003-fix-CVE-2014-8768.patch b/package/tcpdump/0003-fix-CVE-2014-8768.patch
new file mode 100644
index 0000000000..a8b82cf701
--- /dev/null
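Review bot: The clamp `if (hello_len > caplength) hello_len = caplength;` in the print-olsr.c patch shortens the neighbor list silently, so verbose output for a malformed OLSR hello reads like a well-formed shorter one and an analyst gets no hint that the length field overran the captured data. Consider emitting tcpdump's usual truncation marker when the clamp fires, e.g. `if (hello_len > caplength) { ND_PRINT((ndo, " [|olsr]")); hello_len = caplength; }`. The same silent clamp on `length` appears in the print-geonet.c and print-udp.c patches later in this commit. The enclosing function starts and ends outside the hunk, so the types of `hello_len` and `msg_data` are inferred from their use here.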
+++ b/package/tcpdump/0003-fix-CVE-2014-8768.patch
@@ -0,0 +1,19 @@
+From https://bugzilla.redhat.com/show_bug.cgi?id=1165161
+
+Signed-off-by: Gustavo Zacarias
+
+--- tcpdump-tcpdump_4.5/print-geonet.c 2014-02-17 05:58:41.000000000 +0700
++++ print-geonet.c 2014-11-21 10:06:58.590217933 +0700
+@@ -237,6 +237,12 @@
+ printf("Malformed (small) ");
+ }
+
++ /* Checking length before print */
++ u_int caplength;
++ caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
++ if (length > caplength)
++ length = caplength;
++
+ /* Print user data part */
+ if (ndo->ndo_vflag)
+ default_print(bp, length);
diff --git a/package/tcpdump/0004-fix-CVE-2014-8769.patch b/package/tcpdump/0004-fix-CVE-2014-8769.patch
new file mode 100644
index 0000000000..38eaf1247c
--- /dev/null
+++ b/package/tcpdump/0004-fix-CVE-2014-8769.patch
@@ -0,0 +1,19 @@
+From https://bugzilla.redhat.com/show_bug.cgi?id=1165162
+
+Signed-off-by: Gustavo Zacarias
+
+--- tcpdump-tcpdump-4.6/print-udp.c 2014-11-21 13:53:05.757690197 +0700
++++ tcpdump-4.6.2/print-udp.c 2014-11-21 13:50:58.077695164 +0700
+@@ -357,6 +357,12 @@
+ #ifdef INET6
+ register const struct ip6_hdr *ip6;
+ #endif
++ u_int caplength;
++
++ /* Checking length of available data before print */
++ caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
++ if (length > caplength)
++ length = caplength;
+
+ if (ep > ndo->ndo_snapend)
+ ep = ndo->ndo_snapend;
--
2.30.2
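Review bot: The inner file headers of the print-geonet.c patch, `--- tcpdump-tcpdump_4.5/print-geonet.c` and `+++ print-geonet.c`, come from a 4.5 tree and have different path depths, while the other two patches in this commit name `tcpdump-tcpdump-4.6/` and `tcpdump-4.6.2/`. If the packaged source differs from 4.5 around line 237, the hunk applies only with offset or fuzz, and a guard that lands a few lines off may no longer sit directly in front of the `default_print(bp, length)` call it is meant to bound. Regenerating the patch against the packaged release with matching path prefixes would make the applied result reviewable. The packaged version is not visible on this page, so this should be confirmed against the package's version file.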
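Review bot: Clamping `length` at the top of the UDP printer changes the value for every use after it, not only for the AODV payload named in the commit message. Code outside this hunk presumably compares `length` with the UDP header size and prints it, so with a short snapshot length the output would report captured bytes as the datagram length and could flag intact datagrams as truncated. Keeping `length` untouched and handing a bounded copy to the payload printers, e.g. `u_int printlen = (length > caplength) ? caplength : length;`, or doing the bounds check inside the AODV printer, avoids that side effect. The function body continues outside the hunk, so the later uses of `length` need checking before either change.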