Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Dear Release Team, Please unblock tcpdump 4.6.2-4; it includes four security fixes that are not tracked in the BTS but have CVE identifiers. Full debdiff attached. Thanks! unblock tcpdump/4.6.2-4 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental'), (550, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.1-ore (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2
changelog | 11 ++++++++
patches/60_cve-2015-0261.diff | 56 ++++++++++++++++++++++++++++++++++++++++++
patches/60_cve-2015-2153.diff | 24 ++++++++++++++++++
patches/60_cve-2015-2154.diff | 31 +++++++++++++++++++++++
patches/60_cve-2015-2155.diff | 15 +++++++++++
patches/series | 4 +++
6 files changed, 141 insertions(+)
diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog 2014-11-29 12:24:11.000000000 +0100
+++ tcpdump-4.6.2/debian/changelog 2015-03-14 18:43:44.000000000 +0100
@@ -1,3 +1,14 @@
+tcpdump (4.6.2-4) unstable; urgency=high
+
+ * Cherry-pick changes from upstream Git to fix the following security
+ issues:
+ + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+ + CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
+ + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+ + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <[email protected]> Sat, 14 Mar 2015 18:43:44 +0100
+
 tcpdump (4.6.2-3) unstable; urgency=high
 
 * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 83447cf..b6fa61e 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -69,6 +69,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+
+ /* XXX: unused */
+ #define IP6MOPT_BU_MINLEN 10
+@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
+ unsigned i, optlen;
+
+ for (i = 0; i < len; i += optlen) {
++ ND_TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ ND_TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ ND_TCHECK(bp[i + optlen]);
+
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
+
+ ND_TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ ND_PRINT((ndo, "mobility: BRR"));
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 2015-03-14 18:31:07.000000000 +0100
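Review bot: The added `ND_TCHECK(bp[i + optlen]);` in mobility_opt_print tests the byte one past the current option (with the usual netdissect definition, ND_TCHECK covers `sizeof` the lvalue starting at its address), so a packet whose last option ends exactly at the snapshot end is reported as truncated although every option byte was captured; `ND_TCHECK2(bp[i], optlen);`, the form already used elsewhere in this series, covers exactly the option's bytes. The `ip6m_hdrlen[type]` lookup is correctly guarded by `type <= IP6M_MAX`, but types above IP6M_MAX reach `switch (type)` with no minimum-length check, so whatever the default case does with `mhlen` must be safe on its own; worth confirming. Both mobility_opt_print and mobility_print start and end outside the hunk.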
@@ -0,0 +1,24 @@
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index 5bb5df7..8847c53 100644
+--- a/print-rpki-rtr.c
++++ b/print-rpki-rtr.c
+@@ -178,6 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ ND_TCHECK2(tptr, pdu_len);
+ hexdump = FALSE;
+
+ ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -306,6 +307,11 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
+ print_unknown_data(ndo,tptr,"\n\t ", pdu_len);
+ }
++ return;
++
++ trunc:
++ ND_PRINT((ndo, "|trunc"));
++ return;
+ }
+
+ void
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff 2015-03-14 18:31:07.000000000 +0100
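Review bot: `ND_TCHECK2(tptr, pdu_len);` passes the pointer variable itself; if ND_TCHECK2 is the usual netdissect macro that takes `&(var)`, this compares the stack address of `tptr` with `ndo_snapend` instead of the packet bytes and does not bound the PDU read it is meant to guard, so it should be `ND_TCHECK2(*tptr, pdu_len);` — the other checks in this series pass an lvalue inside the packet (`ND_TCHECK(bp[i])`). The fixed PDU header is also read (`pdu_header->length`) before any check visible in the hunk, so unless one precedes the hunk the header read stays unguarded. `pdu_len` comes straight from the packet and nothing here rejects a value smaller than the header, so the later per-type accesses and the `print_unknown_data(...)` call rely on checks outside this hunk; worth confirming. rpki_rtr_pdu_print starts outside the hunk.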
@@ -0,0 +1,31 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index bc710e4..54eed7c 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -1057,7 +1057,7 @@ esis_print(netdissect_options *ndo,
+
+ if (li < sizeof(struct esis_header_t) + 2) {
+ ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+- while (--length != 0)
++ while (pptr < ndo->ndo_snapend)
+ ND_PRINT((ndo, "%02X", *pptr++));
+ return;
+ }
+@@ -3084,8 +3084,15 @@ osi_print_cksum(netdissect_options *ndo,
+ {
+ uint16_t calculated_checksum;
+
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > ndo->ndo_snaplen
++ || checksum_offset > ndo->ndo_snaplen
++ || checksum_offset > length) {
+ ND_PRINT((ndo, "(unverified)"));
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,15 @@
+diff --git a/print-forces.c b/print-forces.c
+index 45bd74f..c5ec13c 100644
+--- a/print-forces.c
++++ b/print-forces.c
+@@ -1203,7 +1203,9 @@ otlv_print(netdissect_options *ndo,
+
+ }
+
+- rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+
+ trunc:
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series 2014-11-29 12:19:11.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/series 2015-03-14 18:44:30.000000000 +0100
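Review bot: In osi_print_cksum the new guard compares `length` and `checksum_offset` with `ndo->ndo_snaplen`, the capture's snapshot length, not with the bytes actually remaining from `pptr`; when pptr is already some way into the packet, a `length` below snaplen can still carry create_osi_cksum past the captured data, so the test should cover the span itself, e.g. `|| !ND_TTEST2(*pptr, length)` in place of the two snaplen comparisons (the `checksum_offset > length` test can stay). In esis_print the replacement loop `while (pptr < ndo->ndo_snapend)` drops `length` entirely and hex-dumps to the end of the capture, which may print bytes beyond the PDU; `while (length != 0 && pptr < ndo->ndo_snapend)` with a decrement in the body keeps both bounds, assuming `length` is the remaining PDU length here. Both functions start outside the hunk, so the types of `length` and `pptr` should be confirmed there.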
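Review bot: Guarding the call with `if(ops->print)` returns `rc` untouched when the handler is absent, and this hunk does not show where `rc` is initialised; if it is only assigned on the call path, otlv_print now returns an indeterminate value for such operations. Initialising it before the guard, or assigning an explicit error value in an `else` branch, makes the result well-defined either way. As a style point, the other hunks in this series write `if (` with a space. otlv_print starts and ends outside the hunk.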
@@ -8,3 +8,7 @@
 60_cve-2014-8768.diff
 60_cve-2014-8769.diff
 60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2153.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff

