New version 4.9.3

Fixes CVE-2017-16808, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14466, CVE-2018-14461, CVE-2018-14462, CVE-2018-14465, CVE-2018-14881, CVE-2018-14464, CVE-2018-14463, CVE-2018-14467, CVE-2018-10103, CVE-2018-10105, CVE-2018-14880, CVE-2018-16451, CVE-2018-14882, CVE-2018-16227, CVE-2018-16229, CVE-2018-16301, CVE-2018-16230, CVE-2018-16452, CVE-2018-16300, CVE-2018-16228, CVE-2019-15166, CVE-2019-15167
This commit is contained in:
Michal Ruprich 2019-10-15 15:06:02 +02:00
parent 75ba4869e0
commit 40612b3036
8 changed files with 34 additions and 245 deletions

2
.gitignore vendored
View File

@ -18,3 +18,5 @@ tcpdump-4.1.1.tar.gz
/tcpdump-4.9.1.tar.gz /tcpdump-4.9.1.tar.gz
/tcpdump-4.9.2.tar.gz.sig /tcpdump-4.9.2.tar.gz.sig
/tcpdump-4.9.2.tar.gz /tcpdump-4.9.2.tar.gz
/tcpdump-4.9.3.tar.gz
/tcpdump-4.9.3.tar.gz.sig

View File

@ -1,26 +0,0 @@
From f19e0376b8e98b38240d28eb9e6f78c465bb1c6e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 20 Oct 2014 13:34:24 +0200
Subject: [PATCH 1/8] icmp6: print Reachable Time and Retransmit Time from
ICMPv6 as milliseconds
---
print-icmp6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/print-icmp6.c b/print-icmp6.c
index 7fe639d..cfaa2df 100644
--- a/print-icmp6.c
+++ b/print-icmp6.c
@@ -1034,7 +1034,7 @@ icmp6_print(netdissect_options *ndo,
p = (const struct nd_router_advert *)dp;
ND_TCHECK(p->nd_ra_retransmit);
ND_PRINT((ndo,"\n\thop limit %u, Flags [%s]" \
- ", pref %s, router lifetime %us, reachable time %us, retrans time %us",
+ ", pref %s, router lifetime %us, reachable time %ums, retrans time %ums",
(u_int)p->nd_ra_curhoplimit,
bittok2str(icmp6_opt_ra_flag_values,"none",(p->nd_ra_flags_reserved)),
get_rtpref(p->nd_ra_flags_reserved),
--
2.9.3

View File

@ -1,36 +0,0 @@
From d5508c13119404102104a3935e7445c9fddf79b5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 3 Feb 2017 09:43:03 +0100
Subject: [PATCH 8/8] Don't print out we dropped root, we are always dropping
it
---
tcpdump.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/tcpdump.c b/tcpdump.c
index 29f7f87..18c4a5c 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -618,8 +618,6 @@ droproot(const char *username, const char *chroot_dir)
int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
if (ret < 0) {
fprintf(stderr, "error : ret %d\n", ret);
- } else {
- fprintf(stderr, "dropped privs to %s\n", username);
}
}
#else
@@ -632,9 +630,6 @@ droproot(const char *username, const char *chroot_dir)
pcap_strerror(errno));
exit_tcpdump(1);
}
- else {
- fprintf(stderr, "dropped privs to %s\n", username);
- }
#endif /* HAVE_LIBCAP_NG */
}
else {
--
2.9.3

View File

@ -10,18 +10,15 @@ flag than upstream does. We use -nn in those cases.
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/TESTonce b/tests/TESTonce diff --git a/tests/TESTonce b/tests/TESTonce
index 7026624..e348701 100755 index 425abaa..81283d9 100755
--- a/tests/TESTonce --- a/tests/TESTonce
+++ b/tests/TESTonce +++ b/tests/TESTonce
@@ -21,7 +21,7 @@ if ($^O eq 'MSWin32') { @@ -43,7 +43,7 @@ if ($^O eq 'MSWin32') {
else { else {
# we used to do this as a nice pipeline, but the problem is that $r fails to # we used to do this as a nice pipeline, but the problem is that $r fails to
# to be set properly if the tcpdump core dumps. # to be set properly if the tcpdump core dumps.
- $r = system "../tcpdump 2>/dev/null -n -t -r $input $options >NEW/$output"; - $cmd = "$TCPDUMP 2>${rawstderrlog} -t -n -r $input $options >tests/NEW/${outputbase}";
+ $r = system "../tcpdump 2>/dev/null -nn -t -r $input $options >NEW/$output"; + $cmd = "$TCPDUMP 2>${rawstderrlog} -t -nn -r $input $options >tests/NEW/${outputbase}";
if($r != 0) { print "CMD: $cmd\n" if $debug;
# this means tcpdump failed. $r = system $cmd;
open(OUTPUT, ">>"."NEW/$output") || die "fail to open $output\n"; if($r == -1) {
--
2.13.5

View File

@ -1,45 +0,0 @@
From 0ae4aa1881bbe40443bff802b5e4aa6ca0696dd9 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 11 Apr 2017 09:37:53 +0200
Subject: [PATCH 10/13] Expect miliseconds instead of seconds in icmp capture.
Again this is caused by our patch, so we need to modify tests
accordingly.
---
tests/icmpv6.out | 2 +-
tests/icmpv6_opt24-v.out | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/icmpv6.out b/tests/icmpv6.out
index bb7775e..8979540 100644
--- a/tests/icmpv6.out
+++ b/tests/icmpv6.out
@@ -1,5 +1,5 @@
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::b299:28ff:fec8:d66c > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
- hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0s, retrans time 0s
+ hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0ms, retrans time 0ms
prefix info option (3), length 32 (4): 2222:3333:4444:5555:6600::/72, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x0000: 48c0 0027 8d00 0009 3a80 0000 0000 2222
0x0010: 3333 4444 5555 6600 0000 0000 0000
diff --git a/tests/icmpv6_opt24-v.out b/tests/icmpv6_opt24-v.out
index 2b7cf09..00512df 100644
--- a/tests/icmpv6_opt24-v.out
+++ b/tests/icmpv6_opt24-v.out
@@ -1,5 +1,5 @@
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
- hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
+ hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
mtu option (5), length 8 (1): 1500
prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
@@ -7,7 +7,7 @@ IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87
rdnss option (25), length 24 (3): lifetime 1800s, addr: fd8d:4fb3:5b2e::1
dnssl option (31), length 16 (2): lifetime 1800s, domain(s): lan.
IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
- hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
+ hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
mtu option (5), length 8 (1): 1500
prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
--
2.13.5

View File

@ -1,133 +1,29 @@
diff --git a/print-esp.c b/print-esp.c diff --git a/print-esp.c b/print-esp.c
index 511ee8a3..5b282526 100644 index 6fabff1..5818cc8 100644
--- a/print-esp.c --- a/print-esp.c
+++ b/print-esp.c +++ b/print-esp.c
@@ -192,8 +192,8 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, @@ -242,6 +242,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
const u_char *iv; if (input_buffer == NULL) {
unsigned int len;
EVP_CIPHER_CTX *ctx;
- unsigned int block_size, output_buffer_size;
- u_char *output_buffer;
+ unsigned int block_size, buffer_size;
+ u_char *input_buffer, *output_buffer;
/* initiator arg is any non-zero value */
if(initiator) initiator=1;
@@ -228,19 +228,41 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
(*ndo->ndo_warning)(ndo, "espkey init failed");
set_cipher_parameters(ctx, NULL, NULL, iv, 0);
/*
- * Allocate a buffer for the decrypted data.
- * The output buffer must be separate from the input buffer, and
- * its size must be a multiple of the cipher block size.
+ * Allocate buffers for the encrypted and decrypted data.
+ * Both buffers' sizes must be a multiple of the cipher block
+ * size, and the output buffer must be separate from the input
+ * buffer.
*/
block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
- output_buffer_size = len + (block_size - len % block_size);
- output_buffer = (u_char *)malloc(output_buffer_size);
+ buffer_size = len + (block_size - len % block_size);
+
+ /*
+ * Attempt to allocate the input buffer.
+ */
+ input_buffer = (u_char *)malloc(buffer_size);
+ if (input_buffer == NULL) {
+ (*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
+ EVP_CIPHER_CTX_free(ctx);
+ return 0;
+ }
+ /*
+ * Copy the input data to the encrypted data buffer, and pad it
+ * with zeroes.
+ */
+ memcpy(input_buffer, buf, len);
+ memset(input_buffer + len, 0, buffer_size - len);
+
+ /*
+ * Attempt to allocate the output buffer.
+ */
+ output_buffer = (u_char *)malloc(buffer_size);
if (output_buffer == NULL) {
(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
+ free(input_buffer);
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
return 0; (*ndo->ndo_error)(ndo, "can't allocate memory for encrypted data buffer");
+ return 0;
} }
- EVP_Cipher(ctx, output_buffer, buf, len); /*
* Copy the input data to the encrypted data buffer, and pad it
@@ -259,7 +260,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
EVP_CIPHER_CTX_free(ctx);
(*ndo->ndo_error)(ndo, "can't allocate memory for decryption buffer");
}
- EVP_Cipher(ctx, output_buffer, input_buffer, len);
+ EVP_Cipher(ctx, output_buffer, input_buffer, buffer_size); + EVP_Cipher(ctx, output_buffer, input_buffer, buffer_size);
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
/* /*
@@ -249,6 +272,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, @@ -815,6 +816,7 @@ esp_print(netdissect_options *ndo,
* but changing this would require a more complicated fix. if (input_buffer == NULL) {
*/ EVP_CIPHER_CTX_free(ctx);
memcpy(buf, output_buffer, len); (*ndo->ndo_error)(ndo, "can't allocate memory for encrypted data buffer");
+ free(input_buffer);
free(output_buffer);
ndo->ndo_packetp = buf;
@@ -666,8 +690,8 @@ esp_print(netdissect_options *ndo,
const u_char *ivoff;
const u_char *p;
EVP_CIPHER_CTX *ctx;
- unsigned int block_size, output_buffer_size;
- u_char *output_buffer;
+ unsigned int block_size, buffer_size;
+ u_char *input_buffer, *output_buffer;
#endif
esp = (const struct newesp *)bp;
@@ -784,21 +808,43 @@ esp_print(netdissect_options *ndo,
len = ep - (p + ivlen);
/*
- * Allocate a buffer for the decrypted data.
- * The output buffer must be separate from the
- * input buffer, and its size must be a multiple
- * of the cipher block size.
+ * Allocate buffers for the encrypted and decrypted
+ * data. Both buffers' sizes must be a multiple of
+ * the cipher block size, and the output buffer must
+ * be separate from the input buffer.
*/
block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
- output_buffer_size = len + (block_size - len % block_size);
- output_buffer = (u_char *)malloc(output_buffer_size);
+ buffer_size = len + (block_size - len % block_size);
+
+ /*
+ * Attempt to allocate the input buffer.
+ */
+ input_buffer = (u_char *)malloc(buffer_size);
+ if (input_buffer == NULL) {
+ (*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
+ EVP_CIPHER_CTX_free(ctx);
+ return 0; + return 0;
+ }
+ /*
+ * Copy the input data to the encrypted data buffer,
+ * and pad it with zeroes.
+ */
+ memcpy(input_buffer, p + ivlen, len);
+ memset(input_buffer + len, 0, buffer_size - len);
+
+ /*
+ * Attempt to allocate the output buffer.
+ */
+ output_buffer = (u_char *)malloc(buffer_size);
if (output_buffer == NULL) {
(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
+ free(input_buffer);
EVP_CIPHER_CTX_free(ctx);
return -1;
} }
- EVP_Cipher(ctx, output_buffer, p + ivlen, len);
+ EVP_Cipher(ctx, output_buffer, input_buffer, len);
+ free(input_buffer);
EVP_CIPHER_CTX_free(ctx);
/* /*
* XXX - of course this is wrong, because buf is a * Copy the input data to the encrypted data buffer,

View File

@ -1,3 +1,3 @@
SHA512 (tcpslice-1.2a3.tar.gz) = 04e12d592807022c78eb4941580ed103995680c69af885bb8f13828a12ec570f7fe93c34c1b20a01d3d99f445d5da17a1fcfbe25b2e3b41abe28304c034654c5 SHA512 (tcpslice-1.2a3.tar.gz) = 04e12d592807022c78eb4941580ed103995680c69af885bb8f13828a12ec570f7fe93c34c1b20a01d3d99f445d5da17a1fcfbe25b2e3b41abe28304c034654c5
SHA512 (tcpdump-4.9.2.tar.gz.sig) = 76a41de2fc414018e01a9177e6946d9792fa8ded575ec264c7eb67a036bcdad3f451aa76e7b611430b8dd55de2403977c990e00f8b735aa8e6e4395463c8b1a6 SHA512 (tcpdump-4.9.3.tar.gz) = 22354dbbf6ab3f7519035b41702a8dc93472dc808e88e76414a06dd69eca822e3d6b94ec608cfeffe25572125757824e97e6a4a7ec81d45e990429e8faf774cb
SHA512 (tcpdump-4.9.2.tar.gz) = e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b SHA512 (tcpdump-4.9.3.tar.gz.sig) = b8b189a522b924c717c30f09a9d60ede76cfbb0ffc6cd185fec1887230d06117663b6f55e7489c0e34b744a89e05e78509ca8a1551a94f6e091cbafc643b0c8c

View File

@ -1,8 +1,8 @@
Summary: A network traffic monitoring tool Summary: A network traffic monitoring tool
Name: tcpdump Name: tcpdump
Epoch: 14 Epoch: 14
Version: 4.9.2 Version: 4.9.3
Release: 9%{?dist} Release: 1%{?dist}
License: BSD with advertising License: BSD with advertising
URL: http://www.tcpdump.org URL: http://www.tcpdump.org
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -12,16 +12,13 @@ Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz
Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz
Source2: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz.sig Source2: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz.sig
Patch0001: 0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
Patch0002: 0002-Use-getnameinfo-instead-of-gethostbyaddr.patch Patch0002: 0002-Use-getnameinfo-instead-of-gethostbyaddr.patch
Patch0003: 0003-Drop-root-priviledges-before-opening-first-savefile-.patch Patch0003: 0003-Drop-root-priviledges-before-opening-first-savefile-.patch
Patch0004: 0004-tcpslice-update-tcpslice-patch-to-1.2a3.patch Patch0004: 0004-tcpslice-update-tcpslice-patch-to-1.2a3.patch
Patch0005: 0005-tcpslice-remove-unneeded-include.patch Patch0005: 0005-tcpslice-remove-unneeded-include.patch
Patch0006: 0006-tcpslice-don-t-test-the-pointer-but-pointee-for-NULL.patch Patch0006: 0006-tcpslice-don-t-test-the-pointer-but-pointee-for-NULL.patch
Patch0007: 0007-Introduce-nn-option.patch Patch0007: 0007-Introduce-nn-option.patch
Patch0008: 0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch
Patch0010: 0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
Patch0011: 0011-Evp-cipher-buffers.patch Patch0011: 0011-Evp-cipher-buffers.patch
Patch0012: 0012-Add-printing-support-for-vsockmon-devices.patch Patch0012: 0012-Add-printing-support-for-vsockmon-devices.patch
@ -88,6 +85,10 @@ exit 0
%{_mandir}/man8/tcpdump.8* %{_mandir}/man8/tcpdump.8*
%changelog %changelog
* Tue Oct 15 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.3-1
- New version 4.9.3
- Fixes CVE-2017-16808, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14466, CVE-2018-14461, CVE-2018-14462, CVE-2018-14465, CVE-2018-14881, CVE-2018-14464, CVE-2018-14463, CVE-2018-14467, CVE-2018-10103, CVE-2018-10105, CVE-2018-14880, CVE-2018-16451, CVE-2018-14882, CVE-2018-16227, CVE-2018-16229, CVE-2018-16301, CVE-2018-16230, CVE-2018-16452, CVE-2018-16300, CVE-2018-16228, CVE-2019-15166, CVE-2019-15167
* Mon Sep 16 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.2-9 * Mon Sep 16 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.2-9
- Adding getent to pre scriptlet to avoid audit messages (rhbz#1715420) - Adding getent to pre scriptlet to avoid audit messages (rhbz#1715420)