New version 4.9.3

Fixes CVE-2017-16808, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14466, CVE-2018-14461, CVE-2018-14462, CVE-2018-14465, CVE-2018-14881, CVE-2018-14464, CVE-2018-14463, CVE-2018-14467, CVE-2018-10103, CVE-2018-10105, CVE-2018-14880, CVE-2018-16451, CVE-2018-14882, CVE-2018-16227, CVE-2018-16229, CVE-2018-16301, CVE-2018-16230, CVE-2018-16452, CVE-2018-16300, CVE-2018-16228, CVE-2019-15166, CVE-2019-15167
2019-10-15 15:06:02 +02:00 · 2019-10-15 15:06:02 +02:00 · 40612b3036
commit 40612b3036
parent 75ba4869e0
8 changed files with 34 additions and 245 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,5 @@ tcpdump-4.1.1.tar.gz
 /tcpdump-4.9.1.tar.gz
 /tcpdump-4.9.2.tar.gz.sig
 /tcpdump-4.9.2.tar.gz
+/tcpdump-4.9.3.tar.gz
+/tcpdump-4.9.3.tar.gz.sig
--- a/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
+++ b/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
@ -1,26 +0,0 @@
-From f19e0376b8e98b38240d28eb9e6f78c465bb1c6e Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 20 Oct 2014 13:34:24 +0200
-Subject: [PATCH 1/8] icmp6: print Reachable Time and Retransmit Time from
- ICMPv6 as milliseconds
-
---
- print-icmp6.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/print-icmp6.c b/print-icmp6.c
-index 7fe639d..cfaa2df 100644
--- a/print-icmp6.c
-+++ b/print-icmp6.c
-@@ -1034,7 +1034,7 @@ icmp6_print(netdissect_options *ndo,
- 			p = (const struct nd_router_advert *)dp;
- 			ND_TCHECK(p->nd_ra_retransmit);
- 			ND_PRINT((ndo,"\n\thop limit %u, Flags [%s]" \
-                                  ", pref %s, router lifetime %us, reachable time %us, retrans time %us",
-+                                  ", pref %s, router lifetime %us, reachable time %ums, retrans time %ums",
-                                   (u_int)p->nd_ra_curhoplimit,
-                                   bittok2str(icmp6_opt_ra_flag_values,"none",(p->nd_ra_flags_reserved)),
-                                   get_rtpref(p->nd_ra_flags_reserved),
-- 
-2.9.3
-
--- a/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
+++ b/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
@ -1,36 +0,0 @@
-From d5508c13119404102104a3935e7445c9fddf79b5 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Fri, 3 Feb 2017 09:43:03 +0100
-Subject: [PATCH 8/8] Don't print out we dropped root, we are always dropping
- it
-
---
- tcpdump.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/tcpdump.c b/tcpdump.c
-index 29f7f87..18c4a5c 100644
--- a/tcpdump.c
-+++ b/tcpdump.c
-@@ -618,8 +618,6 @@ droproot(const char *username, const char *chroot_dir)
- 			int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
- 			if (ret < 0) {
- 				fprintf(stderr, "error : ret %d\n", ret);
-			} else {
-				fprintf(stderr, "dropped privs to %s\n", username);
- 			}
- 		}
- #else
-@@ -632,9 +630,6 @@ droproot(const char *username, const char *chroot_dir)
- 				pcap_strerror(errno));
- 			exit_tcpdump(1);
- 		}
-		else {
-			fprintf(stderr, "dropped privs to %s\n", username);
-		}
- #endif /* HAVE_LIBCAP_NG */
- 	}
- 	else {
-- 
-2.9.3
-
--- a/0009-Change-n-flag-to-nn-in-TESTonce.patch
+++ b/0009-Change-n-flag-to-nn-in-TESTonce.patch
@ -10,18 +10,15 @@ flag than upstream does. We use -nn in those cases.
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/tests/TESTonce b/tests/TESTonce
-index 7026624..e348701 100755
+index 425abaa..81283d9 100755
 --- a/tests/TESTonce
 +++ b/tests/TESTonce
-@@ -21,7 +21,7 @@ if ($^O eq 'MSWin32') {
+@@ -43,7 +43,7 @@ if ($^O eq 'MSWin32') {
 else {
     # we used to do this as a nice pipeline, but the problem is that $r fails to
     # to be set properly if the tcpdump core dumps.
-    $r = system "../tcpdump 2>/dev/null -n -t -r $input $options >NEW/$output";
-+    $r = system "../tcpdump 2>/dev/null -nn -t -r $input $options >NEW/$output";
-     if($r != 0) {
-         # this means tcpdump failed.
-         open(OUTPUT, ">>"."NEW/$output") || die "fail to open $output\n";
-- 
-2.13.5
-
+-    $cmd = "$TCPDUMP 2>${rawstderrlog} -t -n -r $input $options >tests/NEW/${outputbase}";
+    $cmd = "$TCPDUMP 2>${rawstderrlog} -t -nn -r $input $options >tests/NEW/${outputbase}";
+     print "CMD: $cmd\n" if $debug;
+     $r = system $cmd;
+     if($r == -1) {
--- a/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
+++ b/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
@ -1,45 +0,0 @@
-From 0ae4aa1881bbe40443bff802b5e4aa6ca0696dd9 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 11 Apr 2017 09:37:53 +0200
-Subject: [PATCH 10/13] Expect miliseconds instead of seconds in icmp capture.
-
-Again this is caused by our patch, so we need to modify tests
-accordingly.
---
- tests/icmpv6.out         | 2 +-
- tests/icmpv6_opt24-v.out | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/icmpv6.out b/tests/icmpv6.out
-index bb7775e..8979540 100644
--- a/tests/icmpv6.out
-+++ b/tests/icmpv6.out
-@@ -1,5 +1,5 @@
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::b299:28ff:fec8:d66c > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
-	hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0s, retrans time 0s
-+	hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0ms, retrans time 0ms
- 	  prefix info option (3), length 32 (4): 2222:3333:4444:5555:6600::/72, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
- 	    0x0000:  48c0 0027 8d00 0009 3a80 0000 0000 2222
- 	    0x0010:  3333 4444 5555 6600 0000 0000 0000
-diff --git a/tests/icmpv6_opt24-v.out b/tests/icmpv6_opt24-v.out
-index 2b7cf09..00512df 100644
--- a/tests/icmpv6_opt24-v.out
-+++ b/tests/icmpv6_opt24-v.out
-@@ -1,5 +1,5 @@
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
-	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
-+	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
- 	  source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
- 	  mtu option (5), length 8 (1):  1500
- 	  prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
-@@ -7,7 +7,7 @@ IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87
- 	  rdnss option (25), length 24 (3):  lifetime 1800s, addr: fd8d:4fb3:5b2e::1
- 	  dnssl option (31), length 16 (2):  lifetime 1800s, domain(s): lan.
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
-	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
-+	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
- 	  source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
- 	  mtu option (5), length 8 (1):  1500
- 	  prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
-- 
-2.13.5
--- a/0011-Evp-cipher-buffers.patch
+++ b/0011-Evp-cipher-buffers.patch
@ -1,133 +1,29 @@
 diff --git a/print-esp.c b/print-esp.c
-index 511ee8a3..5b282526 100644
+index 6fabff1..5818cc8 100644
 --- a/print-esp.c
 +++ b/print-esp.c
-@@ -192,8 +192,8 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 	const u_char *iv;
- 	unsigned int len;
- 	EVP_CIPHER_CTX *ctx;
-	unsigned int block_size, output_buffer_size;
-	u_char *output_buffer;
-+	unsigned int block_size, buffer_size;
-+	u_char *input_buffer, *output_buffer;
- 
- 	/* initiator arg is any non-zero value */
- 	if(initiator) initiator=1;
-@@ -228,19 +228,41 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 		(*ndo->ndo_warning)(ndo, "espkey init failed");
- 	set_cipher_parameters(ctx, NULL, NULL, iv, 0);
- 	/*
-	 * Allocate a buffer for the decrypted data.
-	 * The output buffer must be separate from the input buffer, and
-	 * its size must be a multiple of the cipher block size.
-+	 * Allocate buffers for the encrypted and decrypted data.
-+	 * Both buffers' sizes must be a multiple of the cipher block
-+	 * size, and the output buffer must be separate from the input
-+	 * buffer.
- 	 */
- 	block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
-	output_buffer_size = len + (block_size - len % block_size);
-	output_buffer = (u_char *)malloc(output_buffer_size);
-+	buffer_size = len + (block_size - len % block_size);
-+
-+	/*
-+	 * Attempt to allocate the input buffer.
-+	 */
-+	input_buffer = (u_char *)malloc(buffer_size);
-+	if (input_buffer == NULL) {
-+		(*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 0;
-+	}
-+	/*
-+	 * Copy the input data to the encrypted data buffer, and pad it
-+	 * with zeroes.
-+	 */
-+	memcpy(input_buffer, buf, len);
-+	memset(input_buffer + len, 0, buffer_size - len);
-+
-+	/*
-+	 * Attempt to allocate the output buffer.
-+	 */
-+	output_buffer = (u_char *)malloc(buffer_size);
- 	if (output_buffer == NULL) {
- 		(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
-+		free(input_buffer);
+@@ -242,6 +242,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
+ 	if (input_buffer == NULL) {
 		EVP_CIPHER_CTX_free(ctx);
- 		return 0;
+ 		(*ndo->ndo_error)(ndo, "can't allocate memory for encrypted data buffer");
+		return 0;
 	}
-	EVP_Cipher(ctx, output_buffer, buf, len);
+ 	/*
+ 	 * Copy the input data to the encrypted data buffer, and pad it
+@@ -259,7 +260,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
+ 		EVP_CIPHER_CTX_free(ctx);
+ 		(*ndo->ndo_error)(ndo, "can't allocate memory for decryption buffer");
+ 	}
+-	EVP_Cipher(ctx, output_buffer, input_buffer, len);
 +	EVP_Cipher(ctx, output_buffer, input_buffer, buffer_size);
 	EVP_CIPHER_CTX_free(ctx);
 
 	/*
-@@ -249,6 +272,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 	 * but changing this would require a more complicated fix.
- 	 */
- 	memcpy(buf, output_buffer, len);
-+	free(input_buffer);
- 	free(output_buffer);
- 
- 	ndo->ndo_packetp = buf;
-@@ -666,8 +690,8 @@ esp_print(netdissect_options *ndo,
- 	const u_char *ivoff;
- 	const u_char *p;
- 	EVP_CIPHER_CTX *ctx;
-	unsigned int block_size, output_buffer_size;
-	u_char *output_buffer;
-+	unsigned int block_size, buffer_size;
-+	u_char *input_buffer, *output_buffer;
- #endif
- 
- 	esp = (const struct newesp *)bp;
-@@ -784,21 +808,43 @@ esp_print(netdissect_options *ndo,
- 			len = ep - (p + ivlen);
- 
- 			/*
-			 * Allocate a buffer for the decrypted data.
-			 * The output buffer must be separate from the
-			 * input buffer, and its size must be a multiple
-			 * of the cipher block size.
-+			 * Allocate buffers for the encrypted and decrypted
-+			 * data.  Both buffers' sizes must be a multiple of
-+			 * the cipher block size, and the output buffer must
-+			 * be separate from the input buffer.
- 			 */
- 			block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
-			output_buffer_size = len + (block_size - len % block_size);
-			output_buffer = (u_char *)malloc(output_buffer_size);
-+			buffer_size = len + (block_size - len % block_size);
-+
-+			/*
-+			 * Attempt to allocate the input buffer.
-+			 */
-+			input_buffer = (u_char *)malloc(buffer_size);
-+			if (input_buffer == NULL) {
-+				(*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
-+				EVP_CIPHER_CTX_free(ctx);
+@@ -815,6 +816,7 @@ esp_print(netdissect_options *ndo,
+ 			if (input_buffer == NULL) {
+ 				EVP_CIPHER_CTX_free(ctx);
+ 				(*ndo->ndo_error)(ndo, "can't allocate memory for encrypted data buffer");
 +				return 0;
-+			}
-+			/*
-+			 * Copy the input data to the encrypted data buffer,
-+			 * and pad it with zeroes.
-+			 */
-+			memcpy(input_buffer, p + ivlen, len);
-+			memset(input_buffer + len, 0, buffer_size - len);
-+
-+			/*
-+			 * Attempt to allocate the output buffer.
-+			 */
-+			output_buffer = (u_char *)malloc(buffer_size);
- 			if (output_buffer == NULL) {
- 				(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
-+				free(input_buffer);
- 				EVP_CIPHER_CTX_free(ctx);
- 				return -1;
 			}
- 
-			EVP_Cipher(ctx, output_buffer, p + ivlen, len);
-+			EVP_Cipher(ctx, output_buffer, input_buffer, len);
-+			free(input_buffer);
- 			EVP_CIPHER_CTX_free(ctx);
 			/*
- 			 * XXX - of course this is wrong, because buf is a
+ 			 * Copy the input data to the encrypted data buffer,
--- a/4
+++ b/4
@ -1,3 +1,3 @@
 SHA512 (tcpslice-1.2a3.tar.gz) = 04e12d592807022c78eb4941580ed103995680c69af885bb8f13828a12ec570f7fe93c34c1b20a01d3d99f445d5da17a1fcfbe25b2e3b41abe28304c034654c5
-SHA512 (tcpdump-4.9.2.tar.gz.sig) = 76a41de2fc414018e01a9177e6946d9792fa8ded575ec264c7eb67a036bcdad3f451aa76e7b611430b8dd55de2403977c990e00f8b735aa8e6e4395463c8b1a6
-SHA512 (tcpdump-4.9.2.tar.gz) = e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b
+SHA512 (tcpdump-4.9.3.tar.gz) = 22354dbbf6ab3f7519035b41702a8dc93472dc808e88e76414a06dd69eca822e3d6b94ec608cfeffe25572125757824e97e6a4a7ec81d45e990429e8faf774cb
+SHA512 (tcpdump-4.9.3.tar.gz.sig) = b8b189a522b924c717c30f09a9d60ede76cfbb0ffc6cd185fec1887230d06117663b6f55e7489c0e34b744a89e05e78509ca8a1551a94f6e091cbafc643b0c8c
--- a/tcpdump.spec
+++ b/tcpdump.spec
@ -1,8 +1,8 @@
 Summary: A network traffic monitoring tool
 Name: tcpdump
 Epoch: 14
-Version: 4.9.2
-Release: 9%{?dist}
+Version: 4.9.3
+Release: 1%{?dist}
 License: BSD with advertising
 URL: http://www.tcpdump.org
 Requires(pre): shadow-utils
@ -12,16 +12,13 @@ Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz
 Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz
 Source2: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz.sig

-Patch0001:      0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
 Patch0002:      0002-Use-getnameinfo-instead-of-gethostbyaddr.patch
 Patch0003:      0003-Drop-root-priviledges-before-opening-first-savefile-.patch
 Patch0004:      0004-tcpslice-update-tcpslice-patch-to-1.2a3.patch
 Patch0005:      0005-tcpslice-remove-unneeded-include.patch
 Patch0006:      0006-tcpslice-don-t-test-the-pointer-but-pointee-for-NULL.patch
 Patch0007:      0007-Introduce-nn-option.patch
-Patch0008:      0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
 Patch0009:      0009-Change-n-flag-to-nn-in-TESTonce.patch
-Patch0010:      0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
 Patch0011:      0011-Evp-cipher-buffers.patch
 Patch0012:      0012-Add-printing-support-for-vsockmon-devices.patch

@ -88,6 +85,10 @@ exit 0
 %{_mandir}/man8/tcpdump.8*

 %changelog
+* Tue Oct 15 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.3-1
+- New version 4.9.3
+- Fixes CVE-2017-16808, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14466, CVE-2018-14461, CVE-2018-14462, CVE-2018-14465, CVE-2018-14881, CVE-2018-14464, CVE-2018-14463, CVE-2018-14467, CVE-2018-10103, CVE-2018-10105, CVE-2018-14880, CVE-2018-16451, CVE-2018-14882, CVE-2018-16227, CVE-2018-16229, CVE-2018-16301, CVE-2018-16230, CVE-2018-16452, CVE-2018-16300, CVE-2018-16228, CVE-2019-15166, CVE-2019-15167
+
 * Mon Sep 16 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.2-9
 - Adding getent to pre scriptlet to avoid audit messages (rhbz#1715420)