import tcpdump-4.9.3-1.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/tcpdump-4.9.2.tar.gz
+SOURCES/tcpdump-4.9.3.tar.gz
 SOURCES/tcpslice-1.2a3.tar.gz

.tcpdump.metadata

@@ -1,2 +1,2 @@
-f7dccebe94c3d07ac8744d43297ea2b98b35a13f SOURCES/tcpdump-4.9.2.tar.gz
+59b309f3620ac4b709de2eaf7bf3a83bf04bc048 SOURCES/tcpdump-4.9.3.tar.gz
 98790301cb1bf4399a95153bc62d49b3f5808994 SOURCES/tcpslice-1.2a3.tar.gz

SOURCES/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch

@@ -1,26 +0,0 @@
-From f19e0376b8e98b38240d28eb9e6f78c465bb1c6e Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 20 Oct 2014 13:34:24 +0200
-Subject: [PATCH 1/8] icmp6: print Reachable Time and Retransmit Time from
- ICMPv6 as milliseconds
-
----
- print-icmp6.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/print-icmp6.c b/print-icmp6.c
-index 7fe639d..cfaa2df 100644
---- a/print-icmp6.c
-+++ b/print-icmp6.c
-@@ -1034,7 +1034,7 @@ icmp6_print(netdissect_options *ndo,
- 			p = (const struct nd_router_advert *)dp;
- 			ND_TCHECK(p->nd_ra_retransmit);
- 			ND_PRINT((ndo,"\n\thop limit %u, Flags [%s]" \
--                                  ", pref %s, router lifetime %us, reachable time %us, retrans time %us",
-+                                  ", pref %s, router lifetime %us, reachable time %ums, retrans time %ums",
-                                   (u_int)p->nd_ra_curhoplimit,
-                                   bittok2str(icmp6_opt_ra_flag_values,"none",(p->nd_ra_flags_reserved)),
-                                   get_rtpref(p->nd_ra_flags_reserved),
--- 
-2.9.3
-

SOURCES/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch

@@ -1,36 +0,0 @@
-From d5508c13119404102104a3935e7445c9fddf79b5 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Fri, 3 Feb 2017 09:43:03 +0100
-Subject: [PATCH 8/8] Don't print out we dropped root, we are always dropping
- it
-
----
- tcpdump.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/tcpdump.c b/tcpdump.c
-index 29f7f87..18c4a5c 100644
---- a/tcpdump.c
-+++ b/tcpdump.c
-@@ -618,8 +618,6 @@ droproot(const char *username, const char *chroot_dir)
- 			int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
- 			if (ret < 0) {
- 				fprintf(stderr, "error : ret %d\n", ret);
--			} else {
--				fprintf(stderr, "dropped privs to %s\n", username);
- 			}
- 		}
- #else
-@@ -632,9 +630,6 @@ droproot(const char *username, const char *chroot_dir)
- 				pcap_strerror(errno));
- 			exit_tcpdump(1);
- 		}
--		else {
--			fprintf(stderr, "dropped privs to %s\n", username);
--		}
- #endif /* HAVE_LIBCAP_NG */
- 	}
- 	else {
--- 
-2.9.3
-

SOURCES/0009-Change-n-flag-to-nn-in-TESTonce.patch

@@ -10,18 +10,15 @@ flag than upstream does. We use -nn in those cases.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/tests/TESTonce b/tests/TESTonce
-index 7026624..e348701 100755
+index 425abaa..81283d9 100755
 --- a/tests/TESTonce
 +++ b/tests/TESTonce
-@@ -21,7 +21,7 @@ if ($^O eq 'MSWin32') {
+@@ -43,7 +43,7 @@ if ($^O eq 'MSWin32') {
  else {
      # we used to do this as a nice pipeline, but the problem is that $r fails to
      # to be set properly if the tcpdump core dumps.
--    $r = system "../tcpdump 2>/dev/null -n -t -r $input $options >NEW/$output";
-+    $r = system "../tcpdump 2>/dev/null -nn -t -r $input $options >NEW/$output";
-     if($r != 0) {
-         # this means tcpdump failed.
-         open(OUTPUT, ">>"."NEW/$output") || die "fail to open $output\n";
--- 
-2.13.5
-
+-    $cmd = "$TCPDUMP 2>${rawstderrlog} -t -n -r $input $options >tests/NEW/${outputbase}";
++    $cmd = "$TCPDUMP 2>${rawstderrlog} -t -nn -r $input $options >tests/NEW/${outputbase}";
+     print "CMD: $cmd\n" if $debug;
+     $r = system $cmd;
+     if($r == -1) {

SOURCES/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch

@@ -1,45 +0,0 @@
-From 0ae4aa1881bbe40443bff802b5e4aa6ca0696dd9 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 11 Apr 2017 09:37:53 +0200
-Subject: [PATCH 10/13] Expect miliseconds instead of seconds in icmp capture.
-
-Again this is caused by our patch, so we need to modify tests
-accordingly.
----
- tests/icmpv6.out         | 2 +-
- tests/icmpv6_opt24-v.out | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/icmpv6.out b/tests/icmpv6.out
-index bb7775e..8979540 100644
---- a/tests/icmpv6.out
-+++ b/tests/icmpv6.out
-@@ -1,5 +1,5 @@
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::b299:28ff:fec8:d66c > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
--	hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0s, retrans time 0s
-+	hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0ms, retrans time 0ms
- 	  prefix info option (3), length 32 (4): 2222:3333:4444:5555:6600::/72, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
- 	    0x0000:  48c0 0027 8d00 0009 3a80 0000 0000 2222
- 	    0x0010:  3333 4444 5555 6600 0000 0000 0000
-diff --git a/tests/icmpv6_opt24-v.out b/tests/icmpv6_opt24-v.out
-index 2b7cf09..00512df 100644
---- a/tests/icmpv6_opt24-v.out
-+++ b/tests/icmpv6_opt24-v.out
-@@ -1,5 +1,5 @@
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
--	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
-+	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
- 	  source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
- 	  mtu option (5), length 8 (1):  1500
- 	  prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
-@@ -7,7 +7,7 @@ IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87
- 	  rdnss option (25), length 24 (3):  lifetime 1800s, addr: fd8d:4fb3:5b2e::1
- 	  dnssl option (31), length 16 (2):  lifetime 1800s, domain(s): lan.
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
--	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
-+	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
- 	  source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
- 	  mtu option (5), length 8 (1):  1500
- 	  prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
--- 
-2.13.5

SOURCES/0011-Evp-cipher-buffers.patch

@@ -1,133 +1,13 @@
 diff --git a/print-esp.c b/print-esp.c
-index 511ee8a3..5b282526 100644
+index 6fabff1..cdeca9d 100644
 --- a/print-esp.c
 +++ b/print-esp.c
-@@ -192,8 +192,8 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 	const u_char *iv;
- 	unsigned int len;
- 	EVP_CIPHER_CTX *ctx;
--	unsigned int block_size, output_buffer_size;
--	u_char *output_buffer;
-+	unsigned int block_size, buffer_size;
-+	u_char *input_buffer, *output_buffer;
- 
- 	/* initiator arg is any non-zero value */
- 	if(initiator) initiator=1;
-@@ -228,19 +228,41 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 		(*ndo->ndo_warning)(ndo, "espkey init failed");
- 	set_cipher_parameters(ctx, NULL, NULL, iv, 0);
- 	/*
--	 * Allocate a buffer for the decrypted data.
--	 * The output buffer must be separate from the input buffer, and
--	 * its size must be a multiple of the cipher block size.
-+	 * Allocate buffers for the encrypted and decrypted data.
-+	 * Both buffers' sizes must be a multiple of the cipher block
-+	 * size, and the output buffer must be separate from the input
-+	 * buffer.
- 	 */
- 	block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
--	output_buffer_size = len + (block_size - len % block_size);
--	output_buffer = (u_char *)malloc(output_buffer_size);
-+	buffer_size = len + (block_size - len % block_size);
-+
-+	/*
-+	 * Attempt to allocate the input buffer.
-+	 */
-+	input_buffer = (u_char *)malloc(buffer_size);
-+	if (input_buffer == NULL) {
-+		(*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 0;
-+	}
-+	/*
-+	 * Copy the input data to the encrypted data buffer, and pad it
-+	 * with zeroes.
-+	 */
-+	memcpy(input_buffer, buf, len);
-+	memset(input_buffer + len, 0, buffer_size - len);
-+
-+	/*
-+	 * Attempt to allocate the output buffer.
-+	 */
-+	output_buffer = (u_char *)malloc(buffer_size);
- 	if (output_buffer == NULL) {
- 		(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
-+		free(input_buffer);
+@@ -259,7 +259,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
  		EVP_CIPHER_CTX_free(ctx);
- 		return 0;
+ 		(*ndo->ndo_error)(ndo, "can't allocate memory for decryption buffer");
  	}
--	EVP_Cipher(ctx, output_buffer, buf, len);
+-	EVP_Cipher(ctx, output_buffer, input_buffer, len);
 +	EVP_Cipher(ctx, output_buffer, input_buffer, buffer_size);
  	EVP_CIPHER_CTX_free(ctx);
  
  	/*
-@@ -249,6 +272,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 	 * but changing this would require a more complicated fix.
- 	 */
- 	memcpy(buf, output_buffer, len);
-+	free(input_buffer);
- 	free(output_buffer);
- 
- 	ndo->ndo_packetp = buf;
-@@ -666,8 +690,8 @@ esp_print(netdissect_options *ndo,
- 	const u_char *ivoff;
- 	const u_char *p;
- 	EVP_CIPHER_CTX *ctx;
--	unsigned int block_size, output_buffer_size;
--	u_char *output_buffer;
-+	unsigned int block_size, buffer_size;
-+	u_char *input_buffer, *output_buffer;
- #endif
- 
- 	esp = (const struct newesp *)bp;
-@@ -784,21 +808,43 @@ esp_print(netdissect_options *ndo,
- 			len = ep - (p + ivlen);
- 
- 			/*
--			 * Allocate a buffer for the decrypted data.
--			 * The output buffer must be separate from the
--			 * input buffer, and its size must be a multiple
--			 * of the cipher block size.
-+			 * Allocate buffers for the encrypted and decrypted
-+			 * data.  Both buffers' sizes must be a multiple of
-+			 * the cipher block size, and the output buffer must
-+			 * be separate from the input buffer.
- 			 */
- 			block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
--			output_buffer_size = len + (block_size - len % block_size);
--			output_buffer = (u_char *)malloc(output_buffer_size);
-+			buffer_size = len + (block_size - len % block_size);
-+
-+			/*
-+			 * Attempt to allocate the input buffer.
-+			 */
-+			input_buffer = (u_char *)malloc(buffer_size);
-+			if (input_buffer == NULL) {
-+				(*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
-+				EVP_CIPHER_CTX_free(ctx);
-+				return 0;
-+			}
-+			/*
-+			 * Copy the input data to the encrypted data buffer,
-+			 * and pad it with zeroes.
-+			 */
-+			memcpy(input_buffer, p + ivlen, len);
-+			memset(input_buffer + len, 0, buffer_size - len);
-+
-+			/*
-+			 * Attempt to allocate the output buffer.
-+			 */
-+			output_buffer = (u_char *)malloc(buffer_size);
- 			if (output_buffer == NULL) {
- 				(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
-+				free(input_buffer);
- 				EVP_CIPHER_CTX_free(ctx);
- 				return -1;
- 			}
- 
--			EVP_Cipher(ctx, output_buffer, p + ivlen, len);
-+			EVP_Cipher(ctx, output_buffer, input_buffer, len);
-+			free(input_buffer);
- 			EVP_CIPHER_CTX_free(ctx);
- 			/*
- 			 * XXX - of course this is wrong, because buf is a

SOURCES/0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch

@@ -1,26 +0,0 @@
-From bbae61cda27b8d565456c95a697d9e7ed3298937 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 8 Oct 2019 14:32:32 +0200
-Subject: [PATCH] 
- 0015-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
-
----
- print-hncp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/print-hncp.c b/print-hncp.c
-index 11a6a93..7537a0d 100644
---- a/print-hncp.c
-+++ b/print-hncp.c
-@@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
-         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
-     } else {
-         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
-+        if (plenbytes < 0)
-+            return plenbytes;
-     }
- 
-     ND_PRINT((ndo, "%s", buf));
--- 
-2.21.0
-

SPECS/tcpdump.spec

@@ -1,8 +1,8 @@
 Summary: A network traffic monitoring tool
 Name: tcpdump
 Epoch: 14
-Version: 4.9.2
-Release: 6%{?dist}
+Version: 4.9.3
+Release: 1%{?dist}
 License: BSD with advertising
 URL: http://www.tcpdump.org
 Group: Applications/Internet
@@ -13,20 +13,16 @@ Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz
 Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz
 Source2: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz.sig
 
-Patch0001:      0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
 Patch0002:      0002-Use-getnameinfo-instead-of-gethostbyaddr.patch
 Patch0003:      0003-Drop-root-priviledges-before-opening-first-savefile-.patch
 Patch0004:      0004-tcpslice-update-tcpslice-patch-to-1.2a3.patch
 Patch0005:      0005-tcpslice-remove-unneeded-include.patch
 Patch0006:      0006-tcpslice-don-t-test-the-pointer-but-pointee-for-NULL.patch
 Patch0007:      0007-Introduce-nn-option.patch
-Patch0008:      0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
 Patch0009:      0009-Change-n-flag-to-nn-in-TESTonce.patch
-Patch0010:      0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
 Patch0011:      0011-Evp-cipher-buffers.patch
 Patch0012:      0012-Add-printing-support-for-vsockmon-devices.patch
 Patch0013:      0013-tcpslice-stdlib.patch
-Patch0014:      0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
 
 %define tcpslice_dir tcpslice-1.2a3
 
@@ -92,6 +88,9 @@ exit 0
 %{_mandir}/man8/tcpdump.8*
 
 %changelog
+* Thu May 07 2020 Michal Ruprich <michalruprich@gmail.com> - 14:4.9.3-1
+- Resolves: #1804063 - Rebase tcpdump to 4.9.3 to fix multiple CVEs
+
 * Tue Oct 29 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.2-6
 - Resolves: #1715423 - tcpdump pre creates user and groups unconditionally
 - Resolves: #1655622 - CVE-2018-19519 Stack-based buffer over-read in print-hncp.c:print_prefix() via crafted pcap