fix improper command line parsing (CVE-2023-46316)

Resolves: RHEL-14756
This commit is contained in:
Jan Macku 2023-10-30 13:03:27 +01:00
parent df7008d2f1
commit cd04ed6853
2 changed files with 74 additions and 4 deletions

View File

@ -0,0 +1,68 @@
From 9a605da8a6c72f0f52f505f38adb3133b7e726f8 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Mon, 30 Oct 2023 12:55:43 +0100
Subject: [PATCH] Fix command line parsing in wrappers
Resolves: CVE-2023-46316
---
wrappers/tcptraceroute | 2 +-
wrappers/tracepath | 2 +-
wrappers/traceproto | 2 +-
wrappers/traceroute-nanog | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/wrappers/tcptraceroute b/wrappers/tcptraceroute
index b4fc810..9063886 100755
--- a/wrappers/tcptraceroute
+++ b/wrappers/tcptraceroute
@@ -26,7 +26,7 @@ usage () {
}
-PARSED=`getopt 'hvdnNi:l:f:Fm:p:q:w:s:t:SAE' "$@"`
+PARSED=`getopt -- 'hvdnNi:l:f:Fm:p:q:w:s:t:SAE' "$@"`
[ $? != 0 ] && exit 2
eval set -- "$PARSED"
diff --git a/wrappers/tracepath b/wrappers/tracepath
index 987b998..448f031 100755
--- a/wrappers/tracepath
+++ b/wrappers/tracepath
@@ -25,7 +25,7 @@ usage () {
}
-PARSED=`getopt 'hnbl:' "$@"`
+PARSED=`getopt -- 'hnbl:' "$@"`
[ $? != 0 ] && exit 2
eval set -- "$PARSED"
diff --git a/wrappers/traceproto b/wrappers/traceproto
index 988fdc5..5dfd9a7 100755
--- a/wrappers/traceproto
+++ b/wrappers/traceproto
@@ -38,7 +38,7 @@ warning () {
}
-PARSED=`getopt 'cCTfAhvRp:d:D:s:S:m:M:w:W:a:P:F:k:I:H:i:o:t:' "$@"`
+PARSED=`getopt -- 'cCTfAhvRp:d:D:s:S:m:M:w:W:a:P:F:k:I:H:i:o:t:' "$@"`
[ $? != 0 ] && exit 2
eval set -- "$PARSED"
diff --git a/wrappers/traceroute-nanog b/wrappers/traceroute-nanog
index 29fd2a4..aac4c83 100755
--- a/wrappers/traceroute-nanog
+++ b/wrappers/traceroute-nanog
@@ -31,7 +31,7 @@ warning () {
}
-PARSED=`getopt 'adnruvAMOPQU$w:S:m:p:q:g:t:s:I:f:T:' "$@"`
+PARSED=`getopt -- 'adnruvAMOPQU$w:S:m:p:q:g:t:s:I:f:T:' "$@"`
[ $? != 0 ] && {
usage
exit 2
--
2.41.0

View File

@ -2,12 +2,13 @@ Summary: Traces the route taken by packets over an IPv4/IPv6 network
Name: traceroute
Epoch: 3
Version: 2.1.0
Release: 16%{?dist}
Release: 17%{?dist}
License: GPLv2+
URL: http://traceroute.sourceforge.net
Source0: https://downloads.sourceforge.net/project/traceroute/traceroute/traceroute-%{version}/traceroute-%{version}.tar.gz
Patch001: 001-review-of-CWE-170-CWE-772.patch
Patch002: 002-traceroute-CVE-2023-46316.patch
Provides: tcptraceroute = 1.5-1
Obsoletes: tcptraceroute < 1.5-1
@ -29,9 +30,7 @@ problems.
%prep
%setup -q
%patch001 -p1
%autosetup -p1
%build
@ -55,6 +54,9 @@ ln -s traceroute.8 $RPM_BUILD_ROOT%{_mandir}/man8/tcptraceroute.8
%changelog
* Mon Oct 30 2023 Jan Macku <jamacku@redhat.com> - 3:2.1.0-17
- fix improper command line parsing (CVE-2023-46316)
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3:2.1.0-16
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688