Accepting request 734985 from network:utilities

OBS-URL: https://build.opensuse.org/request/show/734985 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tcpdump?expand=0&rev=39
2019-10-11 13:11:24 +00:00 · 2019-10-11 13:11:24 +00:00 · ac9d560f84
commit ac9d560f84
parent d7c96e686b cf831b344c
9 changed files with 48 additions and 95 deletions
--- a/tcpdump-4.9.2.tar.gz
+++ b/tcpdump-4.9.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:798b3536a29832ce0cbb07fafb1ce5097c95e308a6f592d14052e1ef1505fe79
-size 2298386
--- a/tcpdump-4.9.2.tar.gz.sig
+++ b/tcpdump-4.9.2.tar.gz.sig
--- a/tcpdump-4.9.3.tar.gz
+++ b/tcpdump-4.9.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2cd47cb3d460b6ff75f4a9940f594317ad456cfbf2bd2c8e5151e16559db6410
+size 2333119
--- a/tcpdump-4.9.3.tar.gz.sig
+++ b/tcpdump-4.9.3.tar.gz.sig
--- a/tcpdump-CVE-2017-16808.patch
+++ b/tcpdump-CVE-2017-16808.patch
@ -1,26 +0,0 @@
-From 28f610026d901660dd370862b62ec328727446a2 Mon Sep 17 00:00:00 2001
-From: Denis Ovsienko <denis@ovsienko.info>
-Date: Thu, 31 Aug 2017 21:15:37 +0100
-Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check.
-
-In aoev1_reserve_print() check bounds before trying to print an Ethernet
-address.
-
-This fixes a buffer over-read discovered by Bhargava Shastry,
-SecT/TU Berlin.
---
- print-aoe.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/print-aoe.c b/print-aoe.c
-index 97e93df2e..2c78a55d3 100644
--- a/print-aoe.c
-+++ b/print-aoe.c
-@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo,
- 		goto invalid;
- 	/* addresses */
- 	for (i = 0; i < nmacs; i++) {
-+		ND_TCHECK2(*cp, ETHER_ADDR_LEN);
- 		ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)));
- 		cp += ETHER_ADDR_LEN;
- 	}
--- a/tcpdump-CVE-2019-1010220.patch
+++ b/tcpdump-CVE-2019-1010220.patch
@ -1,28 +0,0 @@
-From 511915bef7e4de2f31b8d9f581b4a44b0cfbcf53 Mon Sep 17 00:00:00 2001
-From: Guy Harris <guy@alum.mit.edu>
-Date: Sat, 1 Jun 2019 14:42:09 -0700
-Subject: [PATCH] If decode_prefix6() returns a negative number, don't print
- buf.
-
-If it returns a negative number, it hasn't necessarily filled in buf, so
-just return immediately; this is similar to the IPv4 code path, wherein
-we just return a negative number, and print nothing, on an error.
-
-This should fix GitHub issue #763.
---
- print-hncp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-Index: tcpdump-4.9.2/print-hncp.c
-===================================================================
--- tcpdump-4.9.2.orig/print-hncp.c
-+++ tcpdump-4.9.2/print-hncp.c
-@@ -231,6 +231,8 @@ print_prefix(netdissect_options *ndo, co
-         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
-     } else {
-         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
-+        if (plenbytes < 0)
-+            return plenbytes;
-     }
- 
-     ND_PRINT((ndo, "%s", buf));
--- a/tcpdump-ikev2pI2.patch
+++ b/tcpdump-ikev2pI2.patch
@ -1,20 +0,0 @@
-Index: tcpdump-4.9.2/tests/crypto.sh
-===================================================================
--- tcpdump-4.9.2.orig/tests/crypto.sh
-+++ tcpdump-4.9.2/tests/crypto.sh
-@@ -72,15 +72,6 @@ then
- 			echo $failed >.failed
- 			exitcode=1
- 		fi
-		if ./TESTonce ikev2pI2 ikev2pI2.pcap ikev2pI2.out '-E "file ikev2pI2-secrets.txt" -v -v -v -v'
-		then
-			passed=`expr $passed + 1`
-			echo $passed >.passed
-		else
-			failed=`expr $failed + 1`
-			echo $failed >.failed
-			exitcode=1
-		fi
- 		if ./TESTonce isakmp4 isakmp4500.pcap isakmp4.out '-E "file esp-secrets.txt"'
- 		then
- 			passed=`expr $passed + 1`
--- a/tcpdump.changes
+++ b/tcpdump.changes
@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Wed Oct  2 14:01:31 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 4.9.3
+  * Fix buffer overflow/overread vulnerabilities:
+    - CVE-2017-16808 (AoE)
+    - CVE-2018-14468 (FrameRelay)
+    - CVE-2018-14469 (IKEv1)
+    - CVE-2018-14470 (BABEL)
+    - CVE-2018-14466 (AFS/RX)
+    - CVE-2018-14461 (LDP)
+    - CVE-2018-14462 (ICMP)
+    - CVE-2018-14465 (RSVP)
+    - CVE-2018-14881 (BGP)
+    - CVE-2018-14464 (LMP)
+    - CVE-2018-14463 (VRRP)
+    - CVE-2018-14467 (BGP)
+    - CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
+    - CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
+    - CVE-2018-14880 (OSPF6)
+    - CVE-2018-16451 (SMB)
+    - CVE-2018-14882 (RPL)
+    - CVE-2018-16227 (802.11)
+    - CVE-2018-16229 (DCCP)
+    - CVE-2018-16301 (was fixed in libpcap)
+    - CVE-2018-16230 (BGP)
+    - CVE-2018-16452 (SMB)
+    - CVE-2018-16300 (BGP)
+    - CVE-2018-16228 (HNCP)
+    - CVE-2019-15166 (LMP)
+    - CVE-2019-15167 (VRRP)
+  * Fix for cmdline argument/local issues:
+    - CVE-2018-14879 (tcpdump -V)
+- Drop patches fixed upstream:
+  * tcpdump-CVE-2017-16808.patch
+  * tcpdump-CVE-2019-1010220.patch
+  * tcpdump-ikev2pI2.patch
+
 -------------------------------------------------------------------
 Tue Jul 23 11:45:46 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>

--- a/tcpdump.spec
+++ b/tcpdump.spec
@ -16,31 +16,24 @@
 #


-%define min_libpcap_version 1.8.1
+%define min_libpcap_version 1.9.1
 Name:           tcpdump
-Version:        4.9.2
+Version:        4.9.3
 Release:        0
 Summary:        A Packet Sniffer
 License:        BSD-3-Clause
 Group:          Productivity/Networking/Diagnostic
-Url:            http://www.tcpdump.org/
-Source:         http://www.tcpdump.org/release/%{name}-%{version}.tar.gz
+Url:            https://www.tcpdump.org/
+Source:         https://www.tcpdump.org/release/%{name}-%{version}.tar.gz
 Source1:        tcpdump-qeth
-Source2:        http://www.tcpdump.org/release/%{name}-%{version}.tar.gz.sig
-Source3:        http://www.tcpdump.org/tcpdump-workers.asc#/%{name}.keyring
-# PATCH-FIX-OPENSUSE tcpdump-ikev2pI2.patch - disabled failing test
-Patch0:         tcpdump-ikev2pI2.patch
+Source2:        https://www.tcpdump.org/release/%{name}-%{version}.tar.gz.sig
+Source3:        https://www.tcpdump.org/tcpdump-workers.asc#/%{name}.keyring
 # PATCH-FIX-OPENSUSE tcpdump-CVE-2018-19519.patch - Initialize buf in print-hncp.c:print_prefix
-Patch1:         tcpdump-CVE-2018-19519.patch
-# PATCH-FIX-UPSTREAM bsc#1068716 CVE-2017-16808 Heap-based buffer over-read related to aoe_print and lookup_emem
-Patch2:         tcpdump-CVE-2017-16808.patch
-# PATCH-FIX-UPSTREAM bsc#1142439 CVE-2019-1010220 Buffer Over-read in print_prefix
-Patch3:         tcpdump-CVE-2019-1010220.patch
+Patch0:         tcpdump-CVE-2018-19519.patch
 BuildRequires:  libpcap-devel >= %{min_libpcap_version}
 BuildRequires:  libsmi-devel
 BuildRequires:  openssl-devel
 Requires:       libpcap >= %{min_libpcap_version}
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
 This program can "read" all or only certain packets going over the
@ -49,9 +42,6 @@ ethernet. It can be used to debug specific network problems.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1

 %build
 export CFLAGS="%{optflags} -Wall -DGUESS_TSO -fstack-protector -fno-strict-aliasing"
@ -70,7 +60,6 @@ rm %{buildroot}/%{_sbindir}/tcpdump.%{version}
 make check %{?_smp_mflags}

 %files
-%defattr(-,root,root)
 %license LICENSE
 %doc CHANGES CREDITS README* *.awk
 %{_mandir}/man?/*