Accepting request 846279 from home:pmonrealgonzalez:branches:network:utilities

- Security fix: [bsc#1178466, CVE-2020-8037]
  * PPP decapsulator: Allocate the right buffer size
- Add tcpdump-CVE-2020-8037.patch

- Update to 4.9.3 [bsc#1153098]

OBS-URL: https://build.opensuse.org/request/show/846279
OBS-URL: https://build.opensuse.org/package/show/network:utilities/tcpdump?expand=0&rev=56
This commit is contained in:
Pedro Monreal Gonzalez 2020-11-05 15:47:47 +00:00 committed by Git OBS Bridge
parent bbf036edab
commit af28d45d24
3 changed files with 75 additions and 3 deletions

View File

@ -0,0 +1,63 @@
From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Sat, 18 Apr 2020 14:04:59 -0700
Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
The buffer should be big enough to hold the captured data, but it
doesn't need to be big enough to hold the entire on-the-network packet,
if we haven't captured all of it.
(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
---
print-ppp.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/print-ppp.c b/print-ppp.c
index 891761728..33fb03412 100644
--- a/print-ppp.c
+++ b/print-ppp.c
@@ -1367,19 +1367,29 @@ print_bacp_config_options(netdissect_options *ndo,
return 0;
}
+/*
+ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
+ * The length argument is the on-the-wire length, not the captured
+ * length; we can only un-escape the captured part.
+ */
static void
ppp_hdlc(netdissect_options *ndo,
const u_char *p, int length)
{
+ u_int caplen = ndo->ndo_snapend - p;
u_char *b, *t, c;
const u_char *s;
- int i, proto;
+ u_int i;
+ int proto;
const void *se;
+ if (caplen == 0)
+ return;
+
if (length <= 0)
return;
- b = (u_char *)malloc(length);
+ b = (u_char *)malloc(caplen);
if (b == NULL)
return;
@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
* Do this so that we dont overwrite the original packet
* contents.
*/
- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
+ for (s = p, t = b, i = caplen; i != 0; i--) {
c = *s++;
if (c == 0x7d) {
- if (i <= 1 || !ND_TTEST(*s))
+ if (i <= 1)
break;
i--;
c = *s++ ^ 0x20;

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Nov 5 10:58:11 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1178466, CVE-2020-8037]
* PPP decapsulator: Allocate the right buffer size
- Add tcpdump-CVE-2020-8037.patch
-------------------------------------------------------------------
Fri Dec 13 17:21:34 UTC 2019 - Michel Normand <normand@linux.vnet.ibm.com>
@ -12,7 +19,7 @@ Tue Oct 15 07:53:47 UTC 2019 - Martin Pluskal <mpluskal@suse.com>
-------------------------------------------------------------------
Wed Oct 2 14:01:31 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Update to 4.9.3
- Update to 4.9.3 [bsc#1153098]
* Fix buffer overflow/overread vulnerabilities:
- CVE-2017-16808 (AoE)
- CVE-2018-14468 (FrameRelay)

View File

@ -1,7 +1,7 @@
#
# spec file for package tcpdump
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,8 @@ Source2: https://www.tcpdump.org/release/%{name}-%{version}.tar.gz.sig
Source3: https://www.tcpdump.org/tcpdump-workers.asc#/%{name}.keyring
# PATCH-FIX-OPENSUSE tcpdump-CVE-2018-19519.patch - Initialize buf in print-hncp.c:print_prefix
Patch0: tcpdump-CVE-2018-19519.patch
# PATCH-FIX-UPSTREAM bsc#1178466 CVE-2020-8037 PPP decapsulator: Allocate the right buffer size
Patch1: tcpdump-CVE-2020-8037.patch
BuildRequires: libpcap-devel >= %{min_libpcap_version}
BuildRequires: libsmi-devel
BuildRequires: openssl-devel
@ -40,7 +42,7 @@ ethernet. It can be used to debug specific network problems.
%prep
%setup -q
%patch0 -p1
%autopatch -p1
%build
# guessing TSO needed in print-ip.c