[oe] [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543
wenzong.fan at windriver.com
wenzong.fan at windriver.com
Thu Sep 7 09:49:20 UTC 2017
From: Wenzong Fan <wenzong.fan at windriver.com>
Backport patches for fixing:
- CVE-2017-11541:
https://nvd.nist.gov/vuln/detail/CVE-2017-11541
https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
- CVE-2017-11542:
https://nvd.nist.gov/vuln/detail/CVE-2017-11542
https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
- CVE-2017-11543:
https://nvd.nist.gov/vuln/detail/CVE-2017-11543
https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
The tests/* changes dropped to workaround patch error:
File tests/*.pcap: git binary diffs are not supported.
Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
...543-Make-sure-the-SLIP-direction-octet-is.patch | 85 ++++++++++++++++++++++
.../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 +
4 files changed, 180 insertions(+)
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
new file mode 100644
index 000000000..a83214b02
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
@@ -0,0 +1,49 @@
+From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy at alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:40:36 -0800
+Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
+ checking for a NUL terminator.
+
+safeputs() doesn't do packet bounds checking of its own; it assumes that
+the caller has checked the availability in the packet data of all maxlen
+bytes of data. This means we should check that we're within the
+specified limit before looking at the byte.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+
+CVE: CVE-2017-11541
+
+Upstream-Status: Backport
+https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
+
+Drop the tests/* changes to workaroud patch error:
+File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+ tests/TESTLIST | 1 +
+ tests/hoobr_safeputs.out | 2 ++
+ tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
+ util-print.c | 2 +-
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 tests/hoobr_safeputs.out
+ create mode 100644 tests/hoobr_safeputs.pcap
+
+diff --git a/util-print.c b/util-print.c
+index 394e7d59..ec3e8de8 100644
+--- a/util-print.c
++++ b/util-print.c
+@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
+ {
+ u_int idx = 0;
+
+- while (*s && idx < maxlen) {
++ while (idx < maxlen && *s) {
+ safeputchar(ndo, *s);
+ idx++;
+ s++;
+--
+2.13.0
+
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
new file mode 100644
index 000000000..a177e7c0b
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
@@ -0,0 +1,43 @@
+From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy at alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:10:04 -0800
+Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+
+CVE: CVE-2017-11542
+
+Upstream-Status: Backport
+https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
+
+Drop the tests/* changes to workaroud patch error:
+File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+ print-pim.c | 1 +
+ tests/TESTLIST | 1 +
+ tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
+ tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
+ 4 files changed, 27 insertions(+)
+ create mode 100644 tests/hoobr_pimv1.out
+ create mode 100644 tests/hoobr_pimv1.pcap
+
+diff --git a/print-pim.c b/print-pim.c
+index 25525953..ed880ae7 100644
+--- a/print-pim.c
++++ b/print-pim.c
+@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
+ pimv1_join_prune_print(ndo, &bp[8], len - 8);
+ break;
+ }
++ ND_TCHECK(bp[4]);
+ if ((bp[4] >> 4) != 1)
+ ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
+ return;
+
+--
+2.13.0
+
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
new file mode 100644
index 000000000..36e3f6b0d
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
@@ -0,0 +1,85 @@
+From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy at alum.mit.edu>
+Date: Fri, 17 Mar 2017 12:49:04 -0700
+Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
+
+Report if it's not, and don't use it as an out-of-bounds index into an
+array.
+
+This fixes a buffer overflow discovered by Wilfried Kirsch.
+
+Add a test using the capture file supplied by the reporter(s), modified
+so the capture file won't be rejected as an invalid capture.
+
+CVE: CVE-2017-11543
+
+Upstream-Status: Backport
+https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
+
+Drop the tests/* changes to workaroud patch error:
+File tests/slip-bad-direction.pcap: git binary diffs are not supported.
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+ print-sl.c | 25 +++++++++++++++++++++++--
+ tests/TESTLIST | 3 +++
+ tests/slip-bad-direction.out | 1 +
+ tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100644 tests/slip-bad-direction.out
+ create mode 100644 tests/slip-bad-direction.pcap
+
+diff --git a/print-sl.c b/print-sl.c
+index 3fd7e898..a02077b3 100644
+--- a/print-sl.c
++++ b/print-sl.c
+@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
+ u_int hlen;
+
+ dir = p[SLX_DIR];
+- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
++ switch (dir) {
+
++ case SLIPDIR_IN:
++ ND_PRINT((ndo, "I "));
++ break;
++
++ case SLIPDIR_OUT:
++ ND_PRINT((ndo, "O "));
++ break;
++
++ default:
++ ND_PRINT((ndo, "Invalid direction %d ", dir));
++ dir = -1;
++ break;
++ }
+ if (ndo->ndo_nflag) {
+ /* XXX just dump the header */
+ register int i;
+@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
+ * has restored the IP header copy to IPPROTO_TCP.
+ */
+ lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
++ ND_PRINT((ndo, "utcp %d: ", lastconn));
++ if (dir == -1) {
++ /* Direction is bogus, don't use it */
++ return;
++ }
+ hlen = IP_HL(ip);
+ hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
+ lastlen[dir][lastconn] = length - (hlen << 2);
+- ND_PRINT((ndo, "utcp %d: ", lastconn));
+ break;
+
+ default:
++ if (dir == -1) {
++ /* Direction is bogus, don't use it */
++ return;
++ }
+ if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
+ compressed_sl_print(ndo, &p[SLX_CHDR], ip,
+ length, dir);
+
+--
+2.13.0
+
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
index 261c78427..668d6f5e1 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
@@ -11,6 +11,9 @@ SRC_URI = " \
file://tcpdump-configure-dlpi.patch \
file://add-ptest.patch \
file://run-ptest \
+ file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
+ file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch \
+ file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch \
"
SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
--
2.13.0
More information about the Openembedded-devel
mailing list