msekleta pushed to tcpdump (f20). "Fixes for CVE-2015-0261, CVE-2015-2154, CVE-2015-2153, CVE-2015-2155 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed Mar 25 16:09:36 UTC 2015
>From 8ab437b22eb857899d21d84e1bd2327a30b7ca6e Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta at redhat.com>
Date: Wed, 25 Mar 2015 17:00:58 +0100
Subject: Fixes for CVE-2015-0261, CVE-2015-2154, CVE-2015-2153, CVE-2015-2155
Resolves: #1201799,#1201792,#1201795,#1201797
diff --git a/tcpdump-cve-2015-0261.patch b/tcpdump-cve-2015-0261.patch
new file mode 100644
index 0000000..1772c05
--- /dev/null
+++ b/tcpdump-cve-2015-0261.patch
@@ -0,0 +1,89 @@
+From 73934da8f9d6934a823f59995e132c4758403183 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta at redhat.com>
+Date: Wed, 25 Mar 2015 16:38:38 +0100
+Subject: [PATCH 1/4] Fix for CVE-2015-0261
+
+(cherry picked from commit 089ec2bd856dd17f6db62150b92ab7bb723bb31f)
+
+See: http://www.ca.tcpdump.org/cve/0003-test-case-for-cve2015-0261-corrupted-IPv6-mobility-h.patch
+---
+ print-mobility.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/print-mobility.c b/print-mobility.c
+index 1490b72..535f04b 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -1,7 +1,7 @@
+ /*
+ * Copyright (C) 2002 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -13,7 +13,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -74,6 +74,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+
+ /* Mobility Header Options */
+ #define IP6MOPT_MINLEN 2
+@@ -95,16 +107,20 @@ mobility_opt_print(const u_char *bp, int len)
+ int optlen;
+
+ for (i = 0; i < len; i += optlen) {
++ TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ TCHECK(bp[i + optlen]);
+
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -201,6 +217,10 @@ mobility_print(const u_char *bp, const u_char *bp2 _U_)
+
+ TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ printf("(header length %u is too small for type %u)", mhlen, type);
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ printf("mobility: BRR");
+--
+2.3.4
+
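Review bot: The `TCHECK(bp[i + optlen]);` added right after the `i + optlen > len` test checks the byte just past the current option rather than the option's own bytes, since the option occupies `bp[i]` through `bp[i + optlen - 1]`. If TCHECK has its usual meaning of "jump to trunc unless this byte was captured" (its definition is outside this view), a well-formed packet whose captured data ends exactly at the end of the last option is reported as truncated, while the bytes the case arms actually read are only covered indirectly by that extra byte. Checking exactly the option span, `TCHECK2(bp[i], optlen);`, bounds what the following switch reads without demanding a byte beyond it; TCHECK2 is already used in the companion print-rpki-rtr.c patch of this series. The switch body of mobility_opt_print continues past the shown context, so not every per-case read it would cover is visible here.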
diff --git a/tcpdump-cve-2015-2153.patch b/tcpdump-cve-2015-2153.patch
new file mode 100644
index 0000000..7c84caf
--- /dev/null
+++ b/tcpdump-cve-2015-2153.patch
@@ -0,0 +1,47 @@
+From 72d1f5b571c26699186dffbb8b01174179a011c9 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta at redhat.com>
+Date: Wed, 25 Mar 2015 16:45:43 +0100
+Subject: [PATCH 2/4] Fix for CVE-2015-2153
+
+(cherry picked from 1a4e86d0a273cc81b3236d9f8a5f47b586fec84c)
+
+See: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
+---
+ print-rpki-rtr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index c705c05..8f22189 100644
+--- a/print-rpki-rtr.c
++++ b/print-rpki-rtr.c
+@@ -184,6 +184,7 @@ rpki_rtr_pdu_print (const u_char *tptr, u_int indent)
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ TCHECK2(tptr, pdu_len);
+ hexdump = FALSE;
+
+ printf("%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -292,6 +293,7 @@ rpki_rtr_pdu_print (const u_char *tptr, u_int indent)
+ tptr += 4;
+ tlen -= 4;
+ }
++ printf("text_length: %u tlen %u\n", text_length, tlen);
+ if (text_length && (text_length <= tlen )) {
+ memcpy(buf, tptr, MIN(sizeof(buf)-1, text_length));
+ buf[text_length] = '\0';
+@@ -312,6 +314,11 @@ rpki_rtr_pdu_print (const u_char *tptr, u_int indent)
+ if (vflag > 1 || (vflag && hexdump)) {
+ print_unknown_data(tptr,"\n\t ", pdu_len);
+ }
++ return;
++
++ trunc:
++ printf("|trunc");
++ return;
+ }
+
+ void
+--
+2.3.4
+
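Review bot: The error-text handling left in place as context, `memcpy(buf, tptr, MIN(sizeof(buf)-1, text_length)); buf[text_length] = '\0';`, clamps the copy to the buffer but not the terminator index: once `text_length` reaches `sizeof(buf)` the NUL is written past the end of `buf`, and the new `TCHECK2(tptr, pdu_len)` only bounds the read side because `text_length` is still accepted up to `tlen`. The backport should clamp once and reuse the value, e.g. `u_int n = MIN(sizeof(buf)-1, text_length); memcpy(buf, tptr, n); buf[n] = '\0';` (buf's declaration is outside the hunk; the `sizeof(buf)` use indicates a fixed-size array). Separately, the added `printf("text_length: %u tlen %u\n", text_length, tlen);` is unconditional, not gated on vflag, and emits a newline in the middle of the PDU line; it reads as leftover debugging output and should be dropped. rpki_rtr_pdu_print begins and ends outside the shown context.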
diff --git a/tcpdump-cve-2015-2154.patch b/tcpdump-cve-2015-2154.patch
new file mode 100644
index 0000000..a00225f
--- /dev/null
+++ b/tcpdump-cve-2015-2154.patch
@@ -0,0 +1,38 @@
+From 2ce9e4d7ad6def2a8e962bdf2b90633e396dd9cf Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta at redhat.com>
+Date: Wed, 25 Mar 2015 16:48:48 +0100
+Subject: [PATCH 3/4] Fix for CVE-2015-2154
+
+(cherry picked from commit 1a4e86d0a273cc81b3236d9f8a5f47b586fec84c)
+
+See: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
+---
+ print-isoclns.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/print-isoclns.c b/print-isoclns.c
+index 8552d02..f870dce 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -3092,9 +3092,15 @@ osi_print_cksum (const u_int8_t *pptr, u_int16_t checksum,
+ u_int checksum_offset, u_int length)
+ {
+ u_int16_t calculated_checksum;
+-
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > snaplen
++ || checksum_offset > snaplen
++ || checksum_offset > length) {
+ printf("(unverified)");
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
+--
+2.3.4
+
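Review bot: The new guards compare `length` and `checksum_offset` against `snaplen`, which appears to be the global snapshot length rather than the number of bytes actually captured after `pptr`; `pptr` normally points into the middle of the packet, so `length <= snaplen` does not establish that `pptr + length` stays inside the captured data, and create_osi_cksum can still read past it. Bounding against the real capture end is more direct: `if (!checksum || checksum_offset > length || !TTEST2(*pptr, length)) {` with the two snaplen comparisons dropped (TTEST2 being the non-bailing form of the TCHECK2 macro used in the companion print-rpki-rtr.c patch; confirm it exists in this tree). The `checksum_offset > length` test also still admits an offset of `length - 1`, leaving only one byte of the two-byte checksum field inside `length`; whether that matters depends on how create_osi_cksum treats the field, which is outside this view, but `checksum_offset + 2 > length` would be the tighter test. The remainder of osi_print_cksum lies outside the hunk.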
diff --git a/tcpdump-cve-2015-2155.patch b/tcpdump-cve-2015-2155.patch
new file mode 100644
index 0000000..e326d62
--- /dev/null
+++ b/tcpdump-cve-2015-2155.patch
@@ -0,0 +1,39 @@
+From e980f0e68ad7bb1fe07873e6931077c3e9a12a3d Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta at redhat.com>
+Date: Wed, 25 Mar 2015 16:49:33 +0100
+Subject: [PATCH 4/4] Fix for CVE-2015-2155
+
+(cherry picked from commit 1a4e86d0a273cc81b3236d9f8a5f47b586fec84c)
+
+See: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
+---
+ print-forces.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/print-forces.c b/print-forces.c
+index 7391209..9eaa2f3 100644
+--- a/print-forces.c
++++ b/print-forces.c
+@@ -978,7 +978,7 @@ pdatacnt_print(register const u_char * pptr, register u_int len,
+
+ chk_op_type(type, op_msk, ops->op_msk);
+
+- if (ops->print((const u_char *)pdtlv,
++ if (ops->print!=NULL && ops->print((const u_char *)pdtlv,
+ tll + pad + TLV_HDRL, op_msk,
+ indent + 2) == -1)
+ return -1;
+@@ -1217,7 +1217,9 @@ otlv_print(const struct forces_tlv *otlv, u_int16_t op_msk _U_, int indent)
+
+ }
+
+- rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+
+ trunc:
+--
+2.3.4
+
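Review bot: Both new NULL checks turn a missing printer into a silent success: in pdatacnt_print the TLV payload is skipped with no output, and in otlv_print `rc` is returned untouched, and since rc's initialization is outside the hunk it cannot be confirmed here that the value returned on that path is 0 rather than indeterminate. Making the fallback explicit removes both the uninitialized-return question and the silent drop, e.g. `} else { printf(" (no printer for this TLV type)"); rc = 0; }` after the new `if(ops->print)` block, with a matching marker at the pdatacnt_print site. Style: `if(ops->print)` and `ops->print!=NULL` use different spacing from each other and from the surrounding `if (` / `== -1` code; pick one form. pdatacnt_print and otlv_print both start and end outside the hunk.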
diff --git a/tcpdump.spec b/tcpdump.spec
index a164967..1617726 100644
--- a/tcpdump.spec
+++ b/tcpdump.spec
@@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool
Name: tcpdump
Epoch: 14
Version: 4.5.1
-Release: 3%{?dist}
+Release: 4%{?dist}
License: BSD with advertising
URL: http://www.tcpdump.org
Group: Applications/Internet
@@ -24,6 +24,10 @@ Patch8: tcpdump-cve-2014-8767.patch
Patch9: tcpdump-cve-2014-8768.patch
Patch10: tcpdump-cve-2014-8769.patch
Patch11: tcpdump-cve-2014-9140.patch
+Patch12: tcpdump-cve-2015-0261.patch
+Patch13: tcpdump-cve-2015-2153.patch
+Patch14: tcpdump-cve-2015-2154.patch
+Patch15: tcpdump-cve-2015-2155.patch
%define tcpslice_dir tcpslice-1.2a3
@@ -53,6 +57,11 @@ popd
%patch9 -p1 -b .cve-2014-8768
%patch10 -p1 -b .cve-2014-8769
%patch11 -p1 -b .cve-2014-9140
+%patch12 -p1 -b .cve-2015-0261
+%patch13 -p1 -b .cve-2015-2153
+%patch14 -p1 -b .cve-2015-2154
+%patch15 -p1 -b .cve-2015-2155
+
find . -name '*.c' -o -name '*.h' | xargs chmod 644
@@ -104,6 +113,9 @@ exit 0
%{_mandir}/man8/tcpdump.8*
%changelog
+* Wed Mar 25 2015 Michal Sekletar <msekleta at redhat.com> - 14:4.5.1-4
+- Fixes for CVE-2015-0261, CVE-2015-2154, CVE-2015-2153, CVE-2015-2155 (#1201799,#1201792,#1201795,#1201797)
+
* Wed Dec 03 2014 Michal Sekletar <msekleta at redhat.com> - 14:4.5.1-3
- fix for CVE-2014-9140
--
http://pkgs.fedoraproject.org/cgit/tcpdump.git/commit/?h=f20&id=8ab437b22eb857899d21d84e1bd2327a30b7ca6e