* [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543
@ 2017-09-07 9:49 wenzong.fan
2017-09-13 3:21 ` wenzong fan
0 siblings, 1 reply; 5+ messages in thread
From: wenzong.fan @ 2017-09-07 9:49 UTC (permalink / raw)
To: openembedded-devel
From: Wenzong Fan <wenzong.fan@windriver.com>
Backport patches for fixing:
- CVE-2017-11541:
https://nvd.nist.gov/vuln/detail/CVE-2017-11541
https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
- CVE-2017-11542:
https://nvd.nist.gov/vuln/detail/CVE-2017-11542
https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
- CVE-2017-11543:
https://nvd.nist.gov/vuln/detail/CVE-2017-11543
https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
The tests/* changes dropped to workaround patch error:
File tests/*.pcap: git binary diffs are not supported.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
...543-Make-sure-the-SLIP-direction-octet-is.patch | 85 ++++++++++++++++++++++
.../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 +
4 files changed, 180 insertions(+)
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
new file mode 100644
index 000000000..a83214b02
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
@@ -0,0 +1,49 @@
+From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:40:36 -0800
+Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
+ checking for a NUL terminator.
+
+safeputs() doesn't do packet bounds checking of its own; it assumes that
+the caller has checked the availability in the packet data of all maxlen
+bytes of data. This means we should check that we're within the
+specified limit before looking at the byte.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+
+CVE: CVE-2017-11541
+
+Upstream-Status: Backport
+https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
+
+Drop the tests/* changes to workaroud patch error:
+File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ tests/TESTLIST | 1 +
+ tests/hoobr_safeputs.out | 2 ++
+ tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
+ util-print.c | 2 +-
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 tests/hoobr_safeputs.out
+ create mode 100644 tests/hoobr_safeputs.pcap
+
+diff --git a/util-print.c b/util-print.c
+index 394e7d59..ec3e8de8 100644
+--- a/util-print.c
++++ b/util-print.c
+@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
+ {
+ u_int idx = 0;
+
+- while (*s && idx < maxlen) {
++ while (idx < maxlen && *s) {
+ safeputchar(ndo, *s);
+ idx++;
+ s++;
+--
+2.13.0
+
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
new file mode 100644
index 000000000..a177e7c0b
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
@@ -0,0 +1,43 @@
+From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Tue, 7 Feb 2017 11:10:04 -0800
+Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
+
+This fixes a buffer over-read discovered by Kamil Frankowicz.
+
+Add a test using the capture file supplied by the reporter(s).
+
+CVE: CVE-2017-11542
+
+Upstream-Status: Backport
+https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
+
+Drop the tests/* changes to workaroud patch error:
+File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ print-pim.c | 1 +
+ tests/TESTLIST | 1 +
+ tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
+ tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
+ 4 files changed, 27 insertions(+)
+ create mode 100644 tests/hoobr_pimv1.out
+ create mode 100644 tests/hoobr_pimv1.pcap
+
+diff --git a/print-pim.c b/print-pim.c
+index 25525953..ed880ae7 100644
+--- a/print-pim.c
++++ b/print-pim.c
+@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
+ pimv1_join_prune_print(ndo, &bp[8], len - 8);
+ break;
+ }
++ ND_TCHECK(bp[4]);
+ if ((bp[4] >> 4) != 1)
+ ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
+ return;
+
+--
+2.13.0
+
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
new file mode 100644
index 000000000..36e3f6b0d
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
@@ -0,0 +1,85 @@
+From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Fri, 17 Mar 2017 12:49:04 -0700
+Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
+
+Report if it's not, and don't use it as an out-of-bounds index into an
+array.
+
+This fixes a buffer overflow discovered by Wilfried Kirsch.
+
+Add a test using the capture file supplied by the reporter(s), modified
+so the capture file won't be rejected as an invalid capture.
+
+CVE: CVE-2017-11543
+
+Upstream-Status: Backport
+https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
+
+Drop the tests/* changes to workaroud patch error:
+File tests/slip-bad-direction.pcap: git binary diffs are not supported.
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ print-sl.c | 25 +++++++++++++++++++++++--
+ tests/TESTLIST | 3 +++
+ tests/slip-bad-direction.out | 1 +
+ tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100644 tests/slip-bad-direction.out
+ create mode 100644 tests/slip-bad-direction.pcap
+
+diff --git a/print-sl.c b/print-sl.c
+index 3fd7e898..a02077b3 100644
+--- a/print-sl.c
++++ b/print-sl.c
+@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
+ u_int hlen;
+
+ dir = p[SLX_DIR];
+- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
++ switch (dir) {
+
++ case SLIPDIR_IN:
++ ND_PRINT((ndo, "I "));
++ break;
++
++ case SLIPDIR_OUT:
++ ND_PRINT((ndo, "O "));
++ break;
++
++ default:
++ ND_PRINT((ndo, "Invalid direction %d ", dir));
++ dir = -1;
++ break;
++ }
+ if (ndo->ndo_nflag) {
+ /* XXX just dump the header */
+ register int i;
+@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
+ * has restored the IP header copy to IPPROTO_TCP.
+ */
+ lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
++ ND_PRINT((ndo, "utcp %d: ", lastconn));
++ if (dir == -1) {
++ /* Direction is bogus, don't use it */
++ return;
++ }
+ hlen = IP_HL(ip);
+ hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
+ lastlen[dir][lastconn] = length - (hlen << 2);
+- ND_PRINT((ndo, "utcp %d: ", lastconn));
+ break;
+
+ default:
++ if (dir == -1) {
++ /* Direction is bogus, don't use it */
++ return;
++ }
+ if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
+ compressed_sl_print(ndo, &p[SLX_CHDR], ip,
+ length, dir);
+
+--
+2.13.0
+
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
index 261c78427..668d6f5e1 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
@@ -11,6 +11,9 @@ SRC_URI = " \
file://tcpdump-configure-dlpi.patch \
file://add-ptest.patch \
file://run-ptest \
+ file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
+ file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch \
+ file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch \
"
SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
--
2.13.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543
2017-09-07 9:49 [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543 wenzong.fan
@ 2017-09-13 3:21 ` wenzong fan
2017-09-13 9:17 ` Martin Jansa
0 siblings, 1 reply; 5+ messages in thread
From: wenzong fan @ 2017-09-13 3:21 UTC (permalink / raw)
To: openembedded-devel
Please ignore this patch, the fixes has been included by:
[oe] [meta-networking][PATCH] tcpdump: update to 4.9.2 to fix CVEs
Thanks
Wenzong
On 09/07/2017 05:49 PM, wenzong.fan@windriver.com wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
>
> Backport patches for fixing:
> - CVE-2017-11541:
> https://nvd.nist.gov/vuln/detail/CVE-2017-11541
> https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
>
> - CVE-2017-11542:
> https://nvd.nist.gov/vuln/detail/CVE-2017-11542
> https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
>
> - CVE-2017-11543:
> https://nvd.nist.gov/vuln/detail/CVE-2017-11543
> https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
>
> The tests/* changes dropped to workaround patch error:
> File tests/*.pcap: git binary diffs are not supported.
>
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> ---
> ...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
> ...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
> ...543-Make-sure-the-SLIP-direction-octet-is.patch | 85 ++++++++++++++++++++++
> .../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 +
> 4 files changed, 180 insertions(+)
> create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
> create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
> new file mode 100644
> index 000000000..a83214b02
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
> @@ -0,0 +1,49 @@
> +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
> +From: Guy Harris <guy@alum.mit.edu>
> +Date: Tue, 7 Feb 2017 11:40:36 -0800
> +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
> + checking for a NUL terminator.
> +
> +safeputs() doesn't do packet bounds checking of its own; it assumes that
> +the caller has checked the availability in the packet data of all maxlen
> +bytes of data. This means we should check that we're within the
> +specified limit before looking at the byte.
> +
> +This fixes a buffer over-read discovered by Kamil Frankowicz.
> +
> +Add a test using the capture file supplied by the reporter(s).
> +
> +CVE: CVE-2017-11541
> +
> +Upstream-Status: Backport
> +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
> +
> +Drop the tests/* changes to workaroud patch error:
> +File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
> +
> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> +---
> + tests/TESTLIST | 1 +
> + tests/hoobr_safeputs.out | 2 ++
> + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
> + util-print.c | 2 +-
> + 4 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 tests/hoobr_safeputs.out
> + create mode 100644 tests/hoobr_safeputs.pcap
> +
> +diff --git a/util-print.c b/util-print.c
> +index 394e7d59..ec3e8de8 100644
> +--- a/util-print.c
> ++++ b/util-print.c
> +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
> + {
> + u_int idx = 0;
> +
> +- while (*s && idx < maxlen) {
> ++ while (idx < maxlen && *s) {
> + safeputchar(ndo, *s);
> + idx++;
> + s++;
> +--
> +2.13.0
> +
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> new file mode 100644
> index 000000000..a177e7c0b
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> @@ -0,0 +1,43 @@
> +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
> +From: Guy Harris <guy@alum.mit.edu>
> +Date: Tue, 7 Feb 2017 11:10:04 -0800
> +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
> +
> +This fixes a buffer over-read discovered by Kamil Frankowicz.
> +
> +Add a test using the capture file supplied by the reporter(s).
> +
> +CVE: CVE-2017-11542
> +
> +Upstream-Status: Backport
> +https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
> +
> +Drop the tests/* changes to workaroud patch error:
> +File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
> +
> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> +---
> + print-pim.c | 1 +
> + tests/TESTLIST | 1 +
> + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
> + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
> + 4 files changed, 27 insertions(+)
> + create mode 100644 tests/hoobr_pimv1.out
> + create mode 100644 tests/hoobr_pimv1.pcap
> +
> +diff --git a/print-pim.c b/print-pim.c
> +index 25525953..ed880ae7 100644
> +--- a/print-pim.c
> ++++ b/print-pim.c
> +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
> + pimv1_join_prune_print(ndo, &bp[8], len - 8);
> + break;
> + }
> ++ ND_TCHECK(bp[4]);
> + if ((bp[4] >> 4) != 1)
> + ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
> + return;
> +
> +--
> +2.13.0
> +
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> new file mode 100644
> index 000000000..36e3f6b0d
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> @@ -0,0 +1,85 @@
> +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
> +From: Guy Harris <guy@alum.mit.edu>
> +Date: Fri, 17 Mar 2017 12:49:04 -0700
> +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
> +
> +Report if it's not, and don't use it as an out-of-bounds index into an
> +array.
> +
> +This fixes a buffer overflow discovered by Wilfried Kirsch.
> +
> +Add a test using the capture file supplied by the reporter(s), modified
> +so the capture file won't be rejected as an invalid capture.
> +
> +CVE: CVE-2017-11543
> +
> +Upstream-Status: Backport
> +https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
> +
> +Drop the tests/* changes to workaroud patch error:
> +File tests/slip-bad-direction.pcap: git binary diffs are not supported.
> +
> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> +---
> + print-sl.c | 25 +++++++++++++++++++++++--
> + tests/TESTLIST | 3 +++
> + tests/slip-bad-direction.out | 1 +
> + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
> + 4 files changed, 27 insertions(+), 2 deletions(-)
> + create mode 100644 tests/slip-bad-direction.out
> + create mode 100644 tests/slip-bad-direction.pcap
> +
> +diff --git a/print-sl.c b/print-sl.c
> +index 3fd7e898..a02077b3 100644
> +--- a/print-sl.c
> ++++ b/print-sl.c
> +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
> + u_int hlen;
> +
> + dir = p[SLX_DIR];
> +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
> ++ switch (dir) {
> +
> ++ case SLIPDIR_IN:
> ++ ND_PRINT((ndo, "I "));
> ++ break;
> ++
> ++ case SLIPDIR_OUT:
> ++ ND_PRINT((ndo, "O "));
> ++ break;
> ++
> ++ default:
> ++ ND_PRINT((ndo, "Invalid direction %d ", dir));
> ++ dir = -1;
> ++ break;
> ++ }
> + if (ndo->ndo_nflag) {
> + /* XXX just dump the header */
> + register int i;
> +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
> + * has restored the IP header copy to IPPROTO_TCP.
> + */
> + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
> ++ ND_PRINT((ndo, "utcp %d: ", lastconn));
> ++ if (dir == -1) {
> ++ /* Direction is bogus, don't use it */
> ++ return;
> ++ }
> + hlen = IP_HL(ip);
> + hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
> + lastlen[dir][lastconn] = length - (hlen << 2);
> +- ND_PRINT((ndo, "utcp %d: ", lastconn));
> + break;
> +
> + default:
> ++ if (dir == -1) {
> ++ /* Direction is bogus, don't use it */
> ++ return;
> ++ }
> + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
> + compressed_sl_print(ndo, &p[SLX_CHDR], ip,
> + length, dir);
> +
> +--
> +2.13.0
> +
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> index 261c78427..668d6f5e1 100644
> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> @@ -11,6 +11,9 @@ SRC_URI = " \
> file://tcpdump-configure-dlpi.patch \
> file://add-ptest.patch \
> file://run-ptest \
> + file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
> + file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch \
> + file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch \
> "
>
> SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543
2017-09-13 3:21 ` wenzong fan
@ 2017-09-13 9:17 ` Martin Jansa
2017-09-13 14:05 ` Jose Lamego
0 siblings, 1 reply; 5+ messages in thread
From: Martin Jansa @ 2017-09-13 9:17 UTC (permalink / raw)
To: wenzong fan; +Cc: openembedded-devel
Please update the state on patchwork (https://patchwork.
openembedded.org/project/oe/patches/) when sending updates like this.
You can update it on the site or use some magic keywords in the e-mail
reply to update it automatically (but I've failed to find link to
documentation how this magic should look like).
On Wed, Sep 13, 2017 at 5:21 AM, wenzong fan <wenzong.fan@windriver.com>
wrote:
> Please ignore this patch, the fixes has been included by:
>
> [oe] [meta-networking][PATCH] tcpdump: update to 4.9.2 to fix CVEs
>
> Thanks
> Wenzong
>
>
> On 09/07/2017 05:49 PM, wenzong.fan@windriver.com wrote:
>
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> Backport patches for fixing:
>> - CVE-2017-11541:
>> https://nvd.nist.gov/vuln/detail/CVE-2017-11541
>> https://github.com/the-tcpdump-group/tcpdump/commit/21d702a
>> 136c5c16882e368af7c173df728242280
>>
>> - CVE-2017-11542:
>> https://nvd.nist.gov/vuln/detail/CVE-2017-11542
>> https://github.com/the-tcpdump-group/tcpdump/commit/bed4806
>> 2a64fca524156d7684af19f5b4a116fae
>>
>> - CVE-2017-11543:
>> https://nvd.nist.gov/vuln/detail/CVE-2017-11543
>> https://github.com/the-tcpdump-group/tcpdump/commit/7039327
>> 875525278d17edee59720e29a3e76b7b3
>>
>> The tests/* changes dropped to workaround patch error:
>> File tests/*.pcap: git binary diffs are not supported.
>>
>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> ---
>> ...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
>> ...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
>> ...543-Make-sure-the-SLIP-direction-octet-is.patch | 85
>> ++++++++++++++++++++++
>> .../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 +
>> 4 files changed, 180 insertions(+)
>> create mode 100644 meta-networking/recipes-suppor
>> t/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-
>> the-length-before-c.patch
>> create mode 100644 meta-networking/recipes-suppor
>> t/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
>> create mode 100644 meta-networking/recipes-suppor
>> t/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-
>> direction-octet-is.patch
>>
>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11541-In-safeputs-check-the-length-before-c.patch
>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11541-In-safeputs-check-the-length-before-c.patch
>> new file mode 100644
>> index 000000000..a83214b02
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11541-In-safeputs-check-the-length-before-c.patch
>> @@ -0,0 +1,49 @@
>> +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
>> +From: Guy Harris <guy@alum.mit.edu>
>> +Date: Tue, 7 Feb 2017 11:40:36 -0800
>> +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
>> + checking for a NUL terminator.
>> +
>> +safeputs() doesn't do packet bounds checking of its own; it assumes that
>> +the caller has checked the availability in the packet data of all maxlen
>> +bytes of data. This means we should check that we're within the
>> +specified limit before looking at the byte.
>> +
>> +This fixes a buffer over-read discovered by Kamil Frankowicz.
>> +
>> +Add a test using the capture file supplied by the reporter(s).
>> +
>> +CVE: CVE-2017-11541
>> +
>> +Upstream-Status: Backport
>> +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a
>> 136c5c16882e368af7c173df728242280
>> +
>> +Drop the tests/* changes to workaroud patch error:
>> +File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
>> +
>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> +---
>> + tests/TESTLIST | 1 +
>> + tests/hoobr_safeputs.out | 2 ++
>> + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
>> + util-print.c | 2 +-
>> + 4 files changed, 4 insertions(+), 1 deletion(-)
>> + create mode 100644 tests/hoobr_safeputs.out
>> + create mode 100644 tests/hoobr_safeputs.pcap
>> +
>> +diff --git a/util-print.c b/util-print.c
>> +index 394e7d59..ec3e8de8 100644
>> +--- a/util-print.c
>> ++++ b/util-print.c
>> +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
>> + {
>> + u_int idx = 0;
>> +
>> +- while (*s && idx < maxlen) {
>> ++ while (idx < maxlen && *s) {
>> + safeputchar(ndo, *s);
>> + idx++;
>> + s++;
>> +--
>> +2.13.0
>> +
>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-supp
>> ort/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
>> new file mode 100644
>> index 000000000..a177e7c0b
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11542-PIMv1-Add-a-bounds-check.patch
>> @@ -0,0 +1,43 @@
>> +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
>> +From: Guy Harris <guy@alum.mit.edu>
>> +Date: Tue, 7 Feb 2017 11:10:04 -0800
>> +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
>> +
>> +This fixes a buffer over-read discovered by Kamil Frankowicz.
>> +
>> +Add a test using the capture file supplied by the reporter(s).
>> +
>> +CVE: CVE-2017-11542
>> +
>> +Upstream-Status: Backport
>> +https://github.com/the-tcpdump-group/tcpdump/commit/bed4806
>> 2a64fca524156d7684af19f5b4a116fae
>> +
>> +Drop the tests/* changes to workaroud patch error:
>> +File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
>> +
>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> +---
>> + print-pim.c | 1 +
>> + tests/TESTLIST | 1 +
>> + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
>> + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
>> + 4 files changed, 27 insertions(+)
>> + create mode 100644 tests/hoobr_pimv1.out
>> + create mode 100644 tests/hoobr_pimv1.pcap
>> +
>> +diff --git a/print-pim.c b/print-pim.c
>> +index 25525953..ed880ae7 100644
>> +--- a/print-pim.c
>> ++++ b/print-pim.c
>> +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
>> + pimv1_join_prune_print(ndo, &bp[8], len - 8);
>> + break;
>> + }
>> ++ ND_TCHECK(bp[4]);
>> + if ((bp[4] >> 4) != 1)
>> + ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
>> + return;
>> +
>> +--
>> +2.13.0
>> +
>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>> new file mode 100644
>> index 000000000..36e3f6b0d
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>> @@ -0,0 +1,85 @@
>> +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
>> +From: Guy Harris <guy@alum.mit.edu>
>> +Date: Fri, 17 Mar 2017 12:49:04 -0700
>> +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is
>> valid.
>> +
>> +Report if it's not, and don't use it as an out-of-bounds index into an
>> +array.
>> +
>> +This fixes a buffer overflow discovered by Wilfried Kirsch.
>> +
>> +Add a test using the capture file supplied by the reporter(s), modified
>> +so the capture file won't be rejected as an invalid capture.
>> +
>> +CVE: CVE-2017-11543
>> +
>> +Upstream-Status: Backport
>> +https://github.com/the-tcpdump-group/tcpdump/commit/7039327
>> 875525278d17edee59720e29a3e76b7b3
>> +
>> +Drop the tests/* changes to workaroud patch error:
>> +File tests/slip-bad-direction.pcap: git binary diffs are not supported.
>> +
>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> +---
>> + print-sl.c | 25 +++++++++++++++++++++++--
>> + tests/TESTLIST | 3 +++
>> + tests/slip-bad-direction.out | 1 +
>> + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
>> + 4 files changed, 27 insertions(+), 2 deletions(-)
>> + create mode 100644 tests/slip-bad-direction.out
>> + create mode 100644 tests/slip-bad-direction.pcap
>> +
>> +diff --git a/print-sl.c b/print-sl.c
>> +index 3fd7e898..a02077b3 100644
>> +--- a/print-sl.c
>> ++++ b/print-sl.c
>> +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
>> + u_int hlen;
>> +
>> + dir = p[SLX_DIR];
>> +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
>> ++ switch (dir) {
>> +
>> ++ case SLIPDIR_IN:
>> ++ ND_PRINT((ndo, "I "));
>> ++ break;
>> ++
>> ++ case SLIPDIR_OUT:
>> ++ ND_PRINT((ndo, "O "));
>> ++ break;
>> ++
>> ++ default:
>> ++ ND_PRINT((ndo, "Invalid direction %d ", dir));
>> ++ dir = -1;
>> ++ break;
>> ++ }
>> + if (ndo->ndo_nflag) {
>> + /* XXX just dump the header */
>> + register int i;
>> +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
>> + * has restored the IP header copy to IPPROTO_TCP.
>> + */
>> + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
>> ++ ND_PRINT((ndo, "utcp %d: ", lastconn));
>> ++ if (dir == -1) {
>> ++ /* Direction is bogus, don't use it */
>> ++ return;
>> ++ }
>> + hlen = IP_HL(ip);
>> + hlen += TH_OFF((const struct tcphdr *)&((const int
>> *)ip)[hlen]);
>> + lastlen[dir][lastconn] = length - (hlen << 2);
>> +- ND_PRINT((ndo, "utcp %d: ", lastconn));
>> + break;
>> +
>> + default:
>> ++ if (dir == -1) {
>> ++ /* Direction is bogus, don't use it */
>> ++ return;
>> ++ }
>> + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
>> + compressed_sl_print(ndo, &p[SLX_CHDR], ip,
>> + length, dir);
>> +
>> +--
>> +2.13.0
>> +
>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>> b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>> index 261c78427..668d6f5e1 100644
>> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>> @@ -11,6 +11,9 @@ SRC_URI = " \
>> file://tcpdump-configure-dlpi.patch \
>> file://add-ptest.patch \
>> file://run-ptest \
>> + file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
>> + file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
>> \
>> + file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>> \
>> "
>> SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
>>
>> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543
2017-09-13 9:17 ` Martin Jansa
@ 2017-09-13 14:05 ` Jose Lamego
2017-09-13 21:30 ` Martin Jansa
0 siblings, 1 reply; 5+ messages in thread
From: Jose Lamego @ 2017-09-13 14:05 UTC (permalink / raw)
To: openembedded-devel
On 09/13/2017 04:17 AM, Martin Jansa wrote:
> Please update the state on patchwork (https://patchwork.
> openembedded.org/project/oe/patches/) when sending updates like this.
>
> You can update it on the site or use some magic keywords in the e-mail
> reply to update it automatically (but I've failed to find link to
> documentation how this magic should look like).
>
To automatically change a patch status in Patchwork, the string to be
included at the bottom of an email reply must be in the form:
[Patchwork-Status: <new-state>]
where <new-state> can be any of the existing states (excepting "Accepted").
This and other ways of updating patch statuses can be seen at:
http://www.openembedded.org/wiki/Patchwork#Update_the_state_of_patches
> On Wed, Sep 13, 2017 at 5:21 AM, wenzong fan <wenzong.fan@windriver.com>
> wrote:
>
>> Please ignore this patch, the fixes has been included by:
>>
>> [oe] [meta-networking][PATCH] tcpdump: update to 4.9.2 to fix CVEs
>>
>> Thanks
>> Wenzong
>>
>>
>> On 09/07/2017 05:49 PM, wenzong.fan@windriver.com wrote:
>>
>>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>>
>>> Backport patches for fixing:
>>> - CVE-2017-11541:
>>> https://nvd.nist.gov/vuln/detail/CVE-2017-11541
>>> https://github.com/the-tcpdump-group/tcpdump/commit/21d702a
>>> 136c5c16882e368af7c173df728242280
>>>
>>> - CVE-2017-11542:
>>> https://nvd.nist.gov/vuln/detail/CVE-2017-11542
>>> https://github.com/the-tcpdump-group/tcpdump/commit/bed4806
>>> 2a64fca524156d7684af19f5b4a116fae
>>>
>>> - CVE-2017-11543:
>>> https://nvd.nist.gov/vuln/detail/CVE-2017-11543
>>> https://github.com/the-tcpdump-group/tcpdump/commit/7039327
>>> 875525278d17edee59720e29a3e76b7b3
>>>
>>> The tests/* changes dropped to workaround patch error:
>>> File tests/*.pcap: git binary diffs are not supported.
>>>
>>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>> ---
>>> ...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
>>> ...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
>>> ...543-Make-sure-the-SLIP-direction-octet-is.patch | 85
>>> ++++++++++++++++++++++
>>> .../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 +
>>> 4 files changed, 180 insertions(+)
>>> create mode 100644 meta-networking/recipes-suppor
>>> t/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-
>>> the-length-before-c.patch
>>> create mode 100644 meta-networking/recipes-suppor
>>> t/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
>>> create mode 100644 meta-networking/recipes-suppor
>>> t/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-
>>> direction-octet-is.patch
>>>
>>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11541-In-safeputs-check-the-length-before-c.patch
>>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11541-In-safeputs-check-the-length-before-c.patch
>>> new file mode 100644
>>> index 000000000..a83214b02
>>> --- /dev/null
>>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11541-In-safeputs-check-the-length-before-c.patch
>>> @@ -0,0 +1,49 @@
>>> +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
>>> +From: Guy Harris <guy@alum.mit.edu>
>>> +Date: Tue, 7 Feb 2017 11:40:36 -0800
>>> +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
>>> + checking for a NUL terminator.
>>> +
>>> +safeputs() doesn't do packet bounds checking of its own; it assumes that
>>> +the caller has checked the availability in the packet data of all maxlen
>>> +bytes of data. This means we should check that we're within the
>>> +specified limit before looking at the byte.
>>> +
>>> +This fixes a buffer over-read discovered by Kamil Frankowicz.
>>> +
>>> +Add a test using the capture file supplied by the reporter(s).
>>> +
>>> +CVE: CVE-2017-11541
>>> +
>>> +Upstream-Status: Backport
>>> +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a
>>> 136c5c16882e368af7c173df728242280
>>> +
>>> +Drop the tests/* changes to workaroud patch error:
>>> +File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
>>> +
>>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>> +---
>>> + tests/TESTLIST | 1 +
>>> + tests/hoobr_safeputs.out | 2 ++
>>> + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
>>> + util-print.c | 2 +-
>>> + 4 files changed, 4 insertions(+), 1 deletion(-)
>>> + create mode 100644 tests/hoobr_safeputs.out
>>> + create mode 100644 tests/hoobr_safeputs.pcap
>>> +
>>> +diff --git a/util-print.c b/util-print.c
>>> +index 394e7d59..ec3e8de8 100644
>>> +--- a/util-print.c
>>> ++++ b/util-print.c
>>> +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
>>> + {
>>> + u_int idx = 0;
>>> +
>>> +- while (*s && idx < maxlen) {
>>> ++ while (idx < maxlen && *s) {
>>> + safeputchar(ndo, *s);
>>> + idx++;
>>> + s++;
>>> +--
>>> +2.13.0
>>> +
>>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-supp
>>> ort/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
>>> new file mode 100644
>>> index 000000000..a177e7c0b
>>> --- /dev/null
>>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11542-PIMv1-Add-a-bounds-check.patch
>>> @@ -0,0 +1,43 @@
>>> +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
>>> +From: Guy Harris <guy@alum.mit.edu>
>>> +Date: Tue, 7 Feb 2017 11:10:04 -0800
>>> +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
>>> +
>>> +This fixes a buffer over-read discovered by Kamil Frankowicz.
>>> +
>>> +Add a test using the capture file supplied by the reporter(s).
>>> +
>>> +CVE: CVE-2017-11542
>>> +
>>> +Upstream-Status: Backport
>>> +https://github.com/the-tcpdump-group/tcpdump/commit/bed4806
>>> 2a64fca524156d7684af19f5b4a116fae
>>> +
>>> +Drop the tests/* changes to workaroud patch error:
>>> +File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
>>> +
>>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>> +---
>>> + print-pim.c | 1 +
>>> + tests/TESTLIST | 1 +
>>> + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
>>> + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
>>> + 4 files changed, 27 insertions(+)
>>> + create mode 100644 tests/hoobr_pimv1.out
>>> + create mode 100644 tests/hoobr_pimv1.pcap
>>> +
>>> +diff --git a/print-pim.c b/print-pim.c
>>> +index 25525953..ed880ae7 100644
>>> +--- a/print-pim.c
>>> ++++ b/print-pim.c
>>> +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
>>> + pimv1_join_prune_print(ndo, &bp[8], len - 8);
>>> + break;
>>> + }
>>> ++ ND_TCHECK(bp[4]);
>>> + if ((bp[4] >> 4) != 1)
>>> + ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
>>> + return;
>>> +
>>> +--
>>> +2.13.0
>>> +
>>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>>> new file mode 100644
>>> index 000000000..36e3f6b0d
>>> --- /dev/null
>>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
>>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>>> @@ -0,0 +1,85 @@
>>> +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
>>> +From: Guy Harris <guy@alum.mit.edu>
>>> +Date: Fri, 17 Mar 2017 12:49:04 -0700
>>> +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is
>>> valid.
>>> +
>>> +Report if it's not, and don't use it as an out-of-bounds index into an
>>> +array.
>>> +
>>> +This fixes a buffer overflow discovered by Wilfried Kirsch.
>>> +
>>> +Add a test using the capture file supplied by the reporter(s), modified
>>> +so the capture file won't be rejected as an invalid capture.
>>> +
>>> +CVE: CVE-2017-11543
>>> +
>>> +Upstream-Status: Backport
>>> +https://github.com/the-tcpdump-group/tcpdump/commit/7039327
>>> 875525278d17edee59720e29a3e76b7b3
>>> +
>>> +Drop the tests/* changes to workaroud patch error:
>>> +File tests/slip-bad-direction.pcap: git binary diffs are not supported.
>>> +
>>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>> +---
>>> + print-sl.c | 25 +++++++++++++++++++++++--
>>> + tests/TESTLIST | 3 +++
>>> + tests/slip-bad-direction.out | 1 +
>>> + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
>>> + 4 files changed, 27 insertions(+), 2 deletions(-)
>>> + create mode 100644 tests/slip-bad-direction.out
>>> + create mode 100644 tests/slip-bad-direction.pcap
>>> +
>>> +diff --git a/print-sl.c b/print-sl.c
>>> +index 3fd7e898..a02077b3 100644
>>> +--- a/print-sl.c
>>> ++++ b/print-sl.c
>>> +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
>>> + u_int hlen;
>>> +
>>> + dir = p[SLX_DIR];
>>> +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
>>> ++ switch (dir) {
>>> +
>>> ++ case SLIPDIR_IN:
>>> ++ ND_PRINT((ndo, "I "));
>>> ++ break;
>>> ++
>>> ++ case SLIPDIR_OUT:
>>> ++ ND_PRINT((ndo, "O "));
>>> ++ break;
>>> ++
>>> ++ default:
>>> ++ ND_PRINT((ndo, "Invalid direction %d ", dir));
>>> ++ dir = -1;
>>> ++ break;
>>> ++ }
>>> + if (ndo->ndo_nflag) {
>>> + /* XXX just dump the header */
>>> + register int i;
>>> +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
>>> + * has restored the IP header copy to IPPROTO_TCP.
>>> + */
>>> + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
>>> ++ ND_PRINT((ndo, "utcp %d: ", lastconn));
>>> ++ if (dir == -1) {
>>> ++ /* Direction is bogus, don't use it */
>>> ++ return;
>>> ++ }
>>> + hlen = IP_HL(ip);
>>> + hlen += TH_OFF((const struct tcphdr *)&((const int
>>> *)ip)[hlen]);
>>> + lastlen[dir][lastconn] = length - (hlen << 2);
>>> +- ND_PRINT((ndo, "utcp %d: ", lastconn));
>>> + break;
>>> +
>>> + default:
>>> ++ if (dir == -1) {
>>> ++ /* Direction is bogus, don't use it */
>>> ++ return;
>>> ++ }
>>> + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
>>> + compressed_sl_print(ndo, &p[SLX_CHDR], ip,
>>> + length, dir);
>>> +
>>> +--
>>> +2.13.0
>>> +
>>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>>> b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>>> index 261c78427..668d6f5e1 100644
>>> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
>>> @@ -11,6 +11,9 @@ SRC_URI = " \
>>> file://tcpdump-configure-dlpi.patch \
>>> file://add-ptest.patch \
>>> file://run-ptest \
>>> + file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
>>> + file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
>>> \
>>> + file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
>>> \
>>> "
>>> SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
>>>
>>> --
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>>
--
Jose Lamego | OTC Embedded Platform & Tools | GDC
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543
2017-09-13 14:05 ` Jose Lamego
@ 2017-09-13 21:30 ` Martin Jansa
0 siblings, 0 replies; 5+ messages in thread
From: Martin Jansa @ 2017-09-13 21:30 UTC (permalink / raw)
To: Jose Lamego; +Cc: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 13274 bytes --]
On Wed, Sep 13, 2017 at 09:05:45AM -0500, Jose Lamego wrote:
>
>
> On 09/13/2017 04:17 AM, Martin Jansa wrote:
> > Please update the state on patchwork (https://patchwork.
> > openembedded.org/project/oe/patches/) when sending updates like this.
> >
> > You can update it on the site or use some magic keywords in the e-mail
> > reply to update it automatically (but I've failed to find link to
> > documentation how this magic should look like).
> >
>
> To automatically change a patch status in Patchwork, the string to be
> included at the bottom of an email reply must be in the form:
> [Patchwork-Status: <new-state>]
>
> where <new-state> can be any of the existing states (excepting "Accepted").
>
> This and other ways of updating patch statuses can be seen at:
> http://www.openembedded.org/wiki/Patchwork#Update_the_state_of_patches
Thanks for the info.
I've tried it with:
https://patchwork.openembedded.org/patch/144079/
and it doesn't seem to work, patchwork shows my reply, but the state is
still New not Rejected.
>
> > On Wed, Sep 13, 2017 at 5:21 AM, wenzong fan <wenzong.fan@windriver.com>
> > wrote:
> >
> >> Please ignore this patch, the fixes has been included by:
> >>
> >> [oe] [meta-networking][PATCH] tcpdump: update to 4.9.2 to fix CVEs
> >>
> >> Thanks
> >> Wenzong
> >>
> >>
> >> On 09/07/2017 05:49 PM, wenzong.fan@windriver.com wrote:
> >>
> >>> From: Wenzong Fan <wenzong.fan@windriver.com>
> >>>
> >>> Backport patches for fixing:
> >>> - CVE-2017-11541:
> >>> https://nvd.nist.gov/vuln/detail/CVE-2017-11541
> >>> https://github.com/the-tcpdump-group/tcpdump/commit/21d702a
> >>> 136c5c16882e368af7c173df728242280
> >>>
> >>> - CVE-2017-11542:
> >>> https://nvd.nist.gov/vuln/detail/CVE-2017-11542
> >>> https://github.com/the-tcpdump-group/tcpdump/commit/bed4806
> >>> 2a64fca524156d7684af19f5b4a116fae
> >>>
> >>> - CVE-2017-11543:
> >>> https://nvd.nist.gov/vuln/detail/CVE-2017-11543
> >>> https://github.com/the-tcpdump-group/tcpdump/commit/7039327
> >>> 875525278d17edee59720e29a3e76b7b3
> >>>
> >>> The tests/* changes dropped to workaround patch error:
> >>> File tests/*.pcap: git binary diffs are not supported.
> >>>
> >>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> >>> ---
> >>> ...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
> >>> ...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
> >>> ...543-Make-sure-the-SLIP-direction-octet-is.patch | 85
> >>> ++++++++++++++++++++++
> >>> .../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 +
> >>> 4 files changed, 180 insertions(+)
> >>> create mode 100644 meta-networking/recipes-suppor
> >>> t/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-
> >>> the-length-before-c.patch
> >>> create mode 100644 meta-networking/recipes-suppor
> >>> t/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> >>> create mode 100644 meta-networking/recipes-suppor
> >>> t/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-
> >>> direction-octet-is.patch
> >>>
> >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11541-In-safeputs-check-the-length-before-c.patch
> >>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11541-In-safeputs-check-the-length-before-c.patch
> >>> new file mode 100644
> >>> index 000000000..a83214b02
> >>> --- /dev/null
> >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11541-In-safeputs-check-the-length-before-c.patch
> >>> @@ -0,0 +1,49 @@
> >>> +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
> >>> +From: Guy Harris <guy@alum.mit.edu>
> >>> +Date: Tue, 7 Feb 2017 11:40:36 -0800
> >>> +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
> >>> + checking for a NUL terminator.
> >>> +
> >>> +safeputs() doesn't do packet bounds checking of its own; it assumes that
> >>> +the caller has checked the availability in the packet data of all maxlen
> >>> +bytes of data. This means we should check that we're within the
> >>> +specified limit before looking at the byte.
> >>> +
> >>> +This fixes a buffer over-read discovered by Kamil Frankowicz.
> >>> +
> >>> +Add a test using the capture file supplied by the reporter(s).
> >>> +
> >>> +CVE: CVE-2017-11541
> >>> +
> >>> +Upstream-Status: Backport
> >>> +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a
> >>> 136c5c16882e368af7c173df728242280
> >>> +
> >>> +Drop the tests/* changes to workaroud patch error:
> >>> +File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
> >>> +
> >>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> >>> +---
> >>> + tests/TESTLIST | 1 +
> >>> + tests/hoobr_safeputs.out | 2 ++
> >>> + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
> >>> + util-print.c | 2 +-
> >>> + 4 files changed, 4 insertions(+), 1 deletion(-)
> >>> + create mode 100644 tests/hoobr_safeputs.out
> >>> + create mode 100644 tests/hoobr_safeputs.pcap
> >>> +
> >>> +diff --git a/util-print.c b/util-print.c
> >>> +index 394e7d59..ec3e8de8 100644
> >>> +--- a/util-print.c
> >>> ++++ b/util-print.c
> >>> +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
> >>> + {
> >>> + u_int idx = 0;
> >>> +
> >>> +- while (*s && idx < maxlen) {
> >>> ++ while (idx < maxlen && *s) {
> >>> + safeputchar(ndo, *s);
> >>> + idx++;
> >>> + s++;
> >>> +--
> >>> +2.13.0
> >>> +
> >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-supp
> >>> ort/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> >>> new file mode 100644
> >>> index 000000000..a177e7c0b
> >>> --- /dev/null
> >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11542-PIMv1-Add-a-bounds-check.patch
> >>> @@ -0,0 +1,43 @@
> >>> +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
> >>> +From: Guy Harris <guy@alum.mit.edu>
> >>> +Date: Tue, 7 Feb 2017 11:10:04 -0800
> >>> +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
> >>> +
> >>> +This fixes a buffer over-read discovered by Kamil Frankowicz.
> >>> +
> >>> +Add a test using the capture file supplied by the reporter(s).
> >>> +
> >>> +CVE: CVE-2017-11542
> >>> +
> >>> +Upstream-Status: Backport
> >>> +https://github.com/the-tcpdump-group/tcpdump/commit/bed4806
> >>> 2a64fca524156d7684af19f5b4a116fae
> >>> +
> >>> +Drop the tests/* changes to workaroud patch error:
> >>> +File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
> >>> +
> >>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> >>> +---
> >>> + print-pim.c | 1 +
> >>> + tests/TESTLIST | 1 +
> >>> + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++
> >>> + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
> >>> + 4 files changed, 27 insertions(+)
> >>> + create mode 100644 tests/hoobr_pimv1.out
> >>> + create mode 100644 tests/hoobr_pimv1.pcap
> >>> +
> >>> +diff --git a/print-pim.c b/print-pim.c
> >>> +index 25525953..ed880ae7 100644
> >>> +--- a/print-pim.c
> >>> ++++ b/print-pim.c
> >>> +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
> >>> + pimv1_join_prune_print(ndo, &bp[8], len - 8);
> >>> + break;
> >>> + }
> >>> ++ ND_TCHECK(bp[4]);
> >>> + if ((bp[4] >> 4) != 1)
> >>> + ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
> >>> + return;
> >>> +
> >>> +--
> >>> +2.13.0
> >>> +
> >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> >>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> >>> new file mode 100644
> >>> index 000000000..36e3f6b0d
> >>> --- /dev/null
> >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-
> >>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> >>> @@ -0,0 +1,85 @@
> >>> +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
> >>> +From: Guy Harris <guy@alum.mit.edu>
> >>> +Date: Fri, 17 Mar 2017 12:49:04 -0700
> >>> +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is
> >>> valid.
> >>> +
> >>> +Report if it's not, and don't use it as an out-of-bounds index into an
> >>> +array.
> >>> +
> >>> +This fixes a buffer overflow discovered by Wilfried Kirsch.
> >>> +
> >>> +Add a test using the capture file supplied by the reporter(s), modified
> >>> +so the capture file won't be rejected as an invalid capture.
> >>> +
> >>> +CVE: CVE-2017-11543
> >>> +
> >>> +Upstream-Status: Backport
> >>> +https://github.com/the-tcpdump-group/tcpdump/commit/7039327
> >>> 875525278d17edee59720e29a3e76b7b3
> >>> +
> >>> +Drop the tests/* changes to workaroud patch error:
> >>> +File tests/slip-bad-direction.pcap: git binary diffs are not supported.
> >>> +
> >>> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> >>> +---
> >>> + print-sl.c | 25 +++++++++++++++++++++++--
> >>> + tests/TESTLIST | 3 +++
> >>> + tests/slip-bad-direction.out | 1 +
> >>> + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
> >>> + 4 files changed, 27 insertions(+), 2 deletions(-)
> >>> + create mode 100644 tests/slip-bad-direction.out
> >>> + create mode 100644 tests/slip-bad-direction.pcap
> >>> +
> >>> +diff --git a/print-sl.c b/print-sl.c
> >>> +index 3fd7e898..a02077b3 100644
> >>> +--- a/print-sl.c
> >>> ++++ b/print-sl.c
> >>> +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
> >>> + u_int hlen;
> >>> +
> >>> + dir = p[SLX_DIR];
> >>> +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
> >>> ++ switch (dir) {
> >>> +
> >>> ++ case SLIPDIR_IN:
> >>> ++ ND_PRINT((ndo, "I "));
> >>> ++ break;
> >>> ++
> >>> ++ case SLIPDIR_OUT:
> >>> ++ ND_PRINT((ndo, "O "));
> >>> ++ break;
> >>> ++
> >>> ++ default:
> >>> ++ ND_PRINT((ndo, "Invalid direction %d ", dir));
> >>> ++ dir = -1;
> >>> ++ break;
> >>> ++ }
> >>> + if (ndo->ndo_nflag) {
> >>> + /* XXX just dump the header */
> >>> + register int i;
> >>> +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
> >>> + * has restored the IP header copy to IPPROTO_TCP.
> >>> + */
> >>> + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
> >>> ++ ND_PRINT((ndo, "utcp %d: ", lastconn));
> >>> ++ if (dir == -1) {
> >>> ++ /* Direction is bogus, don't use it */
> >>> ++ return;
> >>> ++ }
> >>> + hlen = IP_HL(ip);
> >>> + hlen += TH_OFF((const struct tcphdr *)&((const int
> >>> *)ip)[hlen]);
> >>> + lastlen[dir][lastconn] = length - (hlen << 2);
> >>> +- ND_PRINT((ndo, "utcp %d: ", lastconn));
> >>> + break;
> >>> +
> >>> + default:
> >>> ++ if (dir == -1) {
> >>> ++ /* Direction is bogus, don't use it */
> >>> ++ return;
> >>> ++ }
> >>> + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
> >>> + compressed_sl_print(ndo, &p[SLX_CHDR], ip,
> >>> + length, dir);
> >>> +
> >>> +--
> >>> +2.13.0
> >>> +
> >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> >>> b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> >>> index 261c78427..668d6f5e1 100644
> >>> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> >>> @@ -11,6 +11,9 @@ SRC_URI = " \
> >>> file://tcpdump-configure-dlpi.patch \
> >>> file://add-ptest.patch \
> >>> file://run-ptest \
> >>> + file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
> >>> + file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
> >>> \
> >>> + file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> >>> \
> >>> "
> >>> SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
> >>>
> >>> --
> >> _______________________________________________
> >> Openembedded-devel mailing list
> >> Openembedded-devel@lists.openembedded.org
> >> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
> >>
>
> --
> Jose Lamego | OTC Embedded Platform & Tools | GDC
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 201 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-09-13 21:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-07 9:49 [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543 wenzong.fan
2017-09-13 3:21 ` wenzong fan
2017-09-13 9:17 ` Martin Jansa
2017-09-13 14:05 ` Jose Lamego
2017-09-13 21:30 ` Martin Jansa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.