* Re: [meta-oe][master][PATCH] tcpdump: Add fix for CVE-2018-16301
       [not found] <20220509072042.9829-1-Riyaz.Khan@kpit.com>
@ 2022-05-09 17:05 ` Khem Raj
  0 siblings, 0 replies; only message in thread
From: Khem Raj @ 2022-05-09 17:05 UTC (permalink / raw)
  To: Riyaz
  Cc: Patches and discussions about the oe-core layer, Nisha Parrakat,
	Anuj Chougule

Send it to the openembedded-devel mailing list please.

On Mon, May 9, 2022 at 12:21 AM Riyaz <Riyaz.Khan@kpit.com> wrote:
>
> From: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
>
> Add patch for CVE issue: CVE-2018-16301
> Link: https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86
>
> Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
> ---
>  .../tcpdump/tcpdump/CVE-2018-16301.patch      | 111 ++++++++++++++++++
>  .../recipes-support/tcpdump/tcpdump_4.9.3.bb  |   1 +
>  2 files changed, 112 insertions(+)
>  create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
>
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
> new file mode 100644
> index 000000000..5f5c68ccd
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
> @@ -0,0 +1,111 @@
> +From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001
> +From: Guy Harris <gharris@sonic.net>
> +Date: Wed, 30 Sep 2020 11:37:30 -0700
> +Subject: [PATCH] Handle very large -f files by rejecting them.
> +
> +_read(), on Windows, has a 32-bit size argument and a 32-bit return
> +value, so reject -f files that have more than 2^31-1 characters.
> +
> +Add some #defines so that, on Windows, we use _fstati64 to get the size
> +of that file, to handle large files.
> +
> +Don't assume that our definition for ssize_t is the same size as size_t;
> +by the time we want to print the return value of the read, we know it'll
> +fit into an int, so just cast it to int and print it with %d.
> +
> +(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77)
> +
> +CVE: CVE-2022-25308
> +Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86]
> +
> +Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
> +
> +---
> + netdissect-stdinc.h | 16 +++++++++++++++-
> + tcpdump.c           | 15 ++++++++++++---
> + 2 files changed, 27 insertions(+), 4 deletions(-)
> +
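Review bot: The CVE: tag in this patch header reads CVE-2022-25308, while the patch file name, the commit subject and the SRC_URI entry all say CVE-2018-16301. The CVE: tag is what CVE checking reads to treat an issue as patched, so it should read "CVE: CVE-2018-16301" to match the rest of the submission; if the other identifier is really intended, the file name and subject need to change instead.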
> +diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h
> +index 8282c5846..9941c2a16 100644
> +--- a/netdissect-stdinc.h
> ++++ b/netdissect-stdinc.h
> +@@ -149,10 +149,17 @@
> + #ifdef _MSC_VER
> + #define stat _stat
> + #define open _open
> +-#define fstat _fstat
> + #define read _read
> + #define close _close
> + #define O_RDONLY _O_RDONLY
> ++
> ++/*
> ++ * We define our_fstat64 as _fstati64, and define our_statb as
> ++ * struct _stati64, so we get 64-bit file sizes.
> ++ */
> ++#define our_fstat _fstati64
> ++#define our_statb struct _stati64
> ++
> + #endif  /* _MSC_VER */
> +
> + /*
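Review bot: The comment added inside the _MSC_VER block says "We define our_fstat64 as _fstati64", but the macro defined two lines later is our_fstat, and no our_fstat64 appears anywhere in the patch. The same block also drops "#define fstat _fstat", so any fstat() caller other than read_infile() loses its mapping on that compiler; worth confirming that 4.9.3 has no other caller before carrying this hunk unchanged.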
> +@@ -211,6 +218,13 @@ typedef char* caddr_t;
> +
> + #include <arpa/inet.h>
> +
> ++/*
> ++ * We should have large file support enabled, if it's available,
> ++ * so just use fstat as our_fstat and struct stat as our_statb.
> ++ */
> ++#define our_fstat fstat
> ++#define our_statb struct stat
> ++
> + #endif /* _WIN32 */
> +
> + #ifndef HAVE___ATTRIBUTE__
> +diff --git a/tcpdump.c b/tcpdump.c
> +index 043bda1d7..8f27ba2a4 100644
> +--- a/tcpdump.c
> ++++ b/tcpdump.c
> +@@ -108,6 +108,7 @@ The Regents of the University of California.  All rights reserved.\n";
> + #endif /* HAVE_CAP_NG_H */
> + #endif /* HAVE_LIBCAP_NG */
> +
> ++#include "netdissect-stdinc.h"
> + #include "netdissect.h"
> + #include "interface.h"
> + #include "addrtoname.h"
> +@@ -861,15 +862,22 @@ read_infile(char *fname)
> + {
> +       register int i, fd, cc;
> +       register char *cp;
> +-      struct stat buf;
> ++      our_statb buf;
> +
> +       fd = open(fname, O_RDONLY|O_BINARY);
> +       if (fd < 0)
> +               error("can't open %s: %s", fname, pcap_strerror(errno));
> +
> +-      if (fstat(fd, &buf) < 0)
> ++      if (our_fstat(fd, &buf) < 0)
> +               error("can't stat %s: %s", fname, pcap_strerror(errno));
> +
> ++      /*
> ++       * Reject files whose size doesn't fit into an int; a filter
> ++       * *that* large will probably be too big.
> ++       */
> ++      if (buf.st_size > INT_MAX)
> ++              error("%s is too large", fname);
> ++
> +       cp = malloc((u_int)buf.st_size + 1);
> +       if (cp == NULL)
> +               error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1,
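Review bot: The new size check compares buf.st_size against INT_MAX, and none of the hunks for tcpdump.c adds an include of <limits.h>; the only include added is "netdissect-stdinc.h". Since this is a backport onto 4.9.3 rather than the tree the upstream commit was written for, please confirm that INT_MAX is already visible at this point in tcpdump.c and state in the patch header that the backport was build-tested against 4.9.3.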
> +@@ -878,7 +886,8 @@ read_infile(char *fname)
> +       if (cc < 0)
> +               error("read %s: %s", fname, pcap_strerror(errno));
> +       if (cc != buf.st_size)
> +-              error("short read %s (%d != %d)", fname, cc, (int)buf.st_size);
> ++              error("short read %s (%d != %d)", fname, (int) cc,
> ++                  (int)buf.st_size);
> +
> +       close(fd);
> +       /* replace "# comment" with spaces */
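Review bot: The "(int) cc" cast in the short-read message has no effect in this tree, because the context at the top of read_infile() in the previous hunk still declares cc as "register int i, fd, cc;". The commit message's paragraph about ssize_t therefore describes a declaration that is not part of this backport; either say in the patch header that the hunk was carried over as-is for 4.9.3, or drop the paragraph so the header matches what the patch actually changes.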
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
> index 2ea493863..66bf21775 100644
> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
> @@ -18,6 +18,7 @@ SRC_URI = " \
>      file://add-ptest.patch \
>      file://run-ptest \
>      file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
> +    file://CVE-2018-16301.patch \
>  "
>
>  SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
> --
> 2.17.1
>

