Package: src:tcpdump Version: 4.6.2-4 Tags: patch Usertags: origin-ubuntu ubuntu-patch vivid
In Ubuntu, we've applied the attached patch to achieve the following: * debian/patches/60_cve-2015-2153-fix-regression.diff: - Fix regression due to 60_cve-2015-2153.diff We thought you might be interested in doing the same.
Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems. - Fix/add ND_TCHECK2 tests, - Fix a buffer overflow, - Remove a debug printf Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695
diff -pruN -x '*~' tcpdump-4.6.2.orig/print-rpki-rtr.c tcpdump-4.6.2/print-rpki-rtr.c
--- tcpdump-4.6.2.orig/print-rpki-rtr.c 2015-03-22 12:55:55.349173971 +0100
+++ tcpdump-4.6.2/print-rpki-rtr.c 2015-03-22 12:49:56.987396951 +0100
@@ -178,7 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *
 pdu_header = (rpki_rtr_pdu *)tptr;
 pdu_type = pdu_header->pdu_type;
 pdu_len = EXTRACT_32BITS(pdu_header->length);
- ND_TCHECK2(tptr, pdu_len);
+ ND_TCHECK2(*tptr, pdu_len);
 hexdump = FALSE;
 ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
@@ -255,6 +255,7 @@ rpki_rtr_pdu_print (netdissect_options *
 pdu = (rpki_rtr_pdu_error_report *)tptr;
 encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
+ ND_TCHECK2(*tptr, encapsulated_pdu_length);
 tlen = pdu_len;
 error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
@@ -287,9 +288,10 @@ rpki_rtr_pdu_print (netdissect_options *
 tptr += 4;
 tlen -= 4;
 }
+ ND_TCHECK2(*tptr, text_length);
 if (text_length && (text_length <= tlen )) {
 memcpy(buf, tptr, min(sizeof(buf)-1, text_length));
- buf[text_length] = '\0';
+ buf[min(sizeof(buf) - 1, text_length)] = '\0';
 ND_PRINT((ndo, "%sError text: %s", indent_string(indent+2), buf));
 }
 }
@@ -336,13 +338,13 @@ rpki_rtr_print(netdissect_options *ndo,
 pdu_header = (rpki_rtr_pdu *)tptr;
 pdu_type = pdu_header->pdu_type;
 pdu_len = EXTRACT_32BITS(pdu_header->length);
+ ND_TCHECK2(*tptr, pdu_len);
 /* infinite loop check */
 if (!pdu_type || !pdu_len) {
 break;
 }
- ND_TCHECK2(*tptr, pdu_len);
 if (tlen < pdu_len) {
 goto trunc;
 }
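Review bot: In the first hunk, `pdu_header->pdu_type` and `pdu_header->length` are read before any visible check that the fixed header lies inside the captured data. The corrected `ND_TCHECK2(*tptr, pdu_len)` runs only afterwards and takes its length from the packet. Unless every caller has already verified those bytes, which cannot be seen from here, I would add `ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu));` ahead of the first field access. I would also reject a `pdu_len` below the header size with `if (pdu_len < sizeof(rpki_rtr_pdu)) goto trunc;`, since the later per-type casts assume at least a full header. The body of rpki_rtr_pdu_print starts and ends outside the hunk.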
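Review bot: In the second hunk, `pdu->encapsulated_pdu_length` is extracted before anything shown confirms that `pdu_len` covers the larger error-report header. The added `ND_TCHECK2(*tptr, encapsulated_pdu_length)` also measures from the start of the PDU, which (judging by the struct name) is not where the encapsulated PDU begins, so it appears to under-check by the size of that header. I would require `if (pdu_len < sizeof(rpki_rtr_pdu_error_report)) goto trunc;` before the extract and then bound the field with `if (encapsulated_pdu_length > pdu_len - sizeof(rpki_rtr_pdu_error_report)) goto trunc;`. The subtraction cannot wrap once the first test has passed. Code after the hunk may already compare the value with `tlen`; that part is not visible.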
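Review bot: In the third hunk, the error text taken from the packet is still printed with `%s`, so control characters reach the terminal unescaped and an embedded NUL silently shortens the output. Inside the `if (text_length && ...)` block I would print it through tcpdump's escaping helper instead, something like `fn_printn(ndo, tptr, text_length, ndo->ndo_snapend)` if that helper is available in this tree, which also removes the need for `buf`. If the copy is kept, compute `min(sizeof(buf) - 1, text_length)` once into a local and use it for both the `memcpy` and the terminator, so the two cannot diverge again. The enclosing block starts outside the hunk.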