Hello community,

here is the log from the commit of package tcpdump for openSUSE:Factory checked in at 2019-07-28 10:18:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tcpdump (Old)
 and      /work/SRC/openSUSE:Factory/.tcpdump.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tcpdump" Sun Jul 28 10:18:08 2019 rev:38 rq:717922 version:4.9.2 Changes: -------- --- /work/SRC/openSUSE:Factory/tcpdump/tcpdump.changes 2018-12-11 15:46:16.578309228 +0100 +++ /work/SRC/openSUSE:Factory/.tcpdump.new.4126/tcpdump.changes 2019-07-28 10:18:15.800601471 +0200 @@ -1,0 +2,19 @@ +Tue Jul 23 11:45:46 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Security fix [bsc#1142439, CVE-2019-1010220] + * Buffer Over-read in print_prefix which may expose data + * Added tcpdump-CVE-2019-1010220.patch + +------------------------------------------------------------------- +Tue Jul 23 10:37:17 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Use %license macro for LICENSE file + +------------------------------------------------------------------- +Tue Jul 23 10:24:31 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Security fix [bsc#1068716, CVE-2017-16808] + * Heap-based buffer over-read related to aoe_print and lookup_emem + * Added tcpdump-CVE-2017-16808.patch + +------------------------------------------------------------------- New: ---- tcpdump-CVE-2017-16808.patch tcpdump-CVE-2019-1010220.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tcpdump.spec ++++++ --- /var/tmp/diff_new_pack.r7tgwe/_old 2019-07-28 10:18:18.420601475 +0200 +++ /var/tmp/diff_new_pack.r7tgwe/_new 2019-07-28 10:18:18.464601475 +0200 @@ -1,7 +1,7 @@ # # spec file for package tcpdump # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -32,6 +32,10 @@ Patch0: tcpdump-ikev2pI2.patch # PATCH-FIX-OPENSUSE tcpdump-CVE-2018-19519.patch - Initialize buf in print-hncp.c:print_prefix Patch1: tcpdump-CVE-2018-19519.patch +# PATCH-FIX-UPSTREAM bsc#1068716 CVE-2017-16808 Heap-based buffer over-read related to aoe_print and lookup_emem +Patch2: tcpdump-CVE-2017-16808.patch +# PATCH-FIX-UPSTREAM bsc#1142439 CVE-2019-1010220 Buffer Over-read in print_prefix +Patch3: tcpdump-CVE-2019-1010220.patch BuildRequires: libpcap-devel >= %{min_libpcap_version} BuildRequires: libsmi-devel BuildRequires: openssl-devel @@ -46,6 +50,8 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build export CFLAGS="%{optflags} -Wall -DGUESS_TSO -fstack-protector -fno-strict-aliasing" @@ -65,7 +71,8 @@ %files %defattr(-,root,root) -%doc CHANGES CREDITS LICENSE README* *.awk +%license LICENSE +%doc CHANGES CREDITS README* *.awk %{_mandir}/man?/* %{_sbindir}/tcpdump %ifarch s390 s390x ++++++ tcpdump-CVE-2017-16808.patch ++++++ >From 28f610026d901660dd370862b62ec328727446a2 Mon Sep 17 00:00:00 2001 From: Denis Ovsienko <de...@ovsienko.info> Date: Thu, 31 Aug 2017 21:15:37 +0100 Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. In aoev1_reserve_print() check bounds before trying to print an Ethernet address. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. --- print-aoe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/print-aoe.c b/print-aoe.c index 97e93df2e..2c78a55d3 100644 --- a/print-aoe.c +++ b/print-aoe.c @@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, goto invalid; /* addresses */ for (i = 0; i < nmacs; i++) { + ND_TCHECK2(*cp, ETHER_ADDR_LEN); ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); cp += ETHER_ADDR_LEN; } ++++++ tcpdump-CVE-2019-1010220.patch ++++++ >From 511915bef7e4de2f31b8d9f581b4a44b0cfbcf53 Mon Sep 17 00:00:00 2001 
From: Guy Harris <g...@alum.mit.edu> Date: Sat, 1 Jun 2019 14:42:09 -0700 Subject: [PATCH] If decode_prefix6() returns a negative number, don't print buf. If it returns a negative number, it hasn't necessarily filled in buf, so just return immediately; this is similar to the IPv4 code path, wherein we just return a negative number, and print nothing, on an error. This should fix GitHub issue #763. --- print-hncp.c | 2 ++ 1 file changed, 2 insertions(+) Index: tcpdump-4.9.2/print-hncp.c =================================================================== --- tcpdump-4.9.2.orig/print-hncp.c +++ tcpdump-4.9.2/print-hncp.c @@ -231,6 +231,8 @@ print_prefix(netdissect_options *ndo, co plenbytes += 1 + IPV4_MAPPED_HEADING_LEN; } else { plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf)); + if (plenbytes < 0) + return plenbytes; } ND_PRINT((ndo, "%s", buf));
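Review bot: In the tcpdump.spec hunk at @@ -32,6 +32,10 @@, the new Patch3 comment does not say how it relates to Patch1, which is described as "Initialize buf in print-hncp.c:print_prefix" and so touches the same function. Patch3 makes print_prefix return before printing buf when decode_prefix6() fails, which overlaps with the case an initialized buf was covering. Suggest extending the Patch3 comment to state whether Patch1 is kept deliberately as a second layer or can be dropped now that the upstream fix is applied, so the next version update does not have to work this out again.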
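Review bot: In the print-aoe.c hunk at @@ -325,6 +325,7 @@, the added ND_TCHECK2(*cp, ETHER_ADDR_LEN) at the top of the for loop in aoev1_reserve_print() arrives without a regression capture: the diffstat lists only print-aoe.c with 1 insertion. Since this is the fix for CVE-2017-16808, it would help to carry a truncated AoE reserve packet as a test input, or to note in the spec comment for Patch2 that no test was packaged, so a later rebase can confirm the check still guards every etheraddr_string(ndo, cp) call in the loop.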
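Review bot: In the print-hncp.c hunk at @@ -231,6 +231,8 @@, the new early return after decode_prefix6() has no inline comment, so the reason it must come before ND_PRINT((ndo, "%s", buf)) lives only in the commit message. Suggest a one-line comment above "if (plenbytes < 0)" saying that buf is not necessarily filled in on a negative return and must not be printed. The commit message says the IPv4 path already returns a negative number without printing, but that check is not visible in this hunk's context, so it is worth confirming when the patch is rebased.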