Hello community,

here is the log from the commit of package tcpdump for openSUSE:Factory checked 
in at 2019-07-28 10:18:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tcpdump (Old)
 and      /work/SRC/openSUSE:Factory/.tcpdump.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tcpdump"

Sun Jul 28 10:18:08 2019 rev:38 rq:717922 version:4.9.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/tcpdump/tcpdump.changes  2018-12-11 
15:46:16.578309228 +0100
+++ /work/SRC/openSUSE:Factory/.tcpdump.new.4126/tcpdump.changes        
2019-07-28 10:18:15.800601471 +0200
@@ -1,0 +2,19 @@
+Tue Jul 23 11:45:46 UTC 2019 - Pedro Monreal Gonzalez 
<pmonrealgonza...@suse.com>
+
+- Security fix [bsc#1142439, CVE-2019-1010220]
+  * Buffer Over-read in print_prefix which may expose data
+  * Added tcpdump-CVE-2019-1010220.patch
+
+-------------------------------------------------------------------
+Tue Jul 23 10:37:17 UTC 2019 - Pedro Monreal Gonzalez 
<pmonrealgonza...@suse.com>
+
+- Use %license macro for LICENSE file
+
+-------------------------------------------------------------------
+Tue Jul 23 10:24:31 UTC 2019 - Pedro Monreal Gonzalez 
<pmonrealgonza...@suse.com>
+
+- Security fix [bsc#1068716, CVE-2017-16808]
+  * Heap-based buffer over-read related to aoe_print and lookup_emem
+  * Added tcpdump-CVE-2017-16808.patch
+
+-------------------------------------------------------------------
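Review bot: The CVE-2017-16808 entry names aoe_print and lookup_emem, but the patch it adds changes aoev1_reserve_print in print-aoe.c. Naming the function that is actually patched would make it easier to match the changelog entry to the fix.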

New:
----
  tcpdump-CVE-2017-16808.patch
  tcpdump-CVE-2019-1010220.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tcpdump.spec ++++++
--- /var/tmp/diff_new_pack.r7tgwe/_old  2019-07-28 10:18:18.420601475 +0200
+++ /var/tmp/diff_new_pack.r7tgwe/_new  2019-07-28 10:18:18.464601475 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package tcpdump
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,10 @@
 Patch0:         tcpdump-ikev2pI2.patch
 # PATCH-FIX-OPENSUSE tcpdump-CVE-2018-19519.patch - Initialize buf in 
print-hncp.c:print_prefix
 Patch1:         tcpdump-CVE-2018-19519.patch
+# PATCH-FIX-UPSTREAM bsc#1068716 CVE-2017-16808 Heap-based buffer over-read 
related to aoe_print and lookup_emem
+Patch2:         tcpdump-CVE-2017-16808.patch
+# PATCH-FIX-UPSTREAM bsc#1142439 CVE-2019-1010220 Buffer Over-read in 
print_prefix
+Patch3:         tcpdump-CVE-2019-1010220.patch
 BuildRequires:  libpcap-devel >= %{min_libpcap_version}
 BuildRequires:  libsmi-devel
 BuildRequires:  openssl-devel
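Review bot: Patch1 and Patch3 both modify print_prefix in print-hncp.c, so Patch3 has to apply on top of Patch1, and the Patch3 comment line should say so for whoever rebases next. Patch1 is tagged PATCH-FIX-OPENSUSE while the new patches are PATCH-FIX-UPSTREAM. With the upstream early return now present, decide whether the buf initialisation from Patch1 is kept deliberately as defence in depth or should be dropped at the next version update.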
@@ -46,6 +50,8 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 export CFLAGS="%{optflags} -Wall -DGUESS_TSO -fstack-protector 
-fno-strict-aliasing"
@@ -65,7 +71,8 @@
 
 %files
 %defattr(-,root,root)
-%doc CHANGES CREDITS LICENSE README* *.awk
+%license LICENSE
+%doc CHANGES CREDITS README* *.awk
 %{_mandir}/man?/*
 %{_sbindir}/tcpdump
 %ifarch s390 s390x


++++++ tcpdump-CVE-2017-16808.patch ++++++
>From 28f610026d901660dd370862b62ec328727446a2 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <de...@ovsienko.info>
Date: Thu, 31 Aug 2017 21:15:37 +0100
Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check.

In aoev1_reserve_print() check bounds before trying to print an Ethernet
address.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
---
 print-aoe.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/print-aoe.c b/print-aoe.c
index 97e93df2e..2c78a55d3 100644
--- a/print-aoe.c
+++ b/print-aoe.c
@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo,
                goto invalid;
        /* addresses */
        for (i = 0; i < nmacs; i++) {
+               ND_TCHECK2(*cp, ETHER_ADDR_LEN);
                ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, 
etheraddr_string(ndo, cp)));
                cp += ETHER_ADDR_LEN;
        }
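Review bot: The added ND_TCHECK2(*cp, ETHER_ADDR_LEN) in the loop body hides a goto to the function's truncation label, which this hunk does not show; the only exit visible here is `goto invalid`. Confirm that aoev1_reserve_print has that label and that it reports truncation rather than falling into the invalid path. The diffstat lists only print-aoe.c, so the backport carries no regression capture. A reserve packet with fewer address bytes than nmacs claims would guard the fix.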
++++++ tcpdump-CVE-2019-1010220.patch ++++++
>From 511915bef7e4de2f31b8d9f581b4a44b0cfbcf53 Mon Sep 17 00:00:00 2001
From: Guy Harris <g...@alum.mit.edu>
Date: Sat, 1 Jun 2019 14:42:09 -0700
Subject: [PATCH] If decode_prefix6() returns a negative number, don't print
 buf.

If it returns a negative number, it hasn't necessarily filled in buf, so
just return immediately; this is similar to the IPv4 code path, wherein
we just return a negative number, and print nothing, on an error.

This should fix GitHub issue #763.
---
 print-hncp.c | 2 ++
 1 file changed, 2 insertions(+)

Index: tcpdump-4.9.2/print-hncp.c
===================================================================
--- tcpdump-4.9.2.orig/print-hncp.c
+++ tcpdump-4.9.2/print-hncp.c
@@ -231,6 +231,8 @@ print_prefix(netdissect_options *ndo, co
         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
     } else {
         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
+        if (plenbytes < 0)
+            return plenbytes;
     }
 
     ND_PRINT((ndo, "%s", buf));
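Review bot: The new `return plenbytes;` in the else branch hands decode_prefix6()'s negative value straight to the callers of print_prefix, which are not shown here. Each caller has to test for a negative result before using it as a length to advance, otherwise the over-read moves rather than disappears. The check is added only on the IPv6 path. The commit message says the IPv4 path already returns on error, so it is worth confirming that the context line `plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;` cannot be reached with a negative plenbytes.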

