[oe] [meta-oe][PATCH] tcpdump: Delete unused patch
Delete patch "0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch" since it is not used in the tcpdump recipe anymore. Signed-off-by: Peiran Hong --- ...16808-AoE-Add-a-missing-bounds-check.patch | 61 --- 1 file changed, 61 deletions(-) delete mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch deleted file mode 100644 index 919f2b009..0 --- a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001 -From: Peiran Hong -Date: Fri, 13 Sep 2019 17:02:57 -0400 -Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. - - netdissect.h | 12 - print-aoe.c | 1 + - 2 files changed, 13 insertions(+) - -diff --git a/netdissect.h b/netdissect.h -index 089b0406..cd05fdb9 100644 a/netdissect.h -+++ b/netdissect.h -@@ -69,6 +69,11 @@ typedef struct { - typedef unsigned char nd_uint8_t; - typedef signed char nd_int8_t; - -+/* -+ * Use this for MAC addresses. -+ */ -+#define MAC_ADDR_LEN6 /* length of MAC addresses */ -+ - /* snprintf et al */ - - #include -@@ -309,12 +314,19 @@ struct netdissect_options { - ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ - (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l))) - -+#define ND_TTEST_LEN(p, l) \ -+ (IS_NOT_NEGATIVE(l) && \ -+((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ -+ (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l))) -+ - /* True if "var" was captured */ - #define ND_TTEST(var) ND_TTEST2(var, sizeof(var)) - - /* Bail if "l" bytes of "var" were not captured */ - #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc - -+#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc -+ - /* Bail if "var" was not captured */ - #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var)) - -diff --git a/print-aoe.c b/print-aoe.c -index 97e93df2..ac097a04 100644 a/print-aoe.c -+++ b/print-aoe.c -@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, - goto invalid; - /* addresses */ - for (i = 0; i < nmacs; i++) { -+ ND_TCHECK_LEN(cp, MAC_ADDR_LEN); - ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); - cp += ETHER_ADDR_LEN; - } --- -2.21.0 - -- 2.21.0 -- ___ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel
[oe] [meta-oe][PATCH] tcpdump: upgrade 4.9.2 -> 4.9.3
This upgrade adds some new features and fixes numerous bugs including the following CVEs: CVE: CVE-2017-16808 (AoE) CVE: CVE-2018-14468 (FrameRelay) CVE: CVE-2018-14469 (IKEv1) CVE: CVE-2018-14470 (BABEL) CVE: CVE-2018-14466 (AFS/RX) CVE: CVE-2018-14461 (LDP) CVE: CVE-2018-14462 (ICMP) CVE: CVE-2018-14465 (RSVP) CVE: CVE-2018-14881 (BGP) CVE: CVE-2018-14464 (LMP) CVE: CVE-2018-14463 (VRRP) CVE: CVE-2018-14467 (BGP) CVE: CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled) CVE: CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled) CVE: CVE-2018-14880 (OSPF6) CVE: CVE-2018-16451 (SMB) CVE: CVE-2018-14882 (RPL) CVE: CVE-2018-16227 (802.11) CVE: CVE-2018-16229 (DCCP) CVE: CVE-2018-16301 (was fixed in libpcap) CVE: CVE-2018-16230 (BGP) CVE: CVE-2018-16452 (SMB) CVE: CVE-2018-16300 (BGP) CVE: CVE-2018-16228 (HNCP) CVE: CVE-2019-15166 (LMP) CVE: CVE-2019-15167 (VRRP) CVE: CVE-2018-14879 (tcpdump -V) Deleted patch "0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch" since the fix is included in the upgrade. Modified patches "avoid-absolute-path-when-searching-for-libdlpi.patch", "unnecessary-to-check-libpcap.patch", and "add-ptest.patch" since the upgrade renamed configure.in to configure.ac and made changes to the file. Added a PACKAGECONFIG option for smb. SMB printing is disabled by default in the upgraded version, in both the package's configure script and this bitbake recipe, since it is insecure. Modified the parsing of ptest results to align with the new output format. With core-image-minimal on qemux86-64/kvm: Recipe | Passed | Failed | Skipped | Time(s) Before | 408 | 0| 2 | 4 After | 431 | 11 | 2 | 10 11 tests failed after the upgrade since libpcap is not upgraded alongside tcpdump. 
Signed-off-by: Peiran Hong --- .../tcpdump/tcpdump/add-ptest.patch | 9 + ...lute-path-when-searching-for-libdlpi.patch | 19 ++- .../recipes-support/tcpdump/tcpdump/run-ptest | 4 ++-- .../unnecessary-to-check-libpcap.patch| 15 --- .../{tcpdump_4.9.2.bb => tcpdump_4.9.3.bb}| 12 +--- 5 files changed, 34 insertions(+), 25 deletions(-) rename meta-networking/recipes-support/tcpdump/{tcpdump_4.9.2.bb => tcpdump_4.9.3.bb} (74%) diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/add-ptest.patch b/meta-networking/recipes-support/tcpdump/tcpdump/add-ptest.patch index b71435a04..f8ff354fe 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump/add-ptest.patch +++ b/meta-networking/recipes-support/tcpdump/tcpdump/add-ptest.patch @@ -1,18 +1,19 @@ -From 8ee1ab1ac89557d48ac1ab7ddcc3c51be9b734ad Mon Sep 17 00:00:00 2001 +From 8c9c728757f89ebe6c4019114b83a63c63596f69 Mon Sep 17 00:00:00 2001 From: "Hongjun.Yang" -Date: Wed, 22 Oct 2014 10:02:48 +0800 +Date: Wed, 2 Oct 2019 16:57:06 -0400 Subject: [PATCH] Add ptest for tcpdump Upstream-Status: Pending Signed-off-by: Hongjun.Yang +Signed-off-by: Peiran Hong --- Makefile.in | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in -index 0941f0e..3ce40c6 100644 +index 3b589184..7b10e38c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -437,9 +437,17 @@ distclean: @@ -23,7 +24,7 @@ index 0941f0e..3ce40c6 100644 +buildtest-TESTS: tcpdump + +runtest-PTEST: - (cd tests && ./TESTrun.sh) + (mkdir -p tests && SRCDIR=`cd ${srcdir}; pwd` && export SRCDIR && $$SRCDIR/tests/TESTrun.sh ) +install-ptest: + cp -r tests $(DESTDIR) diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/avoid-absolute-path-when-searching-for-libdlpi.patch b/meta-networking/recipes-support/tcpdump/tcpdump/avoid-absolute-path-when-searching-for-libdlpi.patch index d82c16053..977ab95b7 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump/avoid-absolute-path-when-searching-for-libdlpi.patch 
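Review bot: In the new `runtest-PTEST` command of add-ptest.patch, the command substitution that sets SRCDIR joins `cd ${srcdir}` and `pwd` with `;`, so a failed `cd` is masked: `pwd` still succeeds, SRCDIR silently becomes the current directory, and the run looks for TESTrun.sh in the wrong tree. Joining them with `&&` (`cd ${srcdir} && pwd`) makes the substitution fail and stops the chain. The final `$$SRCDIR/tests/TESTrun.sh` is also unquoted; `"$$SRCDIR/tests/TESTrun.sh"` keeps a source path with spaces from being split. The commit message reports 11 failing tests after the upgrade, so a harness that fails loudly on a bad path would help separate real regressions from setup errors.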
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/avoid-absolute-path-when-searching-for-libdlpi.patch @@ -1,6 +1,6 @@ -From a2bfd28034d9aa48d8ff109c1314e53bc9779752 Mon Sep 17 00:00:00 2001 +From 02085028cdaf075943c27ebc02bb6de0289ec1d3 Mon Sep 17 00:00:00 2001 From: Andre McCurdy -Date: Wed, 24 Oct 2018 22:26:08 -0700 +Date: Wed, 2 Oct 2019 16:43:48 -0400 Subject: [PATCH] avoid absolute path when searching for libdlpi Let the build environment control library search paths. @@ -8,15 +8,16 @@ Let the build environment control library search paths. Upstream-Status: Inappropriate [OE specific] Signed-off-by: Andre McCurdy +Signed-off-by: Peiran Hong --- - configure.in | 2 +- + configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/configure.in b/configure.in -index c882909..52aefd6 100644 a/configure.in -+++ b/configure.in -@@ -542,7 +542,7 @@ don't.]) +diff
[oe] [meta-oe][PATCH] zabbix: upgrade 3.0.9 -> 4.2.6
This update fixes the following CVEs: - CVE-2016-10742 (ZBX-13133, refer to 'Changes for 3.4.4rc1' in ChangeLog) and addresses numerous bugs as well as improved frontend messaging usage. Added libevent, libpcre and zlib to DEPENDS as required dependency to build 4.2.6. Added --with-libpthread to EXTRA_OECONF as default configure option since it is turned on by default in the new version. There are also new optional features available in this update that could be but are not yet added as PACKAGECONFIG. Signed-off-by: Peiran Hong --- .../zabbix/{zabbix_3.0.9.bb => zabbix_4.2.6.bb} | 12 1 file changed, 8 insertions(+), 4 deletions(-) rename meta-oe/recipes-connectivity/zabbix/{zabbix_3.0.9.bb => zabbix_4.2.6.bb} (88%) diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_3.0.9.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_4.2.6.bb similarity index 88% rename from meta-oe/recipes-connectivity/zabbix/zabbix_3.0.9.bb rename to meta-oe/recipes-connectivity/zabbix/zabbix_4.2.6.bb index bab5a6ae6..33c0a82b8 100644 --- a/meta-oe/recipes-connectivity/zabbix/zabbix_3.0.9.bb +++ b/meta-oe/recipes-connectivity/zabbix/zabbix_4.2.6.bb @@ -19,7 +19,7 @@ HOMEPAGE = "http://www.zabbix.com/; SECTION = "Applications/Internet" LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=300e938ad303147fede2294ed78fe02e" -DEPENDS = "openldap virtual/libiconv" +DEPENDS = "libevent libpcre openldap virtual/libiconv zlib" PACKAGE_ARCH = "${MACHINE_ARCH}" @@ -28,8 +28,8 @@ SRC_URI = "http://jaist.dl.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stab file://zabbix-agent.service \ " -SRC_URI[md5sum] = "489d21b464277c0d412155c7e5611a8f" -SRC_URI[sha256sum] = "4445f26c025009681c29c9b350aa6c4ee7b124ddcaf1609ae36c55997bcb8cf2" +SRC_URI[md5sum] = "6cd55cd743d416d9ffbf2e6fdee680ee" +SRC_URI[sha256sum] = "646b1f29a768e3123a00a9afadf382b4d0dfd54e20fb31023f0d6da066da0864" inherit autotools-brokensep linux-kernel-base pkgconfig systemd useradd 
@@ -55,8 +55,12 @@ EXTRA_OECONF = " \ --with-unixodbc \ --with-ssh2 \ --with-sqlite3 \ +--with-zlib \ +--with-libpthread \ +--with-libevent \ +--with-libpcre \ " -CFLAGS_append = " -lldap -llber" +CFLAGS_append = " -lldap -llber -pthread" do_configure_prepend() { export KERNEL_VERSION="${KERNEL_VERSION}" -- 2.21.0 -- ___ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel
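Review bot: `CFLAGS_append = " -lldap -llber -pthread"` extends a line that already puts linker inputs into the compiler flags; `-lldap -llber` are libraries and presumably only take effect because the build passes CFLAGS to the link step. I would move them out of CFLAGS, for example `LDFLAGS_append = " -pthread"` plus the libraries in the variable the zabbix configure script uses for link libraries, and keep only `-pthread` in CFLAGS. The four new switches `--with-zlib`, `--with-libpthread`, `--with-libevent` and `--with-libpcre` are added unconditionally to EXTRA_OECONF with no comment; a one-line comment such as `# required by zabbix 4.2.x: zlib, libevent, libpcre, pthread` would record why they are not PACKAGECONFIG options. The recipe continues outside this hunk.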
[oe] [meta-oe][PATCH] nmap: Update to 7.80
Updates nmap to v7.80, this solves the following CVEs: - CVE-2017-18594 - CVE-2018-15173 and addressed numerous bugs as well. The patch '0001-include-time.h-for-time-structure-definition.patch' is modified to be applicable to the new version while serving for the same purpose. The license changed in the commit https://github.com/nmap/nmap/commit/d639a53 and is only a date bump without modification of any content in the license. Signed-off-by: Peiran Hong --- h-header-to-pass-clang-compilation.patch} | 59 +-- .../nmap/{nmap_7.70.bb => nmap_7.80.bb} | 8 +-- 2 files changed, 31 insertions(+), 36 deletions(-) rename meta-oe/recipes-security/nmap/files/{0001-include-time.h-for-time-structure-definition.patch => 0001-Include-time.h-header-to-pass-clang-compilation.patch} (52%) rename meta-oe/recipes-security/nmap/{nmap_7.70.bb => nmap_7.80.bb} (85%) diff --git a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch similarity index 52% rename from meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch rename to meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch index 561c8c82c..f93af2d79 100644 --- a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch +++ b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch 
@@ -1,35 +1,39 @@ -From c774f2b129fd5acd5647d92c57a2079ae638a62b Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 20 Jan 2019 23:07:39 -0800 -Subject: [PATCH] include time.h for time structure definition +From a068952a20880fc864e8cb8b49f8a6b143a5ac30 Mon Sep 17 00:00:00 2001 +From: Peiran Hong +Date: Fri, 20 Sep 2019 15:02:45 -0400 +Subject: [PATCH] Include time.h header to pass clang compilation -Exposed by musl/clang - -Upstream-Status: Pending - -Signed-off-by: Khem Raj --- - nmap_error.cc | 1 + - nping/EchoServer.cc | 1 + - osscan.cc | 1 + - osscan2.cc | 1 + - service_scan.cc | 1 + - 5 files changed, 5 insertions(+) + nmap_error.cc | 11 +-- + nping/EchoServer.cc | 1 + + osscan2.cc | 1 + + service_scan.cc | 1 + + 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/nmap_error.cc b/nmap_error.cc -index 19beafb..ea14e08 100644 +index 588b13c33..254107ff5 100644 --- a/nmap_error.cc +++ b/nmap_error.cc -@@ -135,6 +135,7 @@ +@@ -135,16 +135,7 @@ #include "xml.h" #include +-#if TIME_WITH_SYS_TIME +-# include +-# include +-#else +-# if HAVE_SYS_TIME_H +-# include +-# else +-# include +-# endif +-#endif +#include extern NmapOps o; diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc -index 70f39b0..40cd4d6 100644 +index ccdcf9c2d..c403aeda5 100644 --- a/nping/EchoServer.cc +++ b/nping/EchoServer.cc @@ -137,6 +137,7 @@ @@ -40,20 +44,8 @@ index 70f39b0..40cd4d6 100644 extern NpingOps o; extern EchoServer es; -diff --git a/osscan.cc b/osscan.cc -index f851f60..6ae0c83 100644 a/osscan.cc -+++ b/osscan.cc -@@ -149,6 +149,7 @@ - # include - # endif - #endif -+#include - - #include - #include diff --git a/osscan2.cc b/osscan2.cc -index e341947..887fbd2 100644 +index aa31feb12..89673e108 100644 --- a/osscan2.cc +++ b/osscan2.cc @@ -147,6 +147,7 @@ @@ -65,7 +57,7 @@ index e341947..887fbd2 100644 extern NmapOps o; #ifdef WIN32 diff --git a/service_scan.cc b/service_scan.cc -index 9780ae3..e07b940 100644 +index 57a92ed28..ef277bb1f 100644 --- a/service_scan.cc 
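Review bot: The rewritten header of the nmap patch removes `Upstream-Status: Pending`, the `Signed-off-by:` trailer and the "Exposed by musl/clang" rationale, and the new side adds nothing in their place, so the recipe would carry a source patch with no recorded upstream state or sign-off. Keep `Upstream-Status: Pending` and add a `Signed-off-by:` line below the new subject, with a sentence on why the include is needed. In the nmap_error.cc part, the whole `#if TIME_WITH_SYS_TIME … #endif` block is now deleted, where the old patch left it in place; the header names are stripped on this page, so it is worth confirming that nothing in that file still needs the header the block used to pull in. The same patch is quoted again in the replies further down the thread and the point applies there too.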
+++ b/service_scan.cc @@ -145,6 +145,7 @@ @@ -76,3 +68,6 @@ index 9780ae3..e07b940 100644 #if HAVE_OPENSSL /* OpenSSL 1.0.0 needs _WINSOCKAPI_ to be defined, otherwise it loads +-- +2.21.0 + diff --git a/meta-oe/recipes-security/nmap/nmap_7.70.bb b/meta-oe/recipes-security/nmap/nmap_7.80.bb similarity index 85% rename from meta-oe/recipes-security/nmap/nmap_7.70.bb rename to meta-oe/recipes-security/nmap/nmap_7.80.bb index b1b150a7d..f24194da7 100644 --- a/meta-oe/recipes-security/nmap/nmap_7.70.bb +++ b/meta-oe/recipes-security/nmap/nmap_7.80.bb @@ -3,17 +3,17 @@ DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utili SECTION = "security" LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=1489288f46af415fadc4e8b6345ab9f4" +LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2" SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \ file://nmap-redefine-the-python-library-dir.patch \ file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \ - file://0001-include-time.h-for-time-structure-definition.patch \ + file://0001-Include-time.
Re: [oe] [meta-oe][PATCH] nmap: Update to 7.80
I double checked and the license file only had a date bump, the content of it did not change. I will email the commit with an edited commit message. Thank you, Peiran On 2019-09-23 12:24 p.m., Khem Raj wrote: On Mon, Sep 23, 2019 at 8:59 AM Peiran Hong <mailto:peiran.h...@windriver.com>> wrote: nmap 7.80 still cannot be compiled using clang tool-chain and the original patch does not apply cleanly, so I created a new patch that contains the following changes compared to the original patch: 1. nmap_error.cc: add line "#include " => delete "#if TIME_WITH_SYS_TIME...#endif" and add line"#include ". 2. nping/EchoServer.cc: add line "#include " (same as original patch). 3. osscan.cc: add line "#include " => remove change since this line is added in 7.80 4. osscan2.cc: add line "#include " (same as original patch) 5. service_scan.cc: add line "#include " (same as original patch) Thanks that was not the question though it was mainly about license checksum change it would be good to add a line or two in commit about that 1. Peiran On 2019-09-23 11:18 a.m., Khem Raj wrote: On Mon, Sep 23, 2019 at 6:59 AM Peiran Hong <mailto:peiran.h...@windriver.com> wrote: Updates nmap to v7.80, this solves the following CVEs: - CVE-2017-18594 - CVE-2018-15173 and addressed numerous bugs as well. The patch '0001-include-time.h-for-time-structure-definition.patch' is modified to be applicable to the new version while serving for the same purpose. Signed-off-by: Peiran Hong <mailto:peiran.h...@windriver.com> --- h-header-to-pass-clang-compilation.patch} | 59 +-- .../nmap/{nmap_7.70.bb <http://nmap_7.70.bb> =>nmap_7.80.bb <http://nmap_7.80.bb>} | 8 +-- 2 files changed, 31 insertions(+), 36 deletions(-) rename meta-oe/recipes-security/nmap/files/{0001-include-time.h-for-time-structure-definition.patch => 0001-Include-time.h-header-to-pass-clang-compilation.patch} (52%) rename meta-oe/recipes-security/nmap/{nmap_7.70.bb <http://nmap_7.70.bb> =>nmap_7.80.bb <http://nmap_7.80.bb>} (85%) 
diff --git a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch similarity index 52% rename from meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch rename to meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch index 561c8c82c..f93af2d79 100644 --- a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch +++ b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch @@ -1,35 +1,39 @@ -From c774f2b129fd5acd5647d92c57a2079ae638a62b Mon Sep 17 00:00:00 2001 -From: Khem Raj <mailto:raj.k...@gmail.com> -Date: Sun, 20 Jan 2019 23:07:39 -0800 -Subject: [PATCH] include time.h for time structure definition +From a068952a20880fc864e8cb8b49f8a6b143a5ac30 Mon Sep 17 00:00:00 2001 +From: Peiran Hong <mailto:peiran.h...@windriver.com> +Date: Fri, 20 Sep 2019 15:02:45 -0400 +Subject: [PATCH] Include time.h header to pass clang compilation -Exposed by musl/clang - -Upstream-Status: Pending - -Signed-off-by: Khem Raj <mailto:raj.k...@gmail.com> --- - nmap_error.cc | 1 + - nping/EchoServer.cc | 1 + - osscan.cc | 1 + - osscan2.cc | 1 + - service_scan.cc | 1 + - 5 files changed, 5 insertions(+) + nmap_error.cc | 11 +-- + nping/EchoServer.cc | 1 + + osscan2.cc | 1 + + service_scan.cc | 1 + + 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/nmap_error.cc b/nmap_error.cc -index 19beafb..ea14e08 100644 +index 588b13c33..254107ff5 100644 --- a/nmap_error.cc +++ b/nmap_error.cc -@@ -135,6 +135,7 @@ +@@ -135,16 +135,7 @@ #include "xml.h" #include +-#if TIME_WITH_SYS_TIME +-# include +-# include +-#else +-# if HAVE_SYS_TIME_H +-# include +-# else +-# include +-# endif +-#endif +#include extern NmapOps o; 
diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc -index 70f39b0..40cd4d6 100644 +index ccdcf9c2d..c403aeda5 100644 --- a/nping/EchoServer.cc +++ b/nping/EchoServer.cc @@ -137,6 +137,7 @@ @@ -40,20 +44,8 @@ index 70f39b0..40cd4d6 100644 extern NpingOps o; extern EchoServer es; -diff --git a/osscan.cc b/osscan.cc
Re: [oe] [meta-oe][PATCH] nmap: Update to 7.80
I double checked and the license file only had a date bump, the content of it did not change. I will email the commit with an edited commit message. Thank you, Peiran On 2019-09-23 12:24 p.m., Khem Raj wrote: On Mon, Sep 23, 2019 at 8:59 AM Peiran Hong <mailto:peiran.h...@windriver.com>> wrote: nmap 7.80 still cannot be compiled using clang tool-chain and the original patch does not apply cleanly, so I created a new patch that contains the following changes compared to the original patch: 1. nmap_error.cc: add line "#include " => delete "#if TIME_WITH_SYS_TIME...#endif" and add line"#include ". 2. nping/EchoServer.cc: add line "#include " (same as original patch). 3. osscan.cc: add line "#include " => remove change since this line is added in 7.80 4. osscan2.cc: add line "#include " (same as original patch) 5. service_scan.cc: add line "#include " (same as original patch) Thanks that was not the question though it was mainly about license checksum change it would be good to add a line or two in commit about that 1. Peiran On 2019-09-23 11:18 a.m., Khem Raj wrote: On Mon, Sep 23, 2019 at 6:59 AM Peiran Hong <mailto:peiran.h...@windriver.com> wrote: Updates nmap to v7.80, this solves the following CVEs: - CVE-2017-18594 - CVE-2018-15173 and addressed numerous bugs as well. The patch '0001-include-time.h-for-time-structure-definition.patch' is modified to be applicable to the new version while serving for the same purpose. Signed-off-by: Peiran Hong <mailto:peiran.h...@windriver.com> --- h-header-to-pass-clang-compilation.patch} | 59 +-- .../nmap/{nmap_7.70.bb <http://nmap_7.70.bb> =>nmap_7.80.bb <http://nmap_7.80.bb>} | 8 +-- 2 files changed, 31 insertions(+), 36 deletions(-) rename meta-oe/recipes-security/nmap/files/{0001-include-time.h-for-time-structure-definition.patch => 0001-Include-time.h-header-to-pass-clang-compilation.patch} (52%) rename meta-oe/recipes-security/nmap/{nmap_7.70.bb <http://nmap_7.70.bb> =>nmap_7.80.bb <http://nmap_7.80.bb>} (85%) 
diff --git a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch similarity index 52% rename from meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch rename to meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch index 561c8c82c..f93af2d79 100644 --- a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch +++ b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch @@ -1,35 +1,39 @@ -From c774f2b129fd5acd5647d92c57a2079ae638a62b Mon Sep 17 00:00:00 2001 -From: Khem Raj <mailto:raj.k...@gmail.com> -Date: Sun, 20 Jan 2019 23:07:39 -0800 -Subject: [PATCH] include time.h for time structure definition +From a068952a20880fc864e8cb8b49f8a6b143a5ac30 Mon Sep 17 00:00:00 2001 +From: Peiran Hong <mailto:peiran.h...@windriver.com> +Date: Fri, 20 Sep 2019 15:02:45 -0400 +Subject: [PATCH] Include time.h header to pass clang compilation -Exposed by musl/clang - -Upstream-Status: Pending - -Signed-off-by: Khem Raj <mailto:raj.k...@gmail.com> --- - nmap_error.cc | 1 + - nping/EchoServer.cc | 1 + - osscan.cc | 1 + - osscan2.cc | 1 + - service_scan.cc | 1 + - 5 files changed, 5 insertions(+) + nmap_error.cc | 11 +-- + nping/EchoServer.cc | 1 + + osscan2.cc | 1 + + service_scan.cc | 1 + + 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/nmap_error.cc b/nmap_error.cc -index 19beafb..ea14e08 100644 +index 588b13c33..254107ff5 100644 --- a/nmap_error.cc +++ b/nmap_error.cc -@@ -135,6 +135,7 @@ +@@ -135,16 +135,7 @@ #include "xml.h" #include +-#if TIME_WITH_SYS_TIME +-# include +-# include +-#else +-# if HAVE_SYS_TIME_H +-# include +-# else +-# include +-# endif +-#endif +#include extern NmapOps o; 
diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc -index 70f39b0..40cd4d6 100644 +index ccdcf9c2d..c403aeda5 100644 --- a/nping/EchoServer.cc +++ b/nping/EchoServer.cc @@ -137,6 +137,7 @@ @@ -40,20 +44,8 @@ index 70f39b0..40cd4d6 100644 extern NpingOps o; extern EchoServer es; -diff --git a/osscan.cc b/osscan.cc
Re: [oe] [meta-oe][PATCH] nmap: Update to 7.80
nmap 7.80 still cannot be compiled using clang tool-chain and the original patch does not apply cleanly, so I created a new patch that contains the following changes compared to the original patch: 1. nmap_error.cc: add line "#include " => delete "#if TIME_WITH_SYS_TIME...#endif" and add line"#include ". 2. nping/EchoServer.cc: add line "#include " (same as original patch). 3. osscan.cc: add line "#include " => remove change since this line is added in 7.80 4. osscan2.cc: add line "#include " (same as original patch) 5. service_scan.cc: add line "#include " (same as original patch) Peiran On 2019-09-23 11:18 a.m., Khem Raj wrote: On Mon, Sep 23, 2019 at 6:59 AM Peiran Hong wrote: Updates nmap to v7.80, this solves the following CVEs: - CVE-2017-18594 - CVE-2018-15173 and addressed numerous bugs as well. The patch '0001-include-time.h-for-time-structure-definition.patch' is modified to be applicable to the new version while serving for the same purpose. Signed-off-by: Peiran Hong --- h-header-to-pass-clang-compilation.patch} | 59 +-- .../nmap/{nmap_7.70.bb => nmap_7.80.bb} | 8 +-- 2 files changed, 31 insertions(+), 36 deletions(-) rename meta-oe/recipes-security/nmap/files/{0001-include-time.h-for-time-structure-definition.patch => 0001-Include-time.h-header-to-pass-clang-compilation.patch} (52%) rename meta-oe/recipes-security/nmap/{nmap_7.70.bb => nmap_7.80.bb} (85%) diff --git a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch similarity index 52% rename from meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch rename to meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch index 561c8c82c..f93af2d79 100644 --- a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch 
+++ b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch @@ -1,35 +1,39 @@ -From c774f2b129fd5acd5647d92c57a2079ae638a62b Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 20 Jan 2019 23:07:39 -0800 -Subject: [PATCH] include time.h for time structure definition +From a068952a20880fc864e8cb8b49f8a6b143a5ac30 Mon Sep 17 00:00:00 2001 +From: Peiran Hong +Date: Fri, 20 Sep 2019 15:02:45 -0400 +Subject: [PATCH] Include time.h header to pass clang compilation -Exposed by musl/clang - -Upstream-Status: Pending - -Signed-off-by: Khem Raj --- - nmap_error.cc | 1 + - nping/EchoServer.cc | 1 + - osscan.cc | 1 + - osscan2.cc | 1 + - service_scan.cc | 1 + - 5 files changed, 5 insertions(+) + nmap_error.cc | 11 +-- + nping/EchoServer.cc | 1 + + osscan2.cc | 1 + + service_scan.cc | 1 + + 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/nmap_error.cc b/nmap_error.cc -index 19beafb..ea14e08 100644 +index 588b13c33..254107ff5 100644 --- a/nmap_error.cc +++ b/nmap_error.cc -@@ -135,6 +135,7 @@ +@@ -135,16 +135,7 @@ #include "xml.h" #include +-#if TIME_WITH_SYS_TIME +-# include +-# include +-#else +-# if HAVE_SYS_TIME_H +-# include +-# else +-# include +-# endif +-#endif +#include extern NmapOps o; diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc -index 70f39b0..40cd4d6 100644 +index ccdcf9c2d..c403aeda5 100644 --- a/nping/EchoServer.cc +++ b/nping/EchoServer.cc @@ -137,6 +137,7 @@ @@ -40,20 +44,8 @@ index 70f39b0..40cd4d6 100644 extern NpingOps o; extern EchoServer es; -diff --git a/osscan.cc b/osscan.cc -index f851f60..6ae0c83 100644 a/osscan.cc -+++ b/osscan.cc -@@ -149,6 +149,7 @@ - # include - # endif - #endif -+#include - - #include - #include diff --git a/osscan2.cc b/osscan2.cc -index e341947..887fbd2 100644 +index aa31feb12..89673e108 100644 --- a/osscan2.cc +++ b/osscan2.cc @@ -147,6 +147,7 @@ @@ -65,7 +57,7 @@ index e341947..887fbd2 100644 extern NmapOps o; #ifdef WIN32 
diff --git a/service_scan.cc b/service_scan.cc -index 9780ae3..e07b940 100644 +index 57a92ed28..ef277bb1f 100644 --- a/service_scan.cc +++ b/service_scan.cc @@ -145,6 +145,7 @@ @@ -76,3 +68,6 @@ index 9780ae3..e07b940 100644 #if HAVE_OPENSSL /* OpenSSL 1.0.0 needs _WINSOCKAPI_ to be defined, otherwise it loads +-- +2.21.0 + diff --git a/meta-oe/recipes-security/nmap/nmap_7.70.bb b/meta-oe/recipes-security/nmap/nmap_7.80.bb similarity index 85% rename from meta-oe/recipes-security/nmap/nmap_7.70.bb rename to meta-oe/recipes-security/nmap/nmap_7.80.bb index b1b150a7d..f24194da7 100644 --- a/meta-oe/recipes-security/nmap/nmap_7.70.bb +++ b/meta-oe/recipes-security/nmap/nmap_7.80.bb @@ -3,17 +3,17 @@ DESCRIPTION = "Nmap (&quo
[oe] [meta-oe][PATCH] nmap: Update to 7.80
Updates nmap to v7.80, this solves the following CVEs: - CVE-2017-18594 - CVE-2018-15173 and addressed numerous bugs as well. The patch '0001-include-time.h-for-time-structure-definition.patch' is modified to be applicable to the new version while serving for the same purpose. Signed-off-by: Peiran Hong --- h-header-to-pass-clang-compilation.patch} | 59 +-- .../nmap/{nmap_7.70.bb => nmap_7.80.bb} | 8 +-- 2 files changed, 31 insertions(+), 36 deletions(-) rename meta-oe/recipes-security/nmap/files/{0001-include-time.h-for-time-structure-definition.patch => 0001-Include-time.h-header-to-pass-clang-compilation.patch} (52%) rename meta-oe/recipes-security/nmap/{nmap_7.70.bb => nmap_7.80.bb} (85%) diff --git a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch similarity index 52% rename from meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch rename to meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch index 561c8c82c..f93af2d79 100644 --- a/meta-oe/recipes-security/nmap/files/0001-include-time.h-for-time-structure-definition.patch +++ b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch 
@@ -1,35 +1,39 @@ -From c774f2b129fd5acd5647d92c57a2079ae638a62b Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 20 Jan 2019 23:07:39 -0800 -Subject: [PATCH] include time.h for time structure definition +From a068952a20880fc864e8cb8b49f8a6b143a5ac30 Mon Sep 17 00:00:00 2001 +From: Peiran Hong +Date: Fri, 20 Sep 2019 15:02:45 -0400 +Subject: [PATCH] Include time.h header to pass clang compilation -Exposed by musl/clang - -Upstream-Status: Pending - -Signed-off-by: Khem Raj --- - nmap_error.cc | 1 + - nping/EchoServer.cc | 1 + - osscan.cc | 1 + - osscan2.cc | 1 + - service_scan.cc | 1 + - 5 files changed, 5 insertions(+) + nmap_error.cc | 11 +-- + nping/EchoServer.cc | 1 + + osscan2.cc | 1 + + service_scan.cc | 1 + + 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/nmap_error.cc b/nmap_error.cc -index 19beafb..ea14e08 100644 +index 588b13c33..254107ff5 100644 --- a/nmap_error.cc +++ b/nmap_error.cc -@@ -135,6 +135,7 @@ +@@ -135,16 +135,7 @@ #include "xml.h" #include +-#if TIME_WITH_SYS_TIME +-# include +-# include +-#else +-# if HAVE_SYS_TIME_H +-# include +-# else +-# include +-# endif +-#endif +#include extern NmapOps o; diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc -index 70f39b0..40cd4d6 100644 +index ccdcf9c2d..c403aeda5 100644 --- a/nping/EchoServer.cc +++ b/nping/EchoServer.cc @@ -137,6 +137,7 @@ @@ -40,20 +44,8 @@ index 70f39b0..40cd4d6 100644 extern NpingOps o; extern EchoServer es; -diff --git a/osscan.cc b/osscan.cc -index f851f60..6ae0c83 100644 a/osscan.cc -+++ b/osscan.cc -@@ -149,6 +149,7 @@ - # include - # endif - #endif -+#include - - #include - #include diff --git a/osscan2.cc b/osscan2.cc -index e341947..887fbd2 100644 +index aa31feb12..89673e108 100644 --- a/osscan2.cc +++ b/osscan2.cc @@ -147,6 +147,7 @@ @@ -65,7 +57,7 @@ index e341947..887fbd2 100644 extern NmapOps o; #ifdef WIN32 diff --git a/service_scan.cc b/service_scan.cc -index 9780ae3..e07b940 100644 +index 57a92ed28..ef277bb1f 100644 --- a/service_scan.cc 
+++ b/service_scan.cc @@ -145,6 +145,7 @@ @@ -76,3 +68,6 @@ index 9780ae3..e07b940 100644 #if HAVE_OPENSSL /* OpenSSL 1.0.0 needs _WINSOCKAPI_ to be defined, otherwise it loads +-- +2.21.0 + diff --git a/meta-oe/recipes-security/nmap/nmap_7.70.bb b/meta-oe/recipes-security/nmap/nmap_7.80.bb similarity index 85% rename from meta-oe/recipes-security/nmap/nmap_7.70.bb rename to meta-oe/recipes-security/nmap/nmap_7.80.bb index b1b150a7d..f24194da7 100644 --- a/meta-oe/recipes-security/nmap/nmap_7.70.bb +++ b/meta-oe/recipes-security/nmap/nmap_7.80.bb @@ -3,17 +3,17 @@ DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utili SECTION = "security" LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=1489288f46af415fadc4e8b6345ab9f4" +LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2" SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \ file://nmap-redefine-the-python-library-dir.patch \ file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \ - file://0001-include-time.h-for-time-structure-definition.patch \ + file://0001-Include-time.h-header-to-pass-clang-compilation.patch \ file://0002-Fix-building-with-libc.patch \
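Review bot: The refreshed patch header at the top of this hunk drops the `Upstream-Status: Pending` line and Khem Raj's `Signed-off-by:` without adding replacements, so the patch file no longer records its upstream state or its original author. Keeping `Upstream-Status: Pending` (or whatever the current status is) and the original sign-off above the `---` separator would preserve that provenance for later audits of the layer. The nmap_error.cc part also now deletes the whole `TIME_WITH_SYS_TIME` / `HAVE_SYS_TIME_H` conditional include block instead of adding a single include as the other three files do. The header names are stripped in this rendering, so it is worth confirming that nothing in nmap_error.cc still relies on the header pulled in by the `HAVE_SYS_TIME_H` branch.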
[oe] [meta-oe][warrior][PATCH] tcpdump: Fix CVE-2017-16808
Backport selected parts of three upstream commits to fix CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read. Upstream-Status: Backport [ several ] Upstream commits fully backported: 46aead6 [CVE-2017-16808/AoE: Add a missing bounds check] Upstream commits partially backported: 7068209 [Use nd_ types in 802.x and FDDI headers.] 84ef17a [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using pointers (1/n)] 46aead6 fixes the vulnerability and requires two macros defined in 7068209 and 84ef17a, which are committed after the release of 4.9.2. Only the definition of the macros are taken from the two commits as they impact a wide range of code and are difficult to integrate. CVE: CVE-2017-16808 Signed-off-by: Peiran Hong Signed-off-by: Khem Raj --- ...16808-AoE-Add-a-missing-bounds-check.patch | 61 +++ .../recipes-support/tcpdump/tcpdump_4.9.2.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch new file mode 100644 index 0..919f2b009 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch 
@@ -0,0 +1,61 @@ +From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001 +From: Peiran Hong +Date: Fri, 13 Sep 2019 17:02:57 -0400 +Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. + +--- + netdissect.h | 12 + print-aoe.c | 1 + + 2 files changed, 13 insertions(+) + +diff --git a/netdissect.h b/netdissect.h +index 089b0406..cd05fdb9 100644 +--- a/netdissect.h b/netdissect.h +@@ -69,6 +69,11 @@ typedef struct { + typedef unsigned char nd_uint8_t; + typedef signed char nd_int8_t; + ++/* ++ * Use this for MAC addresses. ++ */ ++#define MAC_ADDR_LEN6 /* length of MAC addresses */ ++ + /* snprintf et al */ + + #include +@@ -309,12 +314,19 @@ struct netdissect_options { + ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ + (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l))) + ++#define ND_TTEST_LEN(p, l) \ ++ (IS_NOT_NEGATIVE(l) && \ ++((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ ++ (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l))) ++ + /* True if "var" was captured */ + #define ND_TTEST(var) ND_TTEST2(var, sizeof(var)) + + /* Bail if "l" bytes of "var" were not captured */ + #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc + ++#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc ++ + /* Bail if "var" was not captured */ + #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var)) + +diff --git a/print-aoe.c b/print-aoe.c +index 97e93df2..ac097a04 100644 +--- a/print-aoe.c b/print-aoe.c +@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, + goto invalid; + /* addresses */ + for (i = 0; i < nmacs; i++) { ++ ND_TCHECK_LEN(cp, MAC_ADDR_LEN); + ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); + cp += ETHER_ADDR_LEN; + } +-- +2.21.0 + diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb index 038c1617f..9bd861cd4 100644 
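Review bot: In the print-aoe.c part of the added patch, the new check tests `MAC_ADDR_LEN` bytes while the loop still advances with `cp += ETHER_ADDR_LEN;`, so the bound and the stride only agree as long as two separate constants stay equal. The macros already visible in the netdissect.h context appear to cover the same read with no new definitions, e.g. `ND_TCHECK2(*cp, ETHER_ADDR_LEN);`, assuming `cp` is the byte pointer passed to `etheraddr_string`; that would keep the backport to one line and leave netdissect.h untouched. As rendered on this page the define reads `MAC_ADDR_LEN6`, which is probably whitespace lost by the archive, but it should be confirmed in the committed file because `MAC_ADDR_LEN` would otherwise be undefined. The same patch file is posted again in the thud and untagged postings further down, and the body of `aoev1_reserve_print` begins and ends outside the inner hunk.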
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb @@ -12,6 +12,7 @@ SRC_URI = " \ file://avoid-absolute-path-when-searching-for-libdlpi.patch \ file://add-ptest.patch \ file://run-ptest \ +file://0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch \ " SRC_URI[md5sum] = "9bbc1ee33dab61302411b02dd0515576" -- 2.21.0 -- ___ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel
[oe] [meta-oe][thud][PATCH] tcpdump: Fix CVE-2017-16808
Backport selected parts of three upstream commits to fix CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read. Upstream-Status: Backport [ several ] Upstream commits fully backported: 46aead6 [CVE-2017-16808/AoE: Add a missing bounds check] Upstream commits partially backported: 7068209 [Use nd_ types in 802.x and FDDI headers.] 84ef17a [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using pointers (1/n)] 46aead6 fixes the vulnerability and requires two macros defined in 7068209 and 84ef17a, which are committed after the release of 4.9.2. Only the definition of the macros are taken from the two commits as they impact a wide range of code and are difficult to integrate. CVE: CVE-2017-16808 Signed-off-by: Peiran Hong Signed-off-by: Khem Raj --- ...16808-AoE-Add-a-missing-bounds-check.patch | 61 +++ .../recipes-support/tcpdump/tcpdump_4.9.2.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch new file mode 100644 index 0..919f2b009 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch 
@@ -0,0 +1,61 @@ +From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001 +From: Peiran Hong +Date: Fri, 13 Sep 2019 17:02:57 -0400 +Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. + +--- + netdissect.h | 12 + print-aoe.c | 1 + + 2 files changed, 13 insertions(+) + +diff --git a/netdissect.h b/netdissect.h +index 089b0406..cd05fdb9 100644 +--- a/netdissect.h b/netdissect.h +@@ -69,6 +69,11 @@ typedef struct { + typedef unsigned char nd_uint8_t; + typedef signed char nd_int8_t; + ++/* ++ * Use this for MAC addresses. ++ */ ++#define MAC_ADDR_LEN6 /* length of MAC addresses */ ++ + /* snprintf et al */ + + #include +@@ -309,12 +314,19 @@ struct netdissect_options { + ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ + (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l))) + ++#define ND_TTEST_LEN(p, l) \ ++ (IS_NOT_NEGATIVE(l) && \ ++((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ ++ (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l))) ++ + /* True if "var" was captured */ + #define ND_TTEST(var) ND_TTEST2(var, sizeof(var)) + + /* Bail if "l" bytes of "var" were not captured */ + #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc + ++#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc ++ + /* Bail if "var" was not captured */ + #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var)) + +diff --git a/print-aoe.c b/print-aoe.c +index 97e93df2..ac097a04 100644 +--- a/print-aoe.c b/print-aoe.c +@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, + goto invalid; + /* addresses */ + for (i = 0; i < nmacs; i++) { ++ ND_TCHECK_LEN(cp, MAC_ADDR_LEN); + ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); + cp += ETHER_ADDR_LEN; + } +-- +2.21.0 + diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb index d38540e34..14e90b092 100644 
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb @@ -10,6 +10,7 @@ SRC_URI = " \ file://unnecessary-to-check-libpcap.patch \ file://add-ptest.patch \ file://run-ptest \ +file://0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch \ " SRC_URI[md5sum] = "9bbc1ee33dab61302411b02dd0515576" -- 2.21.0 -- ___ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel
[oe] [PATCH] tcpdump: Fix CVE-2017-16808
Backport selected parts of three upstream commits to fix CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read. Upstream-Status: Backport [ several ] Upstream commits fully backported: 46aead6 [CVE-2017-16808/AoE: Add a missing bounds check] Upstream commits partially backported: 7068209 [Use nd_ types in 802.x and FDDI headers.] 84ef17a [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using pointers (1/n)] 46aead6 fixes the vulnerability and requires two macros defined in 7068209 and 84ef17a, which are committed after the release of 4.9.2. Only the definition of the macros are taken from the two commits as they impact a wide range of code and are difficult to integrate. CVE: CVE-2017-16808 Signed-off-by: Peiran Hong --- ...16808-AoE-Add-a-missing-bounds-check.patch | 61 +++ .../recipes-support/tcpdump/tcpdump_4.9.2.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch new file mode 100644 index 0..919f2b009 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch 
@@ -0,0 +1,61 @@ +From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001 +From: Peiran Hong +Date: Fri, 13 Sep 2019 17:02:57 -0400 +Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check. + +--- + netdissect.h | 12 + print-aoe.c | 1 + + 2 files changed, 13 insertions(+) + +diff --git a/netdissect.h b/netdissect.h +index 089b0406..cd05fdb9 100644 +--- a/netdissect.h b/netdissect.h +@@ -69,6 +69,11 @@ typedef struct { + typedef unsigned char nd_uint8_t; + typedef signed char nd_int8_t; + ++/* ++ * Use this for MAC addresses. ++ */ ++#define MAC_ADDR_LEN6 /* length of MAC addresses */ ++ + /* snprintf et al */ + + #include +@@ -309,12 +314,19 @@ struct netdissect_options { + ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ + (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l))) + ++#define ND_TTEST_LEN(p, l) \ ++ (IS_NOT_NEGATIVE(l) && \ ++((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \ ++ (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l))) ++ + /* True if "var" was captured */ + #define ND_TTEST(var) ND_TTEST2(var, sizeof(var)) + + /* Bail if "l" bytes of "var" were not captured */ + #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc + ++#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc ++ + /* Bail if "var" was not captured */ + #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var)) + +diff --git a/print-aoe.c b/print-aoe.c +index 97e93df2..ac097a04 100644 +--- a/print-aoe.c b/print-aoe.c +@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo, + goto invalid; + /* addresses */ + for (i = 0; i < nmacs; i++) { ++ ND_TCHECK_LEN(cp, MAC_ADDR_LEN); + ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp))); + cp += ETHER_ADDR_LEN; + } +-- +2.21.0 + diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb index 038c1617f..9bd861cd4 100644 
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb @@ -12,6 +12,7 @@ SRC_URI = " \ file://avoid-absolute-path-when-searching-for-libdlpi.patch \ file://add-ptest.patch \ file://run-ptest \ +file://0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch \ " SRC_URI[md5sum] = "9bbc1ee33dab61302411b02dd0515576" -- 2.21.0 -- ___ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel