[Buildroot] [git commit] tcpdump: add 3 security patches

Peter Korsgaard peter at korsgaard.com
Fri Nov 28 11:08:27 UTC 2014


commit: http://git.buildroot.net/buildroot/commit/?id=489848b1fa2ea47638635c2e1ef266ddac172319
branch: http://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fixes:
CVE-2014-8767 - denial of service in verbose mode using malformed OLSR
payload
CVE-2014-8768 - denial of service in verbose mode using malformed Geonet
payload
CVE-2014-8769 - unreliable output using malformed AODV payload

Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/tcpdump/0002-fix-CVE-2014-8767.patch |   20 ++++++++++++++++++++
 package/tcpdump/0003-fix-CVE-2014-8768.patch |   19 +++++++++++++++++++
 package/tcpdump/0004-fix-CVE-2014-8769.patch |   19 +++++++++++++++++++
 3 files changed, 58 insertions(+), 0 deletions(-)

diff --git a/package/tcpdump/0002-fix-CVE-2014-8767.patch b/package/tcpdump/0002-fix-CVE-2014-8767.patch
new file mode 100644
index 0000000..a88efdf
--- /dev/null
+++ b/package/tcpdump/0002-fix-CVE-2014-8767.patch
@@ -0,0 +1,20 @@
+From https://bugzilla.redhat.com/show_bug.cgi?id=1165160
+
+Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
+
+--- tcpdump-tcpdump-4.6/print-olsr.c	2014-10-23 14:07:12.000000000 +0700
++++ tcpdump-4.6.2/print-olsr.c	2014-11-21 14:56:18.205542679 +0700
+@@ -234,6 +234,13 @@
+     ND_PRINT((ndo, "\n\t      neighbor\n\t\t"));
+     neighbor = 1;
+ 
++    u_int caplength;
++
++    /* Checking length of available data before print */
++    caplength = (ndo->ndo_snapend >= msg_data) ? ndo->ndo_snapend - msg_data : 0;
++    if (hello_len > caplength)
++        hello_len = caplength;
++
+     while (hello_len >= sizeof(struct in_addr)) {
+ 
+         /* print 4 neighbors per line */
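Review bot: Clamping `hello_len` to the captured length stops the over-read, but it does so silently, so verbose output for a malformed or snap-truncated OLSR HELLO looks like a complete neighbor list; the same silent clamp is applied to `length` in 0003 (print-geonet.c) and 0004 (print-udp.c). tcpdump's usual convention is to bounds-check each read and emit a truncation marker, e.g. `ND_TCHECK2(*msg_data, sizeof(struct in_addr));` at the top of the loop body, which needs a `trunc:` label in the enclosing function (not visible in this hunk). `u_int caplength;` is also declared after statements, which pre-C99 compilers reject; moving it into the function's declaration block avoids that. The function starts and ends outside the hunk, so the placement of both changes has to be confirmed against the full source.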
diff --git a/package/tcpdump/0003-fix-CVE-2014-8768.patch b/package/tcpdump/0003-fix-CVE-2014-8768.patch
new file mode 100644
index 0000000..a8b82cf
--- /dev/null
+++ b/package/tcpdump/0003-fix-CVE-2014-8768.patch
@@ -0,0 +1,19 @@
+From https://bugzilla.redhat.com/show_bug.cgi?id=1165161
+
+Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
+
+--- tcpdump-tcpdump_4.5/print-geonet.c	2014-02-17 05:58:41.000000000 +0700
++++ print-geonet.c	2014-11-21 10:06:58.590217933 +0700
+@@ -237,6 +237,12 @@
+ 		printf("Malformed (small) ");
+ 	}
+ 
++	/* Checking length before print */
++	u_int caplength;
++	caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
++	if (length > caplength)
++		length = caplength;
++
+ 	/* Print user data part */
+ 	if (ndo->ndo_vflag)
+ 		default_print(bp, length);
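Review bot: The embedded patch header names `tcpdump-tcpdump_4.5/print-geonet.c` as the old file and a bare `print-geonet.c` as the new one, while 0002 and 0004 are written against `tcpdump-4.6.2/`. The context lines (`printf("Malformed (small) ")`, `default_print(bp, length)`) should therefore be checked against the packaged tcpdump version, so that the hunk applies without fuzz or offset and the guard lands directly before the print call. If the patch was generated against an older tree, regenerating it against the packaged source with consistent path prefixes would remove the doubt. A line in the patch header such as `Tested against tcpdump <packaged version>` would also help whoever has to drop these patches at the next version bump.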
diff --git a/package/tcpdump/0004-fix-CVE-2014-8769.patch b/package/tcpdump/0004-fix-CVE-2014-8769.patch
new file mode 100644
index 0000000..38eaf12
--- /dev/null
+++ b/package/tcpdump/0004-fix-CVE-2014-8769.patch
@@ -0,0 +1,19 @@
+From https://bugzilla.redhat.com/show_bug.cgi?id=1165162
+
+Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
+
+--- tcpdump-tcpdump-4.6/print-udp.c	2014-11-21 13:53:05.757690197 +0700
++++ tcpdump-4.6.2/print-udp.c	2014-11-21 13:50:58.077695164 +0700
+@@ -357,6 +357,12 @@
+ #ifdef INET6
+ 	register const struct ip6_hdr *ip6;
+ #endif
++	u_int caplength;
++
++	/* Checking length of available data before print */
++	caplength = (ndo->ndo_snapend >= bp) ? ndo->ndo_snapend - bp : 0;
++	if (length > caplength)
++		length = caplength;
+ 
+ 	if (ep > ndo->ndo_snapend)
+ 		ep = ndo->ndo_snapend;
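Review bot: Overwriting `length` at the top of the function conflates the on-the-wire length with the captured length; `ep` is clamped to `ndo->ndo_snapend` on the very next lines, which suggests `length` is meant to stay the wire value. Any later length comparison or printed length field in this function (outside the hunk) would then reflect the snap length on an ordinary truncated capture, not only on a malformed packet. The commit message attributes CVE-2014-8769 to the AODV payload, so a bounds check in the AODV printer itself would be the narrower fix. If the clamp stays, a comment should say so, e.g. `/* workaround for CVE-2014-8769: bound length by captured bytes; drop once the AODV printer checks its own reads */`.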

