Hi,
On Thu, Aug 31, 2017 at 12:39:33PM +0200, Guido Günther wrote:
> Package: tcpdump
> X-Debbugs-CC: t...@security.debian.org 
> secure-testing-t...@lists.alioth.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for tcpdump.
> 
> CVE-2017-11541[0]:
> | tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print
> | function in print-lldp.c, related to util-print.c.

I've sent the attached patch upstream. I'd like to incorporate this into
an upload to wheezy at one point. Shall I handle sid, stretch or jessie
as well? Given the impact of the issue an update to stretch and jessie
is probably more suitable for a point release (which wheezy does not have).
Cheers,
 -- Guido
From: Guido Günther <a...@sigxcpu.org>
Date: Mon, 28 Aug 2017 19:22:27 +0200
Subject: CVE-2017-11542: pimv1_print: prevent out of bounds read

In case of an invalid type there's no bounds check when parsing the
version field. Add this unconditionally.

This fixes CVE-2017-11542 with the testcase from

    https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/print-pim

while

    https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=IGMP+dataset.pcap

still passes
---
 print-pim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/print-pim.c b/print-pim.c
index 2552595..674dddb 100644
--- a/print-pim.c
+++ b/print-pim.c
@@ -306,7 +306,7 @@ pimv1_print(netdissect_options *ndo,
 			pimv1_join_prune_print(ndo, &bp[8], len - 8);
 		break;
 	}
-	if ((bp[4] >> 4) != 1)
+	if (ND_TTEST(bp[4]) && (bp[4] >> 4) != 1)
 		ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
 	return;
 
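Review bot: the new guard `if (ND_TTEST(bp[4]) && (bp[4] >> 4) != 1)` silently drops the version suffix when bp[4] lies beyond the captured data, so a truncated packet prints exactly like a well-formed v1 packet; consider the usual tcpdump ND_TCHECK()/trunc idiom here so the output marks the packet as truncated instead. The short-circuit `&&` does correctly keep the read of bp[4] (including the one in the ND_PRINT line) behind the check. Separately, the subject line names CVE-2017-11542 while the bug this reply addresses is CVE-2017-11541 (lldp_print); worth confirming the intended patch is attached to this report.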
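As an added illustration of the bounds check the patch introduces (example code written for this page, not tcpdump's own): a minimal stand-in for netdissect's end-of-capture pointer, the unchecked read beside the checked one, and the " [vN]" suffix logic of the hunk, run against constructed PIMv1 headers. `dissect_ctx`, `TTEST_BYTE` and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for tcpdump's netdissect_options (end of capture). */
typedef struct { const uint8_t *snapend; } dissect_ctx; /* one past last byte */

/* Same idea as tcpdump's ND_TTEST(): true only if the byte at p was captured. */
#define TTEST_BYTE(ctx, p) ((const uint8_t *)(p) < (ctx)->snapend)

/* Before the patch: bp[4] is read whether or not the capture holds it, so a
 * 4-byte capture turns this into a heap over-read. */
int pimv1_version_unchecked(const uint8_t *bp) { return bp[4] >> 4; }
/* After the patch: read the version nibble only when bp[4] was captured.
 * Returns the version, or -1 when the packet is truncated at that point. */
int pimv1_version_checked(const dissect_ctx *ndo, const uint8_t *bp)
{
    if (!TTEST_BYTE(ndo, &bp[4]))
        return -1;
    return bp[4] >> 4;
}

/* Mirrors the hunk's output: " [vN]" only for a readable, non-1 version. */
int pimv1_version_suffix(const dissect_ctx *ndo, const uint8_t *bp,
                         char *out, size_t outlen)
{
    int v = pimv1_version_checked(ndo, bp);
    if (v < 0 || v == 1) { out[0] = '\0'; return 0; }
    return snprintf(out, outlen, " [v%d]", v);
}

/* Constructed samples: 8-byte PIMv1 headers, byte 4 carries version << 4. */
static const uint8_t pim_v1[8] = { 0x13, 0, 0, 0, 0x10, 0, 0, 0 };
static const uint8_t pim_v2[8] = { 0x13, 0, 0, 0, 0x20, 0, 0, 0 };

/* Emulate a capture that holds only the first caplen bytes of sample. */
int version_at_caplen(const uint8_t *sample, size_t caplen)
{
    dissect_ctx ctx = { .snapend = sample + caplen };
    return pimv1_version_checked(&ctx, sample);
}

int main(void)
{
    char buf[16];
    dissect_ctx full = { .snapend = pim_v2 + sizeof pim_v2 };
    pimv1_version_suffix(&full, pim_v2, buf, sizeof buf);
    printf("full: '%s'  truncated: %d\n", buf, version_at_caplen(pim_v2, 4));
    return 0;
}
```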
