Hi,

On Thu, Aug 31, 2017 at 12:39:33PM +0200, Guido Günther wrote:
> Package: tcpdump
> X-Debbugs-CC: t...@security.debian.org
> secure-testing-t...@lists.alioth.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerability was published for tcpdump.
>
> CVE-2017-11541[0]:
> | tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print
> | function in print-lldp.c, related to util-print.c.
I've sent the attached patch upstream. I'd like to incorporate this into an upload to wheezy at one point. Shall I handle sid, stretch or jessie as well? Given the impact of the issue an update to stretch and jessie is probably more suitable for a point release (which wheezy does not have).

Cheers,
 -- Guido
From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org> Date: Mon, 28 Aug 2017 19:22:27 +0200 Subject: CVE-2017-11542: pimv1_print: prevent out of bounds read In case of an invalid type there's no bounds check when parsing the version field. Add this unconditionally. This fixes CVE-2017-11542 with the testcase from https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/print-pim while https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=IGMP+dataset.pcap still passes --- print-pim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/print-pim.c b/print-pim.c index 2552595..674dddb 100644 --- a/print-pim.c +++ b/print-pim.c @@ -306,7 +306,7 @@ pimv1_print(netdissect_options *ndo, pimv1_join_prune_print(ndo, &bp[8], len - 8); break; } - if ((bp[4] >> 4) != 1) + if (ND_TTEST(bp[4]) && (bp[4] >> 4) != 1) ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); return;
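Review bot: in the pimv1_print hunk, gating the version print with `ND_TTEST(bp[4]) && (bp[4] >> 4) != 1` makes a packet truncated before byte 4 silently lose the ` [v%d]` suffix rather than being reported as truncated; if pimv1_print carries the usual `trunc:` label, an `ND_TCHECK(bp[4]);` on its own line before the unchanged `if ((bp[4] >> 4) != 1)` keeps the same bounds check and also emits the `[|pim]` truncation marker, which is the pattern tcpdump's other printers follow. Separately, the bug report quoted at the top of this thread is for CVE-2017-11541 (lldp_print in print-lldp.c), while this patch's subject and body reference CVE-2017-11542 (pimv1_print); the changelog entry for the upload should name the issue this hunk actually fixes.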
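The defect the patch addresses is a read of the PIMv1 version nibble (`bp[4] >> 4`) without first confirming that byte 4 lies inside the captured data. The following is an added example, not tcpdump's code and not part of this bug report: a small stand-alone model of that captured-length check, in the spirit of tcpdump's ND_TTEST, applied to a constructed PIMv1-like header once with the full header captured and once with the capture cut short. The helper names (`in_capture`, `pimv1_version`) and the sample bytes are assumptions made for the example.

```c
/* Added example (not tcpdump's code): a captured-length bounds check of the
 * kind the patch above introduces, applied to the PIMv1 version nibble. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of tcpdump's ND_TTEST: is the byte at `p` inside the
 * captured bytes [start, snapend)?  Pointer comparison only, never a
 * dereference.  (The real macro also guards against pointer wraparound.) */
static int in_capture(const uint8_t *p, const uint8_t *snapend)
{
    return p < snapend;
}

/* Hypothetical helper: return the PIMv1 version nibble (high nibble of
 * byte 4, the same bp[4] >> 4 as in the patch), or -1 when the capture
 * ended before byte 4 and the byte must not be read. */
static int pimv1_version(const uint8_t *bp, size_t caplen)
{
    const uint8_t *snapend = bp + caplen;   /* first byte NOT captured */

    /* Without this check a capture of fewer than 5 bytes would make the
     * dissector read past the captured data (the CVE's over-read). */
    if (!in_capture(bp + 4, snapend))
        return -1;                          /* truncated packet */

    return bp[4] >> 4;
}

/* Constructed PIMv1-like header: byte 1 = message type, byte 4 high nibble
 * = version 1.  Eight bytes, matching the fixed header the printer expects. */
static const uint8_t full_pkt[8] = { 0x00, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00 };

int main(void)
{
    /* Whole header captured: the version nibble is readable. */
    printf("full capture: version %d\n", pimv1_version(full_pkt, sizeof full_pkt));

    /* Same bytes, but only 4 of them captured (e.g. a short snaplen):
     * the guarded reader refuses instead of reading beyond the capture. */
    printf("4-byte capture: %d (-1 means truncated)\n", pimv1_version(full_pkt, 4));
    return 0;
}
```

The point of the model is that the check is on the capture length, not on the on-wire packet length: a short snaplen or a malformed packet both leave byte 4 outside the captured buffer, and the pointer comparison covers either case before any byte is touched.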