Hi,

On Thu, Aug 31, 2017 at 12:39:17PM +0200, Guido Günther wrote:
> Package: tcpdump
> X-Debbugs-CC: t...@security.debian.org
> secure-testing-t...@lists.alioth.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerability was published for tcpdump.
>
> CVE-2017-11541[0]:
> | tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print
> | function in print-lldp.c, related to util-print.c.
I've sent the attached patch upstream. I'd like to incorporate this into an upload to wheezy at one point. Shall I handle sid, stretch or jessie as well? Given the impact of the issue, an update to stretch and jessie is probably more suitable for a point release (which wheezy does not have).

Cheers,
 -- Guido
From: Guido Günther <a...@sigxcpu.org>
Date: Mon, 28 Aug 2017 18:53:20 +0200
Subject: CVE-2017-11541: safeputs: check length first

Put the length check before accessing s since we might otherwise read from a memory area we're not supposed to read.

Addresses CVE-2017-11541 with the testcase from https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/util-print

--- util-print.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util-print.c b/util-print.c index 5db042a..34fc2e0 100644 --- a/util-print.c +++ b/util-print.c @@ -902,7 +902,7 @@ safeputs(netdissect_options *ndo, { u_int idx = 0; - while (*s && idx < maxlen) { + while (idx < maxlen && *s) { safeputchar(ndo, *s); idx++; s++;
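Review bot: the reordering to `while (idx < maxlen && *s)` is the entire fix, but nothing in the hunk says why the operand order matters, so a one-line comment above the loop (for example `/* test idx first: s need not be NUL-terminated within maxlen */`) would stop a later tidy-up from swapping the operands back and reintroducing the over-read. Note also that the check only helps when every caller passes a maxlen bounded by the captured data, and that the diff touches util-print.c alone while the commit message names a reproducer; committing that reproducer as a regression test would keep the fix covered.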
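As an added illustration of the one-line change above (example code written for this thread, not tcpdump's own source), the following C program models the safeputs() loop with both operand orders. Every byte of the input goes through a small peek() helper that records the highest index dereferenced, so the over-read is observable as a return value without ASan. The packet bytes, the field length and all function names are constructed for the example and are not taken from tcpdump.

```c
/* Added example for this thread, not tcpdump's own code: a self-contained
 * model of the safeputs() loop before and after the patch. Each byte of the
 * input is fetched through peek(), which records the highest index touched,
 * so the over-read shows up as a return value rather than as an ASan report.
 * The packet bytes below are constructed for the example. */
#include <stddef.h>
#include <stdio.h>

/* Highest index of s dereferenced by the most recent run (-1: none). */
static long highest_read = -1;

static unsigned char peek(const unsigned char *s, size_t i)
{
    if ((long)i > highest_read)
        highest_read = (long)i;
    return s[i];
}

/* Pre-patch condition order: "while (*s && idx < maxlen)". The NUL test runs
 * first, so with maxlen non-NUL bytes in a row the byte at s[maxlen] is
 * fetched before the bound check can stop the loop. */
static size_t copy_before(const unsigned char *s, size_t maxlen, char *out)
{
    size_t idx = 0;
    highest_read = -1;
    while (peek(s, idx) && idx < maxlen) {
        out[idx] = (char)peek(s, idx);
        idx++;
    }
    out[idx] = '\0';
    return idx;
}

/* Patched order: "while (idx < maxlen && *s)". Once idx == maxlen the &&
 * short-circuits and s[maxlen] is never touched. */
static size_t copy_after(const unsigned char *s, size_t maxlen, char *out)
{
    size_t idx = 0;
    highest_read = -1;
    while (idx < maxlen && peek(s, idx)) {
        out[idx] = (char)peek(s, idx);
        idx++;
    }
    out[idx] = '\0';
    return idx;
}

/* Constructed input: a 6-byte string field "PortID" with no terminating NUL,
 * immediately followed by two bytes belonging to the next field. With maxlen
 * == 6 the bytes at index 6 and 7 are outside the field; in a real capture
 * they could be outside the packet buffer entirely. */
static const unsigned char sample_pkt[] = { 'P', 'o', 'r', 't', 'I', 'D', 0x02, 0x03 };
static const size_t sample_field_len = 6;

/* Same field but NUL-terminated inside the bound: both variants behave alike. */
static const unsigned char sample_nul[] = { 'P', 'o', 'r', 't', 0x00, 0x41 };

/* Run one variant on (s, maxlen) and report the highest index it read. */
static long highest_index_before(const unsigned char *s, size_t maxlen)
{
    char out[64];               /* maxlen is always well below this */
    copy_before(s, maxlen, out);
    return highest_read;
}

static long highest_index_after(const unsigned char *s, size_t maxlen)
{
    char out[64];
    copy_after(s, maxlen, out);
    return highest_read;
}

int main(void)
{
    printf("before patch: highest index read = %ld (field is %zu bytes)\n",
           highest_index_before(sample_pkt, sample_field_len), sample_field_len);
    printf("after patch:  highest index read = %ld\n",
           highest_index_after(sample_pkt, sample_field_len));
    printf("NUL inside bound: before %ld, after %ld (no difference)\n",
           highest_index_before(sample_nul, 6), highest_index_after(sample_nul, 6));
    return 0;
}
```

With the unterminated field the pre-patch loop touches index 6, one past the bound it was given, while the patched loop stops at index 5; when a NUL sits inside the bound the two orders read exactly the same bytes, which is why the change is safe to make without altering output.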