Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,

Please unblock tcpdump 4.6.2-3; it fixes a security vulnerability in the PPP dissector known as CVE-2014-9140. Full debdiff attached.

unblock tcpdump/4.6.2-3
diffstat for tcpdump-4.6.2 tcpdump-4.6.2 changelog | 7 +++++ patches/60_cve-2014-9140.diff | 50 ++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 58 insertions(+) diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog --- tcpdump-4.6.2/debian/changelog 2014-11-22 11:48:11.000000000 +0100 +++ tcpdump-4.6.2/debian/changelog 2014-11-29 12:24:11.000000000 +0100 @@ -1,3 +1,10 @@ +tcpdump (4.6.2-3) unstable; urgency=high + + * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow + in the PPP dissector (CVE-2014-9140). + + -- Romain Francoise <[email protected]> Sat, 29 Nov 2014 12:23:53 +0100 + tcpdump (4.6.2-2) unstable; urgency=high * Urgency high due to security fixes. diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff --- tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff 1970-01-01 01:00:00.000000000 +0100 +++ tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff 2014-11-29 12:15:29.000000000 +0100 
@@ -0,0 +1,50 @@ +commit 0f95d441e4b5d7512cc5c326c8668a120e048eda +Author: Guy Harris <[email protected]> +Date: Wed Oct 22 12:31:21 2014 -0700 + + Do bounds checking when unescaping PPP. + + Clean up a const issue while we're at it. + +diff --git a/print-ppp.c b/print-ppp.c +index 8e098f0..9a983e6 100644 +--- a/print-ppp.c ++++ b/print-ppp.c +@@ -1351,14 +1351,15 @@ static void + ppp_hdlc(netdissect_options *ndo, + const u_char *p, int length) + { +- u_char *b, *s, *t, c; ++ u_char *b, *t, c; ++ const u_char *s; + int i, proto; + const void *se; + + if (length <= 0) + return; + +- b = (uint8_t *)malloc(length); ++ b = (u_char *)malloc(length); + if (b == NULL) + return; + +@@ -1367,14 +1368,13 @@ ppp_hdlc(netdissect_options *ndo, + * Do this so that we dont overwrite the original packet + * contents. + */ +- for (s = (u_char *)p, t = b, i = length; i > 0; i--) { ++ for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) { + c = *s++; + if (c == 0x7d) { +- if (i > 1) { +- i--; +- c = *s++ ^ 0x20; +- } else +- continue; ++ if (i <= 1 || !ND_TTEST(*s)) ++ break; ++ i--; ++ c = *s++ ^ 0x20; + } + *t++ = c; + } diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series --- tcpdump-4.6.2/debian/patches/series 2014-11-22 11:38:26.000000000 +0100 +++ tcpdump-4.6.2/debian/patches/series 2014-11-29 12:19:11.000000000 +0100 @@ -7,3 +7,4 @@ 60_cve-2014-8767.diff 60_cve-2014-8768.diff 60_cve-2014-8769.diff +60_cve-2014-9140.diff
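Review bot: The new debian/patches/60_cve-2014-9140.diff carries only the raw `git show` header (commit, Author, Date) and no DEP-3 metadata, so tools that read patch headers will not see where it came from or which issue it addresses. Suggest prepending `Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/0f95d441e4b5d7512cc5c326c8668a120e048eda` and `Bug: CVE-2014-9140`-style headers (the other 60_cve-*.diff files in series are the place to check for the convention already used in this package); the changelog entry itself is fine and cites the matching commit id 0f95d441e4.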
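Review bot: In the print-ppp.c hunk the unescaping loop can now stop before consuming all `length` input bytes, either through the added `ND_TTEST(*s)` loop condition (which tests that `*s` lies inside the captured packet data) or through the new `if (i <= 1 || !ND_TTEST(*s)) break;` on a trailing 0x7d escape, so `b` may hold fewer than `length` unescaped bytes. The hunk ends at `*t++ = c; }` and does not show how the length passed to the subsequent dissection is derived; please confirm that the code after the loop uses `t - b` (the bytes actually written) rather than `length`, otherwise the read would run past the valid part of `b`. The remaining changes look right: `s` becoming `const u_char *` removes the `(u_char *)p` cast that discarded const, and `malloc((u_char *)...)` is just the matching type cleanup with no behavioural effect.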

