On 09/13/2017 04:17 AM, Martin Jansa wrote: > Please update the state on patchwork (https://patchwork. > openembedded.org/project/oe/patches/) when sending updates like this. > > You can update it on the site or use some magic keywords in the e-mail > reply to update it automatically (but I've failed to find link to > documentation how this magic should look like). >
To automatically change a patch status in Patchwork, the string to be included at the bottom of an email reply must be in the form: [Patchwork-Status: <new-state>] where <new-state> can be any of the existing states (excepting "Accepted"). This and other ways of updating patch statuses can be seen at: http://www.openembedded.org/wiki/Patchwork#Update_the_state_of_patches > On Wed, Sep 13, 2017 at 5:21 AM, wenzong fan <wenzong....@windriver.com> > wrote: > >> Please ignore this patch, the fixes has been included by: >> >> [oe] [meta-networking][PATCH] tcpdump: update to 4.9.2 to fix CVEs >> >> Thanks >> Wenzong >> >> >> On 09/07/2017 05:49 PM, wenzong....@windriver.com wrote: >> >>> From: Wenzong Fan <wenzong....@windriver.com> >>> >>> Backport patches for fixing: >>> - CVE-2017-11541: >>> https://nvd.nist.gov/vuln/detail/CVE-2017-11541 >>> https://github.com/the-tcpdump-group/tcpdump/commit/21d702a >>> 136c5c16882e368af7c173df728242280 >>> >>> - CVE-2017-11542: >>> https://nvd.nist.gov/vuln/detail/CVE-2017-11542 >>> https://github.com/the-tcpdump-group/tcpdump/commit/bed4806 >>> 2a64fca524156d7684af19f5b4a116fae >>> >>> - CVE-2017-11543: >>> https://nvd.nist.gov/vuln/detail/CVE-2017-11543 >>> https://github.com/the-tcpdump-group/tcpdump/commit/7039327 >>> 875525278d17edee59720e29a3e76b7b3 >>> >>> The tests/* changes dropped to workaround patch error: >>> File tests/*.pcap: git binary diffs are not supported. >>> >>> Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> --- >>> ...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++ >>> ...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++ >>> ...543-Make-sure-the-SLIP-direction-octet-is.patch | 85 >>> ++++++++++++++++++++++ >>> .../recipes-support/tcpdump/tcpdump_4.9.1.bb | 3 + >>> 4 files changed, 180 insertions(+) >>> create mode 100644 meta-networking/recipes-suppor >>> t/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check- >>> the-length-before-c.patch >>> create mode 100644 meta-networking/recipes-suppor >>> t/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch >>> create mode 100644 meta-networking/recipes-suppor >>> t/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP- >>> direction-octet-is.patch >>> >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11541-In-safeputs-check-the-length-before-c.patch >>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11541-In-safeputs-check-the-length-before-c.patch >>> new file mode 100644 >>> index 000000000..a83214b02 >>> --- /dev/null >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11541-In-safeputs-check-the-length-before-c.patch >>> @@ -0,0 +1,49 @@ >>> +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001 >>> +From: Guy Harris <g...@alum.mit.edu> >>> +Date: Tue, 7 Feb 2017 11:40:36 -0800 >>> +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before >>> + checking for a NUL terminator. >>> + >>> +safeputs() doesn't do packet bounds checking of its own; it assumes that >>> +the caller has checked the availability in the packet data of all maxlen >>> +bytes of data. This means we should check that we're within the >>> +specified limit before looking at the byte. >>> + >>> +This fixes a buffer over-read discovered by Kamil Frankowicz. >>> + >>> +Add a test using the capture file supplied by the reporter(s). >>> + >>> +CVE: CVE-2017-11541 >>> + >>> +Upstream-Status: Backport >>> +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a >>> 136c5c16882e368af7c173df728242280 >>> + >>> +Drop the tests/* changes to workaroud patch error: >>> +File tests/hoobr_safeputs.pcap: git binary diffs are not supported. >>> + >>> +Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> +--- >>> + tests/TESTLIST | 1 + >>> + tests/hoobr_safeputs.out | 2 ++ >>> + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes >>> + util-print.c | 2 +- >>> + 4 files changed, 4 insertions(+), 1 deletion(-) >>> + create mode 100644 tests/hoobr_safeputs.out >>> + create mode 100644 tests/hoobr_safeputs.pcap >>> + >>> +diff --git a/util-print.c b/util-print.c >>> +index 394e7d59..ec3e8de8 100644 >>> +--- a/util-print.c >>> ++++ b/util-print.c >>> +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo, >>> + { >>> + u_int idx = 0; >>> + >>> +- while (*s && idx < maxlen) { >>> ++ while (idx < maxlen && *s) { >>> + safeputchar(ndo, *s); >>> + idx++; >>> + s++; >>> +-- >>> +2.13.0 >>> + >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-supp >>> ort/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch >>> new file mode 100644 >>> index 000000000..a177e7c0b >>> --- /dev/null >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11542-PIMv1-Add-a-bounds-check.patch >>> @@ -0,0 +1,43 @@ >>> +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001 >>> +From: Guy Harris <g...@alum.mit.edu> >>> +Date: Tue, 7 Feb 2017 11:10:04 -0800 >>> +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check. >>> + >>> +This fixes a buffer over-read discovered by Kamil Frankowicz. >>> + >>> +Add a test using the capture file supplied by the reporter(s). >>> + >>> +CVE: CVE-2017-11542 >>> + >>> +Upstream-Status: Backport >>> +https://github.com/the-tcpdump-group/tcpdump/commit/bed4806 >>> 2a64fca524156d7684af19f5b4a116fae >>> + >>> +Drop the tests/* changes to workaroud patch error: >>> +File tests/hoobr_pimv1.pcap: git binary diffs are not supported. >>> + >>> +Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> +--- >>> + print-pim.c | 1 + >>> + tests/TESTLIST | 1 + >>> + tests/hoobr_pimv1.out | 25 +++++++++++++++++++++++++ >>> + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes >>> + 4 files changed, 27 insertions(+) >>> + create mode 100644 tests/hoobr_pimv1.out >>> + create mode 100644 tests/hoobr_pimv1.pcap >>> + >>> +diff --git a/print-pim.c b/print-pim.c >>> +index 25525953..ed880ae7 100644 >>> +--- a/print-pim.c >>> ++++ b/print-pim.c >>> +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo, >>> + pimv1_join_prune_print(ndo, &bp[8], len - 8); >>> + break; >>> + } >>> ++ ND_TCHECK(bp[4]); >>> + if ((bp[4] >> 4) != 1) >>> + ND_PRINT((ndo, " [v%d]", bp[4] >> 4)); >>> + return; >>> + >>> +-- >>> +2.13.0 >>> + >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch >>> b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch >>> new file mode 100644 >>> index 000000000..36e3f6b0d >>> --- /dev/null >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE- >>> 2017-11543-Make-sure-the-SLIP-direction-octet-is.patch >>> @@ -0,0 +1,85 @@ >>> +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001 >>> +From: Guy Harris <g...@alum.mit.edu> >>> +Date: Fri, 17 Mar 2017 12:49:04 -0700 >>> +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is >>> valid. >>> + >>> +Report if it's not, and don't use it as an out-of-bounds index into an >>> +array. >>> + >>> +This fixes a buffer overflow discovered by Wilfried Kirsch. >>> + >>> +Add a test using the capture file supplied by the reporter(s), modified >>> +so the capture file won't be rejected as an invalid capture. >>> + >>> +CVE: CVE-2017-11543 >>> + >>> +Upstream-Status: Backport >>> +https://github.com/the-tcpdump-group/tcpdump/commit/7039327 >>> 875525278d17edee59720e29a3e76b7b3 >>> + >>> +Drop the tests/* changes to workaroud patch error: >>> +File tests/slip-bad-direction.pcap: git binary diffs are not supported. >>> + >>> +Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> +--- >>> + print-sl.c | 25 +++++++++++++++++++++++-- >>> + tests/TESTLIST | 3 +++ >>> + tests/slip-bad-direction.out | 1 + >>> + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes >>> + 4 files changed, 27 insertions(+), 2 deletions(-) >>> + create mode 100644 tests/slip-bad-direction.out >>> + create mode 100644 tests/slip-bad-direction.pcap >>> + >>> +diff --git a/print-sl.c b/print-sl.c >>> +index 3fd7e898..a02077b3 100644 >>> +--- a/print-sl.c >>> ++++ b/print-sl.c >>> +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo, >>> + u_int hlen; >>> + >>> + dir = p[SLX_DIR]; >>> +- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O ")); >>> ++ switch (dir) { >>> + >>> ++ case SLIPDIR_IN: >>> ++ ND_PRINT((ndo, "I ")); >>> ++ break; >>> ++ >>> ++ case SLIPDIR_OUT: >>> ++ ND_PRINT((ndo, "O ")); >>> ++ break; >>> ++ >>> ++ default: >>> ++ ND_PRINT((ndo, "Invalid direction %d ", dir)); >>> ++ dir = -1; >>> ++ break; >>> ++ } >>> + if (ndo->ndo_nflag) { >>> + /* XXX just dump the header */ >>> + register int i; >>> +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo, >>> + * has restored the IP header copy to IPPROTO_TCP. >>> + */ >>> + lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p; >>> ++ ND_PRINT((ndo, "utcp %d: ", lastconn)); >>> ++ if (dir == -1) { >>> ++ /* Direction is bogus, don't use it */ >>> ++ return; >>> ++ } >>> + hlen = IP_HL(ip); >>> + hlen += TH_OFF((const struct tcphdr *)&((const int >>> *)ip)[hlen]); >>> + lastlen[dir][lastconn] = length - (hlen << 2); >>> +- ND_PRINT((ndo, "utcp %d: ", lastconn)); >>> + break; >>> + >>> + default: >>> ++ if (dir == -1) { >>> ++ /* Direction is bogus, don't use it */ >>> ++ return; >>> ++ } >>> + if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { >>> + compressed_sl_print(ndo, &p[SLX_CHDR], ip, >>> + length, dir); >>> + >>> +-- >>> +2.13.0 >>> + >>> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb >>> b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb >>> index 261c78427..668d6f5e1 100644 >>> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb >>> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb >>> @@ -11,6 +11,9 @@ SRC_URI = " \ >>> file://tcpdump-configure-dlpi.patch \ >>> file://add-ptest.patch \ >>> file://run-ptest \ >>> + file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \ >>> + file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch >>> \ >>> + file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch >>> \ >>> " >>> SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7" >>> >>> -- >> _______________________________________________ >> Openembedded-devel mailing list >> Openembedded-devel@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-devel >> -- Jose Lamego | OTC Embedded Platform & Tools | GDC -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel