OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 16-Jan-2004 13:39:00
Branch: OPENPKG_1_3_SOLID HEAD Handle: 2004011612385702
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_3_SOLID)
openpkg-src/tcpdump tcpdump.patch tcpdump.spec
Log:
SA-2004.002-tcpdump; CAN-2003-0989, CAN-2004-0055, CAN-2004-0057
Summary:
Revision Changes Path
1.1.6.2.2.1 +476 -0 openpkg-src/tcpdump/tcpdump.patch
1.25.2.3.2.2+1 -1 openpkg-src/tcpdump/tcpdump.spec
1.8098 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/tcpdump/tcpdump.patch
============================================================================
$ cvs diff -u -r1.1.6.2 -r1.1.6.2.2.1 tcpdump.patch
--- openpkg-src/tcpdump/tcpdump.patch 24 Jul 2003 20:45:28 -0000 1.1.6.2
+++ openpkg-src/tcpdump/tcpdump.patch 16 Jan 2004 12:38:59 -0000 1.1.6.2.2.1
@@ -16,3 +16,479 @@
#include <stdio.h>
#include <string.h>
+
+ tcpdump patch patrix; [EMAIL PROTECTED]
+
+ tcpdump 371 371 372 381
+ OpenPKG 120 121 130 20020822
+ --- --- --- ---
+ CAN-2002-0380 nfs y n n n see past OpenPKG-SA-2003.014-tcpdump
+ CAN-2002-1350 bgp y n n n see past OpenPKG-SA-2003.014-tcpdump
+ CAN-2003-0108 isakmp y n n n see past OpenPKG-SA-2003.014-tcpdump
+ depth y y y n (*)
+ CAN-2003-0989 isakmp y y y n updates CAN-2003-0108-isakmp
+ CAN-2003-1029 l2tp y y n n
+ CAN-2004-0055 radius y y y y
+ CAN-2004-0057 isakmp y y y y
+
+ (*) the vendor code fix for CAN-2003-0108 had two other unrelated code
+ changes piggybacked. We removed the cosmetics (constify) and
+ extracted an enhancement (depth).
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108 (depth)
+ Not directly related to the CVE security topic but piggybacked.
+
+ revision 1.34
+ date: 2002/09/05 00:43:21; author: guy; state: Exp; lines: +155 -127
+
+ 1.) print-isakmp.c: Constify. [undone to reduce patch]
+
+ 2.) [real security issue as of CAN-2003-0108]
+
+ 3.) Have "isakmp_sub_print()" take the depth as an argument, rather
+ than have it as a static variable, for cleanliness.
+
+Index: print-isakmp.c
+--- print-isakmp.c.CAN-2003-0108 2004-01-15 16:30:04.000000000 +0100
++++ print-isakmp.c 2004-01-15 16:31:28.000000000 +0100
+@@ -67,36 +67,36 @@
+ #define sockaddr_storage sockaddr
+ #endif
+
+-static u_char *isakmp_sa_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++static u_char *isakmp_sa_print(struct isakmp_gen *, u_char *, u_int32_t,
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_p_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_t_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_ke_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_id_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_cert_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_cr_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_sig_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
+-static u_char *isakmp_hash_print(struct isakmp_gen *, u_char *,
+- u_int32_t, u_int32_t, u_int32_t);
+-static u_char *isakmp_nonce_print(struct isakmp_gen *, u_char *,
+- u_int32_t, u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
++static u_char *isakmp_hash_print(struct isakmp_gen *, u_char *, u_int32_t,
++ u_int32_t, u_int32_t, int);
++static u_char *isakmp_nonce_print(struct isakmp_gen *, u_char *, u_int32_t,
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_n_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_d_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
+ static u_char *isakmp_vid_print(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t);
+-static u_char *isakmp_sub0_print(u_char, struct isakmp_gen *, u_char *,
+- u_int32_t, u_int32_t, u_int32_t);
+-static u_char *isakmp_sub_print(u_char, struct isakmp_gen *, u_char *,
+- u_int32_t, u_int32_t, u_int32_t);
++ u_int32_t, u_int32_t, int);
++static u_char *isakmp_sub0_print(u_char, struct isakmp_gen *, u_char *, u_int32_t,
++ u_int32_t, u_int32_t, int);
++static u_char *isakmp_sub_print(u_char, struct isakmp_gen *, u_char *, u_int32_t,
++ u_int32_t, u_int32_t, int);
+ static char *numstr(int);
+ static void safememcpy(void *, void *, size_t);
+
+@@ -121,7 +121,7 @@
+
+ /* isakmp->np */
+ static u_char *(*npfunc[])(struct isakmp_gen *, u_char *, u_int32_t,
+- u_int32_t, u_int32_t) = {
++ u_int32_t, u_int32_t, int) = {
+ NULL,
+ isakmp_sa_print,
+ isakmp_p_print,
+@@ -333,7 +333,7 @@
+ rawprint(caddr_t loc, size_t len)
+ {
+ static u_char *p;
+- int i;
++ size_t i;
+
+ p = (u_char *)loc;
+ for (i = 0; i < len; i++)
+@@ -342,7 +342,7 @@
+
+ struct attrmap {
+ char *type;
+- int nvalue;
++ u_int nvalue;
+ char *value[30]; /*XXX*/
+ };
+
+@@ -418,7 +418,7 @@
+
+ static u_char *
+ isakmp_sa_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi0, u_int32_t proto0)
++ u_int32_t doi0, u_int32_t proto0, int depth)
+ {
+ struct isakmp_pl_sa *p, sa;
+ u_int32_t *q;
+@@ -462,14 +462,14 @@
+
+ ext = (struct isakmp_gen *)np;
+
+- cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0);
++ cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, depth);
+
+ return cp;
+ }
+
+ static u_char *
+ isakmp_p_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi0, u_int32_t proto0)
++ u_int32_t doi0, u_int32_t proto0, int depth)
+ {
+ struct isakmp_pl_p *p, prop;
+ u_char *cp;
+@@ -488,7 +488,7 @@
+ ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
+
+ cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
+- prop.prot_id);
++ prop.prot_id, depth);
+
+ return cp;
+ }
+@@ -551,7 +551,7 @@
+
+ static u_char *
+ isakmp_t_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ struct isakmp_pl_t *p, t;
+ u_char *cp;
+@@ -613,7 +613,7 @@
+
+ static u_char *
+ isakmp_ke_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ struct isakmp_gen e;
+
+@@ -630,7 +630,7 @@
+
+ static u_char *
+ isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ #define USE_IPSECDOI_IN_PHASE1 1
+ struct isakmp_pl_id *p, id;
+@@ -766,7 +766,7 @@
+
+ static u_char *
+ isakmp_cert_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi0, u_int32_t proto0)
++ u_int32_t doi0, u_int32_t proto0, int depth)
+ {
+ struct isakmp_pl_cert *p, cert;
+ static char *certstr[] = {
+@@ -790,7 +790,7 @@
+
+ static u_char *
+ isakmp_cr_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi0, u_int32_t proto0)
++ u_int32_t doi0, u_int32_t proto0, int depth)
+ {
+ struct isakmp_pl_cert *p, cert;
+ static char *certstr[] = {
+@@ -814,7 +814,7 @@
+
+ static u_char *
+ isakmp_hash_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ struct isakmp_gen e;
+
+@@ -831,7 +831,7 @@
+
+ static u_char *
+ isakmp_sig_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ struct isakmp_gen e;
+
+@@ -848,7 +848,7 @@
+
+ static u_char *
+ isakmp_nonce_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ struct isakmp_gen e;
+
+@@ -865,7 +865,7 @@
+
+ static u_char *
+ isakmp_n_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi0, u_int32_t proto0)
++ u_int32_t doi0, u_int32_t proto0, int depth)
+ {
+ struct isakmp_pl_n *p, n;
+ u_char *cp;
+@@ -955,8 +955,9 @@
+ (*(u_int32_t *)cp) ? "en" : "dis");
+ break;
+ case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
+- isakmp_sub_print(ISAKMP_NPTYPE_SA,
+- (struct isakmp_gen *)cp, ep, phase, doi, proto);
++ if (isakmp_sub_print(ISAKMP_NPTYPE_SA,
++ (struct isakmp_gen *)cp, ep, phase, doi, proto, depth) ==
NULL)
++ return NULL;
+ break;
+ default:
+ /* NULL is dummy */
+@@ -971,7 +972,7 @@
+
+ static u_char *
+ isakmp_d_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi0, u_int32_t proto0)
++ u_int32_t doi0, u_int32_t proto0, int depth)
+ {
+ struct isakmp_pl_d *p, d;
+ u_int8_t *q;
+@@ -1007,7 +1008,7 @@
+
+ static u_char *
+ isakmp_vid_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
+- u_int32_t doi, u_int32_t proto)
++ u_int32_t doi, u_int32_t proto, int depth)
+ {
+ struct isakmp_gen e;
+
+@@ -1024,7 +1025,7 @@
+
+ static u_char *
+ isakmp_sub0_print(u_char np, struct isakmp_gen *ext, u_char *ep,
+- u_int32_t phase, u_int32_t doi, u_int32_t proto)
++ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+ {
+ u_char *cp;
+ struct isakmp_gen e;
+@@ -1053,10 +1053,9 @@
+
+ static u_char *
+ isakmp_sub_print(u_char np, struct isakmp_gen *ext, u_char *ep,
+- u_int32_t phase, u_int32_t doi, u_int32_t proto)
++ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+ {
+ u_char *cp;
+- static int depth = 0;
+ int i;
+ struct isakmp_gen e;
+
+@@ -1075,7 +1080,7 @@
+ for (i = 0; i < depth; i++)
+ printf(" ");
+ printf("(");
+- cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
++ cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto, depth);
+ printf(")");
+ depth--;
+
+@@ -1180,35 +1185,36 @@
+ printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "",
+ base.flags & ISAKMP_FLAG_C ? "C" : "");
+ }
+- printf(":");
+
+- {
+- struct isakmp_gen *ext;
+- int nparen;
++ if (vflag) {
++ struct isakmp_gen *ext;
++ int nparen;
+
+ #define CHECKLEN(p, np) \
+- if (ep < (u_char *)(p)) { \
+- printf(" [|%s]", NPSTR(np)); \
+- goto done; \
+- }
++ if (ep < (u_char *)(p)) { \
++ printf(" [|%s]", NPSTR(np)); \
++ goto done; \
++ }
+
+- /* regardless of phase... */
+- if (base.flags & ISAKMP_FLAG_E) {
+- /*
+- * encrypted, nothing we can do right now.
+- * we hope to decrypt the packet in the future...
+- */
+- printf(" [encrypted %s]", NPSTR(base.np));
+- goto done;
+- }
++ printf(":");
+
+- nparen = 0;
+- CHECKLEN(p + 1, base.np)
++ /* regardless of phase... */
++ if (base.flags & ISAKMP_FLAG_E) {
++ /*
++ * encrypted, nothing we can do right now.
++ * we hope to decrypt the packet in the future...
++ */
++ printf(" [encrypted %s]", NPSTR(base.np));
++ goto done;
++ }
+
+- np = base.np;
+- ext = (struct isakmp_gen *)(p + 1);
+- isakmp_sub_print(np, ext, ep, phase, 0, 0);
+- }
++ nparen = 0;
++ CHECKLEN(p + 1, base.np)
++
++ np = base.np;
++ ext = (struct isakmp_gen *)(p + 1);
++ isakmp_sub_print(np, ext, ep, phase, 0, 0, 0);
++ }
+
+ done:
+ if (vflag) {
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0989 (isakmp)
+ tcpdump before 3.8.1 allows remote attackers to cause a denial of
+ service (infinite loop) via certain ISAKMP packets, a different
+ vulnerability than CAN-2004-0057.
+
+Index: print-isakmp.c
+--- print-isakmp.c.CAN-2003-0989 2004-01-15 16:30:04.000000000 +0100
++++ print-isakmp.c 2004-01-15 16:31:28.000000000 +0100
+@@ -1033,20 +1034,25 @@
+ cp = (u_char *)ext;
+ safememcpy(&e, ext, sizeof(e));
+
+- if (NPFUNC(np))
+- cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
+- else {
++ /*
++ * Since we can't have a payload length of less than 4 bytes,
++ * we need to bail out here if the generic header is nonsensical
++ * or truncated, otherwise we could loop forever processing
++ * zero-length items or otherwise misdissect the packet.
++ */
++ item_len = ntohs(e.len);
++ if (item_len <= 4)
++ return NULL;
++
++ if (NPFUNC(np)) {
++ /*
++ * XXX - what if item_len is too short, or too long,
++ * for this payload type?
++ */
++ cp = (*NPFUNC(np))(ext, ep, phase, doi, proto, depth);
++ } else {
+ printf("%s", NPSTR(np));
+- item_len = ntohs(e.len);
+- if (item_len == 0) {
+- /*
+- * We don't want to loop forever processing this
+- * bogus (zero-length) item; return NULL so that
+- * we stop dissecting.
+- */
+- cp = NULL;
+- } else
+- cp += item_len;
++ cp += item_len;
+ }
+ return cp;
+ }
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055 (radius)
+ The print_attr_string function in print-radius.c for tcpdump 3.8.1
+ and earlier allows remote attackers to cause a denial of service
+ (segmentation fault) via a RADIUS attribute with a large length
+ value.
+
+Index: print-radius.c
+===================================================================
+RCS file: /tcpdump/master/tcpdump/print-radius.c,v
+retrieving revision 1.23
+retrieving revision 1.24
+diff -u -d -u -d -r1.23 -r1.24
+--- print-radius.c.CAN-2004-0055 15 Dec 2003 13:52:15 -0000 1.23
++++ print-radius.c 7 Jan 2004 08:00:52 -0000 1.24
+@@ -476,7 +476,7 @@
+ break;
+ }
+
+- for (i=0; i < length ; i++, data++)
++ for (i=0; *data && i < length ; i++, data++)
+ printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
+
+ return;
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057 (isakmp)
+ The rawprint function in the ISAKMP decoding routines
+ (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote
+ attackers to cause a denial of service (segmentation fault) via
+ malformed ISAKMP packets that cause invalid "len" or "loc" values to
+ be used in a loop, a different vulnerability than CAN-2003-0989.
+
+Index: print-isakmp.c
+===================================================================
+RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
+retrieving revision 1.41
+retrieving revision 1.42
+diff -u -d -u -d -r1.41 -r1.42
+--- print-isakmp.c.CAN-2004-0057 20 Dec 2003 10:03:19 -0000 1.41
++++ print-isakmp.c 7 Jan 2004 08:00:51 -0000 1.42
+@@ -327,9 +327,13 @@
+ static u_char *p;
+ size_t i;
+
++ TCHECK2(*loc, len);
++
+ p = (u_char *)loc;
+ for (i = 0; i < len; i++)
+ printf("%02x", p[i] & 0xff);
++trunc:
++ return;
+ }
+
+ struct attrmap {
+@@ -1111,6 +1115,8 @@
+ cp = (const u_char *)ext;
+
+ while (np) {
++ TCHECK2(*ext, sizeof(e));
++
+ safememcpy(&e, ext, sizeof(e));
+
+ if (ep < (u_char *)ext + ntohs(e.len)) {
+@@ -1136,6 +1142,8 @@
+ ext = (struct isakmp_gen *)cp;
+ }
+ return cp;
++trunc:
++ return NULL;
+ }
+
+ static char *
+
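Review bot: The CAN-2004-0055 change in print-radius.c, `for (i=0; *data && i < length ; i++, data++)`, stops at the first NUL byte, which is not a bounds check: an attribute whose `length` runs past the captured data and contains no NUL still makes the loop read beyond the packet buffer, unless the caller has already validated `length` against the snapshot end, which is not visible in this hunk. tcpdump's own idiom for this, used by the CAN-2004-0057 hunk in print-isakmp.c a few lines below, would be `TCHECK2(*data, length);` before the loop with a `trunc:` label at the end, which bounds the loop by the captured bytes rather than by packet content. A smaller point in the same line: `*data > 128` lets 0x7F (DEL) and 0x80 through to the terminal unfiltered; `*data > 126` matches the printable ASCII range the `< 32` test is aiming for. Since this patch file backports upstream 1.23→1.24 verbatim, it is worth a note in the table at the top that the radius entry is a mitigation dependent on the caller's length validation. print_attr_string begins and ends outside the hunk.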
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/tcpdump/tcpdump.spec
============================================================================
$ cvs diff -u -r1.25.2.3.2.1 -r1.25.2.3.2.2 tcpdump.spec
--- openpkg-src/tcpdump/tcpdump.spec 29 Jul 2003 15:01:54 -0000 1.25.2.3.2.1
+++ openpkg-src/tcpdump/tcpdump.spec 16 Jan 2004 12:38:59 -0000 1.25.2.3.2.2
@@ -33,7 +33,7 @@
Group: Network
License: GPL
Version: 3.7.2
-Release: 1.3.0
+Release: 1.3.1
# list of sources
Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.8097 -r1.8098 news.txt
--- openpkg-web/news.txt 16 Jan 2004 12:38:00 -0000 1.8097
+++ openpkg-web/news.txt 16 Jan 2004 12:38:57 -0000 1.8098
@@ -1,3 +1,4 @@
+16-Jan-2004: Upgraded package: P<tcpdump-3.7.2-1.3.1>
16-Jan-2004: Upgraded package: P<gd-2.0.21-20040116>
16-Jan-2004: Upgraded package: P<tcpdump-3.8.1-20040116>
16-Jan-2004: Upgraded package: P<squid-2.5.4-20040116>
@@ .