OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src openpkg-web          Date:   16-Jan-2004 13:42:52
  Branch: OPENPKG_1_2_SOLID HEAD           Handle: 2004011612425002

  Modified files:
    openpkg-web             news.txt
  Modified files:           (Branch: OPENPKG_1_2_SOLID)
    openpkg-src/tcpdump     tcpdump.patch tcpdump.spec

  Log:
    SA-2004.002-tcpdump; CAN-2002-0380, CAN-2002-1350, CAN-2003-0108,
    CAN-2003-0989, CAN-2003-1029, CAN-2004-0055, CAN-2004-0057

  Summary:
    Revision    Changes     Path
    1.1.4.4     +766 -0     openpkg-src/tcpdump/tcpdump.patch
    1.25.2.1.2.4+1  -1      openpkg-src/tcpdump/tcpdump.spec
    1.8099      +1  -0      openpkg-web/news.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/tcpdump/tcpdump.patch
  ============================================================================
  $ cvs diff -u -r1.1.4.3 -r1.1.4.4 tcpdump.patch
  --- openpkg-src/tcpdump/tcpdump.patch 16 Jan 2004 12:40:29 -0000      1.1.4.3
  +++ openpkg-src/tcpdump/tcpdump.patch 16 Jan 2004 12:42:52 -0000      1.1.4.4
  @@ -0,0 +1,766 @@
  +
  +    tcpdump patch patrix; [EMAIL PROTECTED]
  +
  +                  tcpdump   371 371 372 381
  +                  OpenPKG   120 121 130 20020822
  +                            --- --- --- ---
  +  CAN-2002-0380 nfs      y   n   n   n   see past OpenPKG-SA-2003.014-tcpdump
  +  CAN-2002-1350 bgp      y   n   n   n   see past OpenPKG-SA-2003.014-tcpdump
  +  CAN-2003-0108 isakmp   y   n   n   n   see past OpenPKG-SA-2003.014-tcpdump
  +                depth    y   y   y   n   (*)
  +  CAN-2003-0989 isakmp   y   y   y   n   updates CAN-2003-0108-isakmp
  +  CAN-2003-1029 l2tp     y   y   n   n
  +  CAN-2004-0055 radius   y   y   y   y
  +  CAN-2004-0057 isakmp   y   y   y   y
  +
  +  (*) the vendor code fix for CAN-2003-0108 had two other unrelated code
  +      changes piggybacked. We removed the cosmetics (constify) and
  +      extracted an enhancement (depth).
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0380 (nfs)
  +    Buffer overflow in tcpdump 3.6.2 and earlier allows remote attackers
  +    to cause a denial of service and possibly execute arbitrary code via
  +    an NFS packet.
  +
  +--- print-nfs.c.CAN-2002-0380        Sun Jul  8 10:01:43 2001
  ++++ print-nfs.c      Tue Mar  4 10:33:39 2003
  +@@ -716,10 +716,16 @@
  + 
  +     case NFSPROC_FSINFO:
  +             printf(" fsinfo");
  ++            if ((dp = parsereq(rp, length)) != NULL &&
  ++                parsefh(dp, v3) != NULL)
  ++                    return;
  +             break;
  + 
  +     case NFSPROC_PATHCONF:
  +             printf(" pathconf");
  ++            if ((dp = parsereq(rp, length)) != NULL &&
  ++                parsefh(dp, v3) != NULL)
  ++                    return;
  +             break;
  + 
  +     case NFSPROC_COMMIT:
  +@@ -1027,7 +1033,6 @@
  +                     printf(" ERROR: %s",
  +                         tok2str(status2str, "unk %d", errnum));
  +             nfserr = 1;
  +-            return (NULL);
  +     }
  +     return (dp + 1);
  + trunc:
  +@@ -1109,8 +1114,10 @@
  +     int er;
  + 
  +     dp = parsestatus(dp, &er);
  +-    if (dp == NULL || er)
  ++    if (dp == NULL)
  +             return (0);
  ++    if (er)
  ++            return (1);
  + 
  +     return (parsefattr(dp, verbose, v3) != NULL);
  + }
  +@@ -1120,8 +1127,10 @@
  + {
  +     int er;
  + 
  +-    if (!(dp = parsestatus(dp, &er)) || er)
  ++    if (!(dp = parsestatus(dp, &er)))
  +             return (0);
  ++    if (er)
  ++            return (1);
  + 
  +     dp = parsefh(dp, 0);
  +     if (dp == NULL)
  +@@ -1136,8 +1145,10 @@
  +     int er;
  + 
  +     dp = parsestatus(dp, &er);
  +-    if (dp == NULL || er)
  ++    if (dp == NULL)
  +             return(0);
  ++    if (er)
  ++            return(1);
  +     if (v3 && !(dp = parse_post_op_attr(dp, vflag)))
  +             return (0);
  +     putchar(' ');
  +@@ -1151,8 +1162,10 @@
  +     int er;
  + 
  +     dp = parsestatus(dp, &er);
  +-    if (dp == NULL || (!v3 && er))
  ++    if (dp == NULL)
  +             return (0);
  ++    if (!v3 && er)
  ++            return (1);
  + 
  +     if (qflag)
  +             return(1);
  +@@ -1164,7 +1177,7 @@
  +                     return (0);
  +     }
  + 
  +-    TCHECK2(dp, (v3 ? NFSX_V3STATFS : NFSX_V2STATFS));
  ++    TCHECK2(*dp, (v3 ? NFSX_V3STATFS : NFSX_V2STATFS));
  + 
  +     sfsp = (const struct nfs_statfs *)dp;
  + 
  +@@ -1205,8 +1218,10 @@
  +     int er;
  + 
  +     dp = parsestatus(dp, &er);
  +-    if (dp == NULL || er)
  ++    if (dp == NULL)
  +             return (0);
  ++    if (er)
  ++            return (1);
  +     if (qflag)
  +             return (1);
  + 
  +@@ -1242,7 +1257,7 @@
  +     if (!ntohl(dp[0]))
  +             return (dp + 1);
  +     dp++;
  +-    TCHECK2(dp, 24);
  ++    TCHECK2(*dp, 24);
  +     if (verbose > 1) {
  +             return parse_wcc_attr(dp);
  +     } else {
  +@@ -1379,9 +1394,9 @@
  +                    (u_int32_t) ntohl(sfp->fs_timedelta.nfsv3_sec),
  +                    (u_int32_t) ntohl(sfp->fs_timedelta.nfsv3_nsec));
  +     }
  +-    return (0);
  +-trunc:
  +     return (1);
  ++trunc:
  ++    return (0);
  + }
  + 
  + static int
  +@@ -1409,9 +1424,9 @@
  +            ntohl(spp->pc_chownrestricted) ? "chownres" : "",
  +            ntohl(spp->pc_caseinsensitive) ? "igncase" : "",
  +            ntohl(spp->pc_casepreserving) ? "keepcase" : "");
  +-    return (0);
  +-trunc:
  +     return (1);
  ++trunc:
  ++    return (0);
  + }
  + 
  + static void
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1350 (bgp)
  +    The BGP decoding routines in tcpdump before 3.6.2-2.2 do not
  +    properly copy data, which allows remote attackers to cause a denial
  +    of service and possibly execute arbitrary code.
  +
  +--- print-bgp.c.CAN-2002-1350        Thu Oct 18 11:52:17 2001
  ++++ print-bgp.c      Tue Mar  4 10:33:39 2003
  +@@ -469,11 +469,19 @@
  +                     switch (af) {
  +                     case AFNUM_INET:
  +                             advance = decode_prefix4(p, buf, sizeof(buf));
  ++                            if (advance < 0) {
  ++                                    p = dat + len;
  ++                                    break;
  ++                            }
  +                             printf(" %s", buf);
  +                             break;
  + #ifdef INET6
  +                     case AFNUM_INET6:
  +                             advance = decode_prefix6(p, buf, sizeof(buf));
  ++                            if (advance < 0) {
  ++                                    p = dat + len;
  ++                                    break;
  ++                            }
  +                             printf(" %s", buf);
  +                             break;
  + #endif
  +@@ -505,11 +513,19 @@
  +                     switch (af) {
  +                     case AFNUM_INET:
  +                             advance = decode_prefix4(p, buf, sizeof(buf));
  ++                            if (advance < 0) {
  ++                                    p = dat + len;
  ++                                    break;
  ++                            }
  +                             printf(" %s", buf);
  +                             break;
  + #ifdef INET6
  +                     case AFNUM_INET6:
  +                             advance = decode_prefix6(p, buf, sizeof(buf));
  ++                            if (advance < 0) {
  ++                                    p = dat + len;
  ++                                    break;
  ++                            }
  +                             printf(" %s", buf);
  +                             break;
  + #endif
  +@@ -598,6 +614,7 @@
  +             printf(" (Withdrawn routes: %d bytes)", len);
  + #else       
  +             char buf[MAXHOSTNAMELEN + 100];
  ++            int wpfx;
  + 
  +             TCHECK2(p[2], len);
  +             i = 2;
  +@@ -605,7 +622,10 @@
  +             printf(" (Withdrawn routes:");
  +                     
  +             while(i < 2 + len) {
  +-                    i += decode_prefix4(&p[i], buf, sizeof(buf));
  ++                    wpfx = decode_prefix4(&p[i], buf, sizeof(buf));
  ++                    if (wpfx < 0)
  ++                            break;
  ++                    i += wpfx;
  +                     printf(" %s", buf);
  +             }
  +             printf(")\n");
  +@@ -666,9 +686,9 @@
  +             while (dat + length > p) {
  +                     char buf[MAXHOSTNAMELEN + 100];
  +                     i = decode_prefix4(p, buf, sizeof(buf));
  +-                    printf(" %s", buf);
  +                     if (i < 0)
  +                             break;
  ++                    printf(" %s", buf);
  +                     p += i;
  +             }
  + 
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108 (isakmp)
  +    sakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers
  +    to cause a denial of service (CPU consumption) via a certain
  +    malformed ISAKMP packet to UDP port 500, which causes tcpdump to
  +    enter an infinite loop.
  +
  +--- print-isakmp.c.CAN-2003-0108     Fri Oct 26 05:41:29 2001
  ++++ print-isakmp.c   Tue Mar  4 10:33:39 2003
  +@@ -1028,6 +1028,7 @@
  + {
  +     u_char *cp;
  +     struct isakmp_gen e;
  ++    u_int item_len;
  + 
  +     cp = (u_char *)ext;
  +     safememcpy(&e, ext, sizeof(e));
  +@@ -1036,7 +1037,16 @@
  +             cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
  +     else {
  +             printf("%s", NPSTR(np));
  +-            cp += ntohs(e.len);
  ++            item_len = ntohs(e.len);
  ++            if (item_len == 0) {
  ++                    /*
  ++                     * We don't want to loop forever processing this
  ++                     * bogus (zero-length) item; return NULL so that
  ++                     * we stop dissecting.
  ++                     */
  ++                    cp = NULL;
  ++            } else
  ++                    cp += item_len;
  +     }
  +     return cp;
  + }
  +@@ -1068,6 +1078,11 @@
  +             cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
  +             printf(")");
  +             depth--;
  ++
  ++            if (cp == NULL) {
  ++                    /* Zero-length subitem */
  ++                    return NULL;
  ++            }
  + 
  +             np = e.np;
  +             ext = (struct isakmp_gen *)cp;
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108 (depth)
  +    Not directly related to the CVE security topic but piggybacked.
  +
  +    revision 1.34
  +    date: 2002/09/05 00:43:21;  author: guy;  state: Exp;  lines: +155 -127
  +
  +    1.) print-isakmp.c: Constify. [undone to reduce patch]
  +
  +    2.) [real security issue as of CAN-2003-0108]
  +
  +    3.) Have "isakmp_sub_print()" take the depth as an argument, rather
  +        than have it as a static variable, for cleanliness.
  +
  +Index: print-isakmp.c
  +--- print-isakmp.c.CAN-2003-0108     2004-01-15 16:30:04.000000000 +0100
  ++++ print-isakmp.c   2004-01-15 16:31:28.000000000 +0100
  +@@ -67,36 +67,36 @@
  + #define sockaddr_storage sockaddr
  + #endif
  + 
  +-static u_char *isakmp_sa_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++static u_char *isakmp_sa_print(struct isakmp_gen *, u_char *, u_int32_t, 
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_p_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_t_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_ke_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_id_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_cert_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_cr_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_sig_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  +-static u_char *isakmp_hash_print(struct isakmp_gen *, u_char *,
  +-    u_int32_t, u_int32_t, u_int32_t);
  +-static u_char *isakmp_nonce_print(struct isakmp_gen *, u_char *,
  +-    u_int32_t, u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  ++static u_char *isakmp_hash_print(struct isakmp_gen *, u_char *, u_int32_t,
  ++    u_int32_t, u_int32_t, int);
  ++static u_char *isakmp_nonce_print(struct isakmp_gen *, u_char *, u_int32_t,
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_n_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_d_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  + static u_char *isakmp_vid_print(struct isakmp_gen *, u_char *, u_int32_t,
  +-    u_int32_t, u_int32_t);
  +-static u_char *isakmp_sub0_print(u_char, struct isakmp_gen *, u_char *,
  +-    u_int32_t, u_int32_t, u_int32_t);
  +-static u_char *isakmp_sub_print(u_char, struct isakmp_gen *, u_char *,
  +-    u_int32_t, u_int32_t, u_int32_t);
  ++    u_int32_t, u_int32_t, int);
  ++static u_char *isakmp_sub0_print(u_char, struct isakmp_gen *, u_char *, u_int32_t,
  ++    u_int32_t, u_int32_t, int);
  ++static u_char *isakmp_sub_print(u_char, struct isakmp_gen *, u_char *, u_int32_t,
  ++    u_int32_t, u_int32_t, int);
  + static char *numstr(int);
  + static void safememcpy(void *, void *, size_t);
  + 
  +@@ -121,7 +121,7 @@
  + 
  + /* isakmp->np */
  + static u_char *(*npfunc[])(struct isakmp_gen *, u_char *, u_int32_t,
  +-            u_int32_t, u_int32_t) = {
  ++            u_int32_t, u_int32_t, int) = {
  +     NULL,
  +     isakmp_sa_print,
  +     isakmp_p_print,
  +@@ -333,7 +333,7 @@
  + rawprint(caddr_t loc, size_t len)
  + {
  +     static u_char *p;
  +-    int i;
  ++    size_t i;
  + 
  +     p = (u_char *)loc;
  +     for (i = 0; i < len; i++)
  +@@ -342,7 +342,7 @@
  + 
  + struct attrmap {
  +     char *type;
  +-    int nvalue;
  ++    u_int nvalue;
  +     char *value[30];        /*XXX*/
  + };
  + 
  +@@ -418,7 +418,7 @@
  + 
  + static u_char *
  + isakmp_sa_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi0, u_int32_t proto0)
  ++    u_int32_t doi0, u_int32_t proto0, int depth)
  + {
  +     struct isakmp_pl_sa *p, sa;
  +     u_int32_t *q;
  +@@ -462,14 +462,14 @@
  + 
  +     ext = (struct isakmp_gen *)np;
  + 
  +-    cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0);
  ++    cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, depth);
  + 
  +     return cp;
  + }
  + 
  + static u_char *
  + isakmp_p_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi0, u_int32_t proto0)
  ++    u_int32_t doi0, u_int32_t proto0, int depth)
  + {
  +     struct isakmp_pl_p *p, prop;
  +     u_char *cp;
  +@@ -488,7 +488,7 @@
  +     ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
  + 
  +     cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
  +-            prop.prot_id);
  ++            prop.prot_id, depth);
  + 
  +     return cp;
  + }
  +@@ -551,7 +551,7 @@
  + 
  + static u_char *
  + isakmp_t_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     struct isakmp_pl_t *p, t;
  +     u_char *cp;
  +@@ -613,7 +613,7 @@
  + 
  + static u_char *
  + isakmp_ke_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     struct isakmp_gen e;
  + 
  +@@ -630,7 +630,7 @@
  + 
  + static u_char *
  + isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  + #define USE_IPSECDOI_IN_PHASE1      1
  +     struct isakmp_pl_id *p, id;
  +@@ -766,7 +766,7 @@
  + 
  + static u_char *
  + isakmp_cert_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi0, u_int32_t proto0)
  ++    u_int32_t doi0, u_int32_t proto0, int depth)
  + {
  +     struct isakmp_pl_cert *p, cert;
  +     static char *certstr[] = {
  +@@ -790,7 +790,7 @@
  + 
  + static u_char *
  + isakmp_cr_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi0, u_int32_t proto0)
  ++    u_int32_t doi0, u_int32_t proto0, int depth)
  + {
  +     struct isakmp_pl_cert *p, cert;
  +     static char *certstr[] = {
  +@@ -814,7 +814,7 @@
  + 
  + static u_char *
  + isakmp_hash_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     struct isakmp_gen e;
  + 
  +@@ -831,7 +831,7 @@
  + 
  + static u_char *
  + isakmp_sig_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     struct isakmp_gen e;
  + 
  +@@ -848,7 +848,7 @@
  + 
  + static u_char *
  + isakmp_nonce_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     struct isakmp_gen e;
  + 
  +@@ -865,7 +865,7 @@
  + 
  + static u_char *
  + isakmp_n_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi0, u_int32_t proto0)
  ++    u_int32_t doi0, u_int32_t proto0, int depth)
  + {
  +     struct isakmp_pl_n *p, n;
  +     u_char *cp;
  +@@ -955,8 +955,9 @@
  +                             (*(u_int32_t *)cp) ? "en" : "dis");
  +                     break;
  +             case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
  +-                    isakmp_sub_print(ISAKMP_NPTYPE_SA,
  +-                            (struct isakmp_gen *)cp, ep, phase, doi, proto);
  ++                    if (isakmp_sub_print(ISAKMP_NPTYPE_SA,
  ++                        (struct isakmp_gen *)cp, ep, phase, doi, proto, depth) == 
NULL)
  ++                            return NULL;
  +                     break;
  +             default:
  +                     /* NULL is dummy */
  +@@ -971,7 +972,7 @@
  + 
  + static u_char *
  + isakmp_d_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi0, u_int32_t proto0)
  ++    u_int32_t doi0, u_int32_t proto0, int depth)
  + {
  +     struct isakmp_pl_d *p, d;
  +     u_int8_t *q;
  +@@ -1007,7 +1008,7 @@
  + 
  + static u_char *
  + isakmp_vid_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
  +-    u_int32_t doi, u_int32_t proto)
  ++    u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     struct isakmp_gen e;
  + 
  +@@ -1024,7 +1025,7 @@
  + 
  + static u_char *
  + isakmp_sub0_print(u_char np, struct isakmp_gen *ext, u_char *ep,
  +-    u_int32_t phase, u_int32_t doi, u_int32_t proto)
  ++    u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     u_char *cp;
  +     struct isakmp_gen e;
  +@@ -1053,10 +1053,9 @@
  + 
  + static u_char *
  + isakmp_sub_print(u_char np, struct isakmp_gen *ext, u_char *ep,
  +-    u_int32_t phase, u_int32_t doi, u_int32_t proto)
  ++    u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
  + {
  +     u_char *cp;
  +-    static int depth = 0;
  +     int i;
  +     struct isakmp_gen e;
  + 
  +@@ -1075,7 +1080,7 @@
  +             for (i = 0; i < depth; i++)
  +                     printf("    ");
  +             printf("(");
  +-            cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
  ++            cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto, depth);
  +             printf(")");
  +             depth--;
  + 
  +@@ -1180,35 +1185,36 @@
  +             printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "",
  +                     base.flags & ISAKMP_FLAG_C ? "C" : "");
  +     }
  +-    printf(":");
  + 
  +-    {
  +-    struct isakmp_gen *ext;
  +-    int nparen;
  ++    if (vflag) {
  ++            struct isakmp_gen *ext;
  ++            int nparen;
  + 
  + #define CHECKLEN(p, np) \
  +-    if (ep < (u_char *)(p)) {                               \
  +-            printf(" [|%s]", NPSTR(np));                    \
  +-            goto done;                                      \
  +-    }
  ++            if (ep < (u_char *)(p)) {                               \
  ++                    printf(" [|%s]", NPSTR(np));                    \
  ++                    goto done;                                      \
  ++            }
  + 
  +-    /* regardless of phase... */
  +-    if (base.flags & ISAKMP_FLAG_E) {
  +-            /*
  +-             * encrypted, nothing we can do right now.
  +-             * we hope to decrypt the packet in the future...
  +-             */
  +-            printf(" [encrypted %s]", NPSTR(base.np));
  +-            goto done;
  +-    }
  ++            printf(":");
  + 
  +-    nparen = 0;
  +-    CHECKLEN(p + 1, base.np)
  ++            /* regardless of phase... */
  ++            if (base.flags & ISAKMP_FLAG_E) {
  ++                    /*
  ++                     * encrypted, nothing we can do right now.
  ++                     * we hope to decrypt the packet in the future...
  ++                     */
  ++                    printf(" [encrypted %s]", NPSTR(base.np));
  ++                    goto done;
  ++            }
  + 
  +-    np = base.np;
  +-    ext = (struct isakmp_gen *)(p + 1);
  +-    isakmp_sub_print(np, ext, ep, phase, 0, 0);
  +-    }
  ++            nparen = 0;
  ++            CHECKLEN(p + 1, base.np)
  ++
  ++            np = base.np;
  ++            ext = (struct isakmp_gen *)(p + 1);
  ++            isakmp_sub_print(np, ext, ep, phase, 0, 0, 0);
  ++    }
  + 
  + done:
  +     if (vflag) {
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0989 (isakmp)
  +    tcpdump before 3.8.1 allows remote attackers to cause a denial of
  +    service (infinite loop) via certain ISAKMP packets, a different
  +    vulnerability than CAN-2004-0057.
  +
  +Index: print-isakmp.c
  +--- print-isakmp.c.CAN-2003-0989     2004-01-15 16:30:04.000000000 +0100
  ++++ print-isakmp.c   2004-01-15 16:31:28.000000000 +0100
  +@@ -1033,20 +1034,25 @@
  +     cp = (u_char *)ext;
  +     safememcpy(&e, ext, sizeof(e));
  + 
  +-    if (NPFUNC(np))
  +-            cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
  +-    else {
  ++    /*
  ++     * Since we can't have a payload length of less than 4 bytes,
  ++     * we need to bail out here if the generic header is nonsensical
  ++     * or truncated, otherwise we could loop forever processing
  ++     * zero-length items or otherwise misdissect the packet.
  ++     */
  ++    item_len = ntohs(e.len);
  ++    if (item_len <= 4)
  ++            return NULL;
  ++
  ++    if (NPFUNC(np)) {
  ++            /*
  ++             * XXX - what if item_len is too short, or too long,
  ++             * for this payload type?
  ++             */
  ++            cp = (*NPFUNC(np))(ext, ep, phase, doi, proto, depth);
  ++    } else {
  +             printf("%s", NPSTR(np));
  +-            item_len = ntohs(e.len);
  +-            if (item_len == 0) {
  +-                    /*
  +-                     * We don't want to loop forever processing this
  +-                     * bogus (zero-length) item; return NULL so that
  +-                     * we stop dissecting.
  +-                     */
  +-                    cp = NULL;
  +-            } else
  +-                    cp += item_len;
  ++            cp += item_len;
  +     }
  +     return cp;
  + }
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1029 (l2tp)
  +    The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote
  +    attackers to cause a denial of service (infinite loop and memory
  +    consumption) via a packet with invalid data to UDP port 1701,
  +    which causes l2tp_avp_print to use a bad length value when calling
  +    print_octets.
  +
  +diff -u -d -u -d -r1.16 -r1.17
  +--- print-l2tp.c.CAN-2003-1029       16 Nov 2003 09:36:26 -0000      1.16
  ++++ print-l2tp.c     26 Dec 2003 23:20:58 -0000      1.17
  +@@ -474,8 +474,17 @@
  +     TCHECK(*ptr);   /* Flags & Length */
  +     len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
  + 
  +-    /* If it is not long enough to decode the entire AVP, we'll 
  +-       abandon. */
  ++    /* If it is not long enough to contain the header, we'll give up. */
  ++    if (len < 6)
  ++            goto trunc;
  ++
  ++    /* If it goes past the end of the remaining length of the packet,
  ++       we'll give up. */
  ++    if (len > (u_int)length)
  ++            goto trunc;
  ++
  ++    /* If it goes past the end of the remaining length of the captured
  ++       data, we'll give up. */
  +     TCHECK2(*ptr, len);
  +     /* After this point, no need to worry about truncation */
  + 
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055 (radius)
  +    The print_attr_string function in print-radius.c for tcpdump 3.8.1
  +    and earlier allows remote attackers to cause a denial of service
  +    (segmentation fault) via a RADIUS attribute with a large length
  +    value.
  +
  +Index: print-radius.c
  +===================================================================
  +RCS file: /tcpdump/master/tcpdump/print-radius.c,v
  +retrieving revision 1.23
  +retrieving revision 1.24
  +diff -u -d -u -d -r1.23 -r1.24
  +--- print-radius.c.CAN-2004-0055     15 Dec 2003 13:52:15 -0000      1.23
  ++++ print-radius.c   7 Jan 2004 08:00:52 -0000       1.24
  +@@ -476,7 +476,7 @@
  +         break;
  +    }
  + 
  +-   for (i=0; i < length ; i++, data++)
  ++   for (i=0; *data && i < length ; i++, data++)
  +        printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
  + 
  +    return;
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057 (isakmp)
  +    The rawprint function in the ISAKMP decoding routines
  +    (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote
  +    attackers to cause a denial of service (segmentation fault) via
  +    malformed ISAKMP packets that cause invalid "len" or "loc" values to
  +    be used in a loop, a different vulnerability than CAN-2003-0989.
  +
  +Index: print-isakmp.c
  +===================================================================
  +RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
  +retrieving revision 1.41
  +retrieving revision 1.42
  +diff -u -d -u -d -r1.41 -r1.42
  +--- print-isakmp.c.CAN-2004-0057     20 Dec 2003 10:03:19 -0000      1.41
  ++++ print-isakmp.c   7 Jan 2004 08:00:51 -0000       1.42
  +@@ -327,9 +327,13 @@
  +     static u_char *p;
  +     size_t i;
  + 
  ++    TCHECK2(*loc, len);
  ++    
  +     p = (u_char *)loc;
  +     for (i = 0; i < len; i++)
  +             printf("%02x", p[i] & 0xff);
  ++trunc:
  ++   return;
  + }
  + 
  + struct attrmap {
  +@@ -1111,6 +1115,8 @@
  +     cp = (const u_char *)ext;
  + 
  +     while (np) {
  ++            TCHECK2(*ext, sizeof(e));
  ++            
  +             safememcpy(&e, ext, sizeof(e));
  + 
  +             if (ep < (u_char *)ext + ntohs(e.len)) {
  +@@ -1136,6 +1142,8 @@
  +             ext = (struct isakmp_gen *)cp;
  +     }
  +     return cp;
  ++trunc:
  ++    return NULL;
  + }
  + 
  + static char *
  +
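Review bot: The RADIUS fix in print-radius.c, `for (i=0; *data && i < length ; i++, data++)`, still dereferences `*data` before checking that the byte lies inside the captured data, so the new NUL test only ends the loop early when a zero byte happens to appear; an over-long attribute `length` from the wire can still walk past the end of the capture unless print_attr_string bounds it before the loop, which this hunk does not show (the function starts and ends outside the hunk). The other fixes in the same patch guard exactly this with the capture macros, `TCHECK2(*loc, len);` in rawprint and `TCHECK(*ptr);` in l2tp_avp_print, so the loop could do the same: `for (i=0; i < length ; i++, data++) { TCHECK(*data); if (!*data) break; printf("%c",(*data < 32 || *data > 128) ? '.' : *data ); }` with a `trunc:` label added to print_attr_string. As a point of style, the `+   return;` after the new `trunc:` label in rawprint is indented with three spaces where the surrounding lines use four. Separately, `if (isakmp_sub_print(ISAKMP_NPTYPE_SA, ... depth) == ` is followed by `NULL)` on a line of its own, which looks like mail wrapping rather than patch content; a copy of this hunk taken from the list archive would not apply until those two lines are rejoined.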
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/tcpdump/tcpdump.spec
  ============================================================================
  $ cvs diff -u -r1.25.2.1.2.3 -r1.25.2.1.2.4 tcpdump.spec
  --- openpkg-src/tcpdump/tcpdump.spec  4 Mar 2003 09:45:17 -0000       1.25.2.1.2.3
  +++ openpkg-src/tcpdump/tcpdump.spec  16 Jan 2004 12:42:52 -0000      1.25.2.1.2.4
  @@ -33,7 +33,7 @@
   Group:        Network
   License:      GPL
   Version:      3.7.1
  -Release:      1.2.1
  +Release:      1.2.2
   
   #   list of sources
   Source0:      http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/news.txt
  ============================================================================
  $ cvs diff -u -r1.8098 -r1.8099 news.txt
  --- openpkg-web/news.txt      16 Jan 2004 12:38:57 -0000      1.8098
  +++ openpkg-web/news.txt      16 Jan 2004 12:42:50 -0000      1.8099
  @@ -1,3 +1,4 @@
  +16-Jan-2004: Upgraded package: P<tcpdump-3.7.1-1.2.2>
   16-Jan-2004: Upgraded package: P<tcpdump-3.7.2-1.3.1>
   16-Jan-2004: Upgraded package: P<gd-2.0.21-20040116>
   16-Jan-2004: Upgraded package: P<tcpdump-3.8.1-20040116>
  @@ .