Bug#781362: tcpdump: regression after fix CVE-2015-2153

2015-04-04 Thread Romain Francoise
On Sat, Mar 28, 2015 at 01:14:06AM +0100, Artur Rona wrote:
 In Ubuntu, we've applied the attached patch to achieve the following:

   * debian/patches/60_cve-2015-2153-fix-regression.diff:
 - Fix regression due to 60_cve-2015-2153.diff

 We thought you might be interested in doing the same.

Indeed I do, thanks for the heads-up.

-- 
Romain Francoise rfranco...@debian.org
http://people.debian.org/~rfrancoise/





Bug#781362: tcpdump: regression after fix CVE-2015-2153

2015-03-27 Thread Artur Rona

Package: src:tcpdump
Version: 4.6.2-4
Tags: patch
Usertags: origin-ubuntu ubuntu-patch vivid

In Ubuntu, we've applied the attached patch to achieve the following:

  * debian/patches/60_cve-2015-2153-fix-regression.diff:
- Fix regression due to 60_cve-2015-2153.diff

We thought you might be interested in doing the same.

Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems.
 - Fix/add ND_TCHECK2 tests,
 - Fix a buffer overflow,
 - Remove a debug printf
Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695

diff -pruN -x '*~' tcpdump-4.6.2.orig/print-rpki-rtr.c tcpdump-4.6.2/print-rpki-rtr.c
--- tcpdump-4.6.2.orig/print-rpki-rtr.c	2015-03-22 12:55:55.349173971 +0100
+++ tcpdump-4.6.2/print-rpki-rtr.c	2015-03-22 12:49:56.987396951 +0100
@@ -178,7 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *
 pdu_header = (rpki_rtr_pdu *)tptr;
 pdu_type = pdu_header-pdu_type;
 pdu_len = EXTRACT_32BITS(pdu_header-length);
-ND_TCHECK2(tptr, pdu_len);
+ND_TCHECK2(*tptr, pdu_len);
 hexdump = FALSE;
 
 ND_PRINT((ndo, %sRPKI-RTRv%u, %s PDU (%u), length: %u,
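Review bot: `ND_TCHECK2(*tptr, pdu_len)` is the correct form and is the real fix in this hunk: the macro takes an lvalue and takes its address internally, so the earlier `ND_TCHECK2(tptr, pdu_len)` was bounds-checking the stack location of the local pointer variable, not the `pdu_len` packet bytes it points at, which means the earlier check was not testing packet data at all. What the hunk still leaves open is that `pdu_header->pdu_type` and `pdu_header->length` are extracted on the lines above before any check runs, and a small `pdu_len` (smaller than the header) satisfies the new check without covering the header itself; unless the caller guarantees a full header is captured, an `ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu))` ahead of the extracts would close that.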
@@ -255,6 +255,7 @@ rpki_rtr_pdu_print (netdissect_options *
 
 	pdu = (rpki_rtr_pdu_error_report *)tptr;
 	encapsulated_pdu_length = EXTRACT_32BITS(pdu-encapsulated_pdu_length);
+	ND_TCHECK2(*tptr, encapsulated_pdu_length);
 	tlen = pdu_len;
 
 	error_code = EXTRACT_16BITS(pdu-pdu_header.u.error_code);
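Review bot: the new `ND_TCHECK2(*tptr, encapsulated_pdu_length)` is anchored at `tptr`, which at this point still addresses the start of the error-report PDU (`pdu` is cast from it on the line above), while in the protocol the encapsulated PDU begins after that header, so the check covers `sizeof(*pdu)` fewer bytes than the encapsulated PDU actually occupies. Either move the check to the point where the encapsulated PDU is dissected, or make it `ND_TCHECK2(*tptr, sizeof(*pdu) + encapsulated_pdu_length)` here. Separately, this is a capture-length test only; it does not replace comparing `encapsulated_pdu_length` against `tlen` (set to `pdu_len` just below), which is what stops a malformed length from walking past the end of this PDU.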
@@ -287,9 +288,10 @@ rpki_rtr_pdu_print (netdissect_options *
 		tptr += 4;
 		tlen -= 4;
 	}
+	ND_TCHECK2(*tptr, text_length);
 	if (text_length  (text_length = tlen )) {
 		memcpy(buf, tptr, min(sizeof(buf)-1, text_length));
-		buf[text_length] = '\0';
+		buf[min(sizeof(buf) - 1, text_length)] = '\0';
 		ND_PRINT((ndo, %sError text: %s, indent_string(indent+2), buf));
 	}
 	}
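Review bot: the terminator change is the one with security impact and it is correct: `memcpy` already truncates to `sizeof(buf)-1`, but the old `buf[text_length] = '\0'` placed the NUL at the untruncated offset, a one-byte write past `buf` for any `text_length >= sizeof(buf)`. Two tidy-ups: compute `min(sizeof(buf) - 1, text_length)` once into a local and use it for both the `memcpy` and the terminator, and consider moving the new `ND_TCHECK2(*tptr, text_length)` inside the `text_length`/`tlen` guard that follows it, so a `text_length` that merely exceeds the PDU is handled as a malformed field rather than reported as a truncated capture.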
@@ -336,13 +338,13 @@ rpki_rtr_print(netdissect_options *ndo,
 	pdu_header = (rpki_rtr_pdu *)tptr;
 pdu_type = pdu_header-pdu_type;
 pdu_len = EXTRACT_32BITS(pdu_header-length);
+	ND_TCHECK2(*tptr, pdu_len);
 
 /* infinite loop check */
 if (!pdu_type || !pdu_len) {
 break;
 }
 
-ND_TCHECK2(*tptr, pdu_len);
 if (tlen  pdu_len) {
 goto trunc;
 }
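Review bot: `pdu_header->pdu_type` and `pdu_header->length` are still extracted on the lines above before anything has confirmed that `sizeof(rpki_rtr_pdu)` bytes are captured, so a capture cut inside the header is read before it is checked; add `ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu))` (or an equivalent `tlen` minimum) before the extracts. Hoisting `ND_TCHECK2(*tptr, pdu_len)` above the `!pdu_type || !pdu_len` break is harmless for the zero-length case (a zero length trivially passes and the loop still exits), and since that check and the `tlen < pdu_len` comparison both end at `trunc`, their relative order is a matter of taste.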