Bug#973917: buster-pu: package tcpdump/4.9.3-1~deb10u2

2020-11-19 Thread Romain Francoise
Hi Adam,

On Thu, Nov 19, 2020 at 9:31 PM Adam D. Barratt wrote:
> Please go ahead.

Thanks, uploaded.



Bug#973917: buster-pu: package tcpdump/4.9.3-1~deb10u2

2020-11-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2020-11-07 at 12:45 +, Romain Francoise wrote:
> I am seeking permission to upload a new version of tcpdump to
> stable-proposed-updates to address CVE-2020-8037 (bug #973877).
> 

Please go ahead.

Regards,

Adam



Bug#973917: buster-pu: package tcpdump/4.9.3-1~deb10u2

2020-11-07 Thread Romain Francoise
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I am seeking permission to upload a new version of tcpdump to
stable-proposed-updates to address CVE-2020-8037 (bug #973877).

Full debdiff attached.

Thanks,
diffstat for tcpdump-4.9.3 tcpdump-4.9.3

 changelog                        |    7
 patches/series                   |    1
 patches/upstream-32027e1993.diff |   61 +++
 3 files changed, 69 insertions(+)

diff -Nru tcpdump-4.9.3/debian/changelog tcpdump-4.9.3/debian/changelog
--- tcpdump-4.9.3/debian/changelog  2019-10-19 16:55:18.0 +0200
+++ tcpdump-4.9.3/debian/changelog  2020-11-07 13:36:24.0 +0100
@@ -1,3 +1,10 @@
+tcpdump (4.9.3-1~deb10u2) buster; urgency=high
+
+  * Cherry-pick commit 32027e1993 from the upstream tcpdump-4.9 branch to fix
+untrusted input issue in the PPP printer (CVE-2020-8037, closes: #973877).
+
+ -- Romain Francoise   Sat, 07 Nov 2020 13:36:24 +0100
+
 tcpdump (4.9.3-1~deb10u1) buster-security; urgency=high
 
   * New upstream release, with fixes for 24 different CVEs (closes: #941698).
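
Review bot: The new changelog entry describes the fix only as an "untrusted input issue in the PPP printer", which does not tell someone reading the stable update what actually changes. The cherry-picked commit's own subject, "PPP: When un-escaping, don't allocate a too-large buffer", is more specific; wording the entry along those lines would make it self-explanatory next to the CVE number.
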
diff -Nru tcpdump-4.9.3/debian/patches/series 
tcpdump-4.9.3/debian/patches/series
--- tcpdump-4.9.3/debian/patches/series 2019-10-19 00:20:22.0 +0200
+++ tcpdump-4.9.3/debian/patches/series 2020-11-07 13:34:47.0 +0100
@@ -2,3 +2,4 @@
 man-section.diff
 platform-quirks.diff
 disable-tests.diff
+upstream-32027e1993.diff
diff -Nru tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff 
tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff
--- tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff   1970-01-01 
01:00:00.0 +0100
+++ tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff   2020-11-07 
13:34:39.0 +0100
@@ -0,0 +1,61 @@
+commit 32027e199368dad9508965aae8cd8de5b6ab5231
+Author: Guy Harris 
+Date:   Sat Apr 18 14:04:59 2020 -0700
+
+PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 891761728b..33fb034127 100644
+--- a/print-ppp.c
 b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+   return 0;
+ }
+ 
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+  const u_char *p, int length)
+ {
++  u_int caplen = ndo->ndo_snapend - p;
+   u_char *b, *t, c;
+   const u_char *s;
+-  int i, proto;
++  u_int i;
++  int proto;
+   const void *se;
+ 
++  if (caplen == 0)
++  return;
++
+ if (length <= 0)
+ return;
+ 
+-  b = (u_char *)malloc(length);
++  b = (u_char *)malloc(caplen);
+   if (b == NULL)
+   return;
+ 
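
Review bot: In the new declarations of ppp_hdlc(), `u_int caplen = ndo->ndo_snapend - p;` stores a pointer difference in an unsigned variable without first checking that p is not already past ndo_snapend. If that ever happened the value would wrap to a very large number, pass the `caplen == 0` test and be handed to malloc(). An explicit early return when `p >= ndo->ndo_snapend`, placed before the subtraction, would make the assumption visible and cover the zero case as well. The `length <= 0` check is kept even though length no longer sizes the buffer, so the new block comment could also say what length is still used for.
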
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+* Do this so that we dont overwrite the original packet
+* contents.
+*/
+-  for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++  for (s = p, t = b, i = caplen; i != 0; i--) {
+   c = *s++;
+   if (c == 0x7d) {
+-  if (i <= 1 || !ND_TTEST(*s))
++  if (i <= 1)
+   break;
+   i--;
+   c = *s++ ^ 0x20;
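
Review bot: The rewritten copy loop is bounded only by caplen (`for (s = p, t = b, i = caplen; i != 0; i--)`), so if the length argument is smaller than the captured bytes remaining, the loop now un-escapes data beyond the frame length the caller passed in. Starting i at the smaller of caplen and length would respect both limits. Dropping the ND_TTEST(*s) calls is consistent with that bound, since i never exceeds the captured bytes, but a one-line comment stating that caplen is what keeps the reads in bounds would help the next reader.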