openpkg-packages/tcpdump/tcpdump.patch


    tcpdump patch patrix; thl@dev.de.cw.com

                  tcpdump   371 371 372 381
                  OpenPKG   120 121 130 20020822
                            --- --- --- ---
  CAN-2002-0380 nfs      y   n   n   n   see past OpenPKG-SA-2003.014-tcpdump
  CAN-2002-1350 bgp      y   n   n   n   see past OpenPKG-SA-2003.014-tcpdump
  CAN-2003-0108 isakmp   y   n   n   n   see past OpenPKG-SA-2003.014-tcpdump
                depth    y   y   y   n   (*)
  CAN-2003-0989 isakmp   y   y   y   n   updates CAN-2003-0108-isakmp
  CAN-2003-1029 l2tp     y   y   n   n
  CAN-2004-0055 radius   y   y   y   y
  CAN-2004-0057 isakmp   y   y   y   y

  (*) the vendor code fix for CAN-2003-0108 had two other unrelated code
      changes piggybacked. We removed the cosmetics (constify) and
      extracted an enhancement (depth).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055 (radius)
    The print_attr_string function in print-radius.c for tcpdump 3.8.1
    and earlier allows remote attackers to cause a denial of service
    (segmentation fault) via a RADIUS attribute with a large length
    value.

Index: print-radius.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-radius.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -d -u -d -r1.23 -r1.24
--- print-radius.c.CAN-2004-0055	15 Dec 2003 13:52:15 -0000	1.23
+++ print-radius.c	7 Jan 2004 08:00:52 -0000	1.24
@@ -476,7 +476,7 @@
         break;
    }
 
-   for (i=0; i < length ; i++, data++)
+   for (i=0; *data && i < length ; i++, data++)
        printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
 
    return;

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057 (isakmp)
    The rawprint function in the ISAKMP decoding routines
    (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote
    attackers to cause a denial of service (segmentation fault) via
    malformed ISAKMP packets that cause invalid "len" or "loc" values to
    be used in a loop, a different vulnerability than CAN-2003-0989.

Index: print-isakmp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -d -u -d -r1.41 -r1.42
--- print-isakmp.c.CAN-2004-0057	20 Dec 2003 10:03:19 -0000	1.41
+++ print-isakmp.c	7 Jan 2004 08:00:51 -0000	1.42
@@ -327,9 +327,13 @@
 	static u_char *p;
 	size_t i;
 
+	TCHECK2(*loc, len);
+	
 	p = (u_char *)loc;
 	for (i = 0; i < len; i++)
 		printf("%02x", p[i] & 0xff);
+trunc:
+   return;
 }
 
 struct attrmap {
@@ -1111,6 +1115,8 @@
 	cp = (const u_char *)ext;
 
 	while (np) {
+		TCHECK2(*ext, sizeof(e));
+		
 		safememcpy(&e, ext, sizeof(e));
 
 		if (ep < (u_char *)ext + ntohs(e.len)) {
@@ -1136,6 +1142,8 @@
 		ext = (struct isakmp_gen *)cp;
 	}
 	return cp;
+trunc:
+	return NULL;
 }
 
 static char *
SA-2004.002-tcpdump; CAN-2004-0055, CAN-2004-0057 22 years ago
			`tcpdump patch patrix; thl@dev.de.cw.com`

			`tcpdump 371 371 372 381`
			`OpenPKG 120 121 130 20020822`
			`--- --- --- ---`
			`CAN-2002-0380 nfs y n n n see past OpenPKG-SA-2003.014-tcpdump`
			`CAN-2002-1350 bgp y n n n see past OpenPKG-SA-2003.014-tcpdump`
			`CAN-2003-0108 isakmp y n n n see past OpenPKG-SA-2003.014-tcpdump`
			`depth y y y n (*)`
			`CAN-2003-0989 isakmp y y y n updates CAN-2003-0108-isakmp`
			`CAN-2003-1029 l2tp y y n n`
			`CAN-2004-0055 radius y y y y`
			`CAN-2004-0057 isakmp y y y y`

			`(*) the vendor code fix for CAN-2003-0108 had two other unrelated code`
			`changes piggybacked. We removed the cosmetics (constify) and`
			`extracted an enhancement (depth).`

			`http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055 (radius)`
			`The print_attr_string function in print-radius.c for tcpdump 3.8.1`
			`and earlier allows remote attackers to cause a denial of service`
			`(segmentation fault) via a RADIUS attribute with a large length`
			`value.`

			`Index: print-radius.c`
			`===================================================================`
			`RCS file: /tcpdump/master/tcpdump/print-radius.c,v`
			`retrieving revision 1.23`
			`retrieving revision 1.24`
			`diff -u -d -u -d -r1.23 -r1.24`
			`--- print-radius.c.CAN-2004-0055 15 Dec 2003 13:52:15 -0000 1.23`
			`+++ print-radius.c 7 Jan 2004 08:00:52 -0000 1.24`
			`@@ -476,7 +476,7 @@`
			`break;`
			`}`

			`- for (i=0; i < length ; i++, data++)`
			`+ for (i=0; *data && i < length ; i++, data++)`
			`printf("%c",(data < 32 \|\| data > 128) ? '.' : *data );`

			`return;`

			`http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057 (isakmp)`
			`The rawprint function in the ISAKMP decoding routines`
			`(print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote`
			`attackers to cause a denial of service (segmentation fault) via`
			`malformed ISAKMP packets that cause invalid "len" or "loc" values to`
			`be used in a loop, a different vulnerability than CAN-2003-0989.`

			`Index: print-isakmp.c`
			`===================================================================`
			`RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v`
			`retrieving revision 1.41`
			`retrieving revision 1.42`
			`diff -u -d -u -d -r1.41 -r1.42`
			`--- print-isakmp.c.CAN-2004-0057 20 Dec 2003 10:03:19 -0000 1.41`
			`+++ print-isakmp.c 7 Jan 2004 08:00:51 -0000 1.42`
			`@@ -327,9 +327,13 @@`
			`static u_char *p;`
			`size_t i;`

			`+ TCHECK2(*loc, len);`
			`+`
			`p = (u_char *)loc;`
			`for (i = 0; i < len; i++)`
			`printf("%02x", p[i] & 0xff);`
			`+trunc:`
			`+ return;`
			`}`

			`struct attrmap {`
			`@@ -1111,6 +1115,8 @@`
			`cp = (const u_char *)ext;`

			`while (np) {`
			`+ TCHECK2(*ext, sizeof(e));`
			`+`
			`safememcpy(&e, ext, sizeof(e));`

			`if (ep < (u_char *)ext + ntohs(e.len)) {`
			`@@ -1136,6 +1142,8 @@`
			`ext = (struct isakmp_gen *)cp;`
			`}`
			`return cp;`
			`+trunc:`
			`+ return NULL;`
			`}`

			`static char *`