2 changed files with 94 additions and 1 deletions
@ -0,0 +1,91 @@
|
||||
|
||||
tcpdump patch patrix; thl@dev.de.cw.com
|
||||
|
||||
tcpdump 371 371 372 381
|
||||
OpenPKG 120 121 130 20020822
|
||||
--- --- --- ---
|
||||
CAN-2002-0380 nfs y n n n see past OpenPKG-SA-2003.014-tcpdump
|
||||
CAN-2002-1350 bgp y n n n see past OpenPKG-SA-2003.014-tcpdump
|
||||
CAN-2003-0108 isakmp y n n n see past OpenPKG-SA-2003.014-tcpdump
|
||||
depth y y y n (*)
|
||||
CAN-2003-0989 isakmp y y y n updates CAN-2003-0108-isakmp
|
||||
CAN-2003-1029 l2tp y y n n
|
||||
CAN-2004-0055 radius y y y y
|
||||
CAN-2004-0057 isakmp y y y y
|
||||
|
||||
(*) the vendor code fix for CAN-2003-0108 had two other unrelated code
|
||||
changes piggybacked. We removed the cosmetics (constify) and
|
||||
extracted an enhancement (depth).
|
||||
|
||||
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055 (radius)
|
||||
The print_attr_string function in print-radius.c for tcpdump 3.8.1
|
||||
and earlier allows remote attackers to cause a denial of service
|
||||
(segmentation fault) via a RADIUS attribute with a large length
|
||||
value.
|
||||
|
||||
Index: print-radius.c
|
||||
===================================================================
|
||||
RCS file: /tcpdump/master/tcpdump/print-radius.c,v
|
||||
retrieving revision 1.23
|
||||
retrieving revision 1.24
|
||||
diff -u -d -u -d -r1.23 -r1.24
|
||||
--- print-radius.c.CAN-2004-0055 15 Dec 2003 13:52:15 -0000 1.23
|
||||
+++ print-radius.c 7 Jan 2004 08:00:52 -0000 1.24
|
||||
@@ -476,7 +476,7 @@
|
||||
break;
|
||||
}
|
||||
|
||||
- for (i=0; i < length ; i++, data++)
|
||||
+ for (i=0; *data && i < length ; i++, data++)
|
||||
printf("%c",(*data < 32 || *data > 128) ? '.' : *data );
|
||||
|
||||
return;
|
||||
|
||||
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057 (isakmp)
|
||||
The rawprint function in the ISAKMP decoding routines
|
||||
(print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote
|
||||
attackers to cause a denial of service (segmentation fault) via
|
||||
malformed ISAKMP packets that cause invalid "len" or "loc" values to
|
||||
be used in a loop, a different vulnerability than CAN-2003-0989.
|
||||
|
||||
Index: print-isakmp.c
|
||||
===================================================================
|
||||
RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
|
||||
retrieving revision 1.41
|
||||
retrieving revision 1.42
|
||||
diff -u -d -u -d -r1.41 -r1.42
|
||||
--- print-isakmp.c.CAN-2004-0057 20 Dec 2003 10:03:19 -0000 1.41
|
||||
+++ print-isakmp.c 7 Jan 2004 08:00:51 -0000 1.42
|
||||
@@ -327,9 +327,13 @@
|
||||
static u_char *p;
|
||||
size_t i;
|
||||
|
||||
+ TCHECK2(*loc, len);
|
||||
+
|
||||
p = (u_char *)loc;
|
||||
for (i = 0; i < len; i++)
|
||||
printf("%02x", p[i] & 0xff);
|
||||
+trunc:
|
||||
+ return;
|
||||
}
|
||||
|
||||
struct attrmap {
|
||||
@@ -1111,6 +1115,8 @@
|
||||
cp = (const u_char *)ext;
|
||||
|
||||
while (np) {
|
||||
+ TCHECK2(*ext, sizeof(e));
|
||||
+
|
||||
safememcpy(&e, ext, sizeof(e));
|
||||
|
||||
if (ep < (u_char *)ext + ntohs(e.len)) {
|
||||
@@ -1136,6 +1142,8 @@
|
||||
ext = (struct isakmp_gen *)cp;
|
||||
}
|
||||
return cp;
|
||||
+trunc:
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
static char *
|
||||
|
||||
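Review bot: In the print-radius.c hunk the new loop condition `*data && i < length` dereferences `data` before it tests the bound, so when the loop ends on `length` it has already read one byte past the attribute value; testing the bound first, `for (i=0; i < length && *data; i++, data++)`, avoids that. The loop also still ends only on a NUL byte or on the packet-supplied `length`, and nothing in the hunk ties either to the end of the captured data, so a `TCHECK2(data[0], length);` before the loop, in the same way the print-isakmp.c hunks in this file guard their reads, would be the sturdier check (it needs a `trunc:` label, and whether this function has one is not visible here). The enclosing function starts and ends outside the hunk, so an earlier length check may already exist and should be confirmed. In print-isakmp.c the function patched at `@@ -1111` and `@@ -1136` now returns `NULL` on truncation; its callers are not shown and should be checked to tolerate that before this patch file is shipped.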