tcpdump patch matrix; thl@dev.de.cw.com

                           tcpdump    371   371   372   381
                           OpenPKG    120   121   130   20020822
                                      ---   ---   ---   ---
CAN-2002-0380  nfs                     y     n     n     n      see past OpenPKG-SA-2003.014-tcpdump
CAN-2002-1350  bgp                     y     n     n     n      see past OpenPKG-SA-2003.014-tcpdump
CAN-2003-0108  isakmp                  y     n     n     n      see past OpenPKG-SA-2003.014-tcpdump
               depth                   y     y     y     n      (*)
CAN-2003-0989  isakmp                  y     y     y     n      updates CAN-2003-0108-isakmp
CAN-2003-1029  l2tp                    y     y     n     n
CAN-2004-0055  radius                  y     y     y     y
CAN-2004-0057  isakmp                  y     y     y     y

(*) The vendor code fix for CAN-2003-0108 had two other unrelated code
    changes piggybacked. We removed the cosmetics (constify) and extracted
    an enhancement (depth).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055 (radius)

The print_attr_string function in print-radius.c for tcpdump 3.8.1 and
earlier allows remote attackers to cause a denial of service (segmentation
fault) via a RADIUS attribute with a large length value.

Index: print-radius.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-radius.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -d -u -d -r1.23 -r1.24
--- print-radius.c.CAN-2004-0055	15 Dec 2003 13:52:15 -0000	1.23
+++ print-radius.c	7 Jan 2004 08:00:52 -0000	1.24
@@ -476,7 +476,7 @@ break; } - for (i=0; i < length ; i++, data++) + for (i=0; *data && i < length ; i++, data++) printf("%c",(*data < 32 || *data > 128) ? '.' : *data ); return; http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057 (isakmp) The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CAN-2003-0989. Index: print-isakmp.c =================================================================== RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v retrieving revision 1.41 retrieving revision 1.42 diff -u -d -u -d -r1.41 -r1.42 --- print-isakmp.c.CAN-2004-0057 20 Dec 2003 10:03:19 -0000 1.41 +++ print-isakmp.c 7 Jan 2004 08:00:51 -0000 1.42 @@ -327,9 +327,13 @@ static u_char *p; size_t i; + TCHECK2(*loc, len); + p = (u_char *)loc; for (i = 0; i < len; i++) printf("%02x", p[i] & 0xff); +trunc: + return; } struct attrmap { @@ -1111,6 +1115,8 @@ cp = (const u_char *)ext; while (np) { + TCHECK2(*ext, sizeof(e)); + safememcpy(&e, ext, sizeof(e)); if (ep < (u_char *)ext + ntohs(e.len)) { @@ -1136,6 +1142,8 @@ ext = (struct isakmp_gen *)cp; } return cp; +trunc: + return NULL; } static char *
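Review bot: In the print-radius.c hunk at @@ -476,7 +476,7 @@, the added `*data &&` condition only stops the loop at a NUL byte; it does not bound `data` against the end of the captured packet, so a capture that carries no terminator together with a large `length` still walks past the snapshot. A check of `length` against the remaining captured bytes (the `TCHECK2`-style test this same patch set uses in print-isakmp.c) would address the CAN-2004-0055 description directly instead of relying on a terminator being present. Separately, the unchanged `*data > 128` test lets bytes 127 and 128 through as printable; `> 126` would confine the output to printable ASCII.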
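Review bot: The `trunc:` label added in the print-isakmp.c hunk at @@ -327,9 +327,13 @@ returns silently, so when `TCHECK2(*loc, len)` fails the output gives no sign that the `len` bytes were cut off and a truncated dump is indistinguishable from an empty one; emitting a truncation marker before the `return` would make an over-long `len` visible to whoever reads the trace. Also, `p` is declared `static u_char *p;` inside the function although it is reassigned from `loc` on every call; a plain automatic variable would do and avoids any surprise if the routine is ever re-entered.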
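Review bot: `TCHECK2(*ext, sizeof(e))` in the hunk at @@ -1111,6 +1115,8 @@ verifies only that the generic header fits in the snapshot; the payload is bounded by the pre-existing `ep < (u_char *)ext + ntohs(e.len)` comparison on the following line. The two checks cover different things, and a one-line comment saying so would stop a later reader from treating the TCHECK2 as a complete bound for the extension and dropping the `ep` test. The comparison also does not reject an `e.len` smaller than `sizeof(e)`, that is, an extension shorter than its own header; that case is worth rejecting explicitly.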
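Review bot: The new `trunc: return NULL;` in the hunk at @@ -1136,6 +1142,8 @@ changes the function's contract: it previously returned `cp` unconditionally, and nothing in this patch shows the call sites being updated to test for NULL. Every caller that uses the returned pointer for further parsing needs a NULL check, otherwise the over-read this hunk prevents becomes a NULL dereference on the same malformed packet.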
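Both CVE descriptions above come down to the same defect: a length field taken from the packet drives a loop with no check against the end of the captured bytes. The following is an added example, not tcpdump's code and not part of the OpenPKG advisory: a minimal RADIUS attribute-string printer in C that bounds the value by both the attribute's length octet and the end of the capture, so an attribute whose claimed length exceeds what was captured is rejected instead of read past the buffer. The function names, the output-buffer interface and the sample attribute bytes are constructed for this example; the type/length/value attribute layout follows RFC 2865.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example (not tcpdump code): render a RADIUS attribute value as
 * printable text, bounded by both the attribute's own length and the end
 * of the captured bytes (snapend), which is the check the CAN-2004-0055
 * loop lacked. Returns the number of bytes rendered, or -1 if the
 * attribute claims more bytes than were captured or out is too small. */
int render_attr_string(const uint8_t *data, size_t length,
                       const uint8_t *snapend, char *out, size_t outsz)
{
    size_t i;

    /* Reject before touching a single byte: the value must lie entirely
     * inside the captured packet. */
    if (data > snapend || length > (size_t)(snapend - data))
        return -1;
    if (outsz == 0 || length >= outsz)   /* room for the terminator */
        return -1;

    for (i = 0; i < length; i++)
        out[i] = (data[i] < 32 || data[i] > 126) ? '.' : (char)data[i];
    out[length] = '\0';
    return (int)length;
}

/* Parse one attribute (type octet, length octet, value) from a capture of
 * `captured` bytes starting at attr and render its value. Returns -1 when
 * the header is incomplete or the length field overruns the capture. */
int render_radius_attr(const uint8_t *attr, size_t captured,
                       char *out, size_t outsz)
{
    const uint8_t *snapend = attr + captured;
    size_t len;

    if (captured < 2)               /* not even a complete header */
        return -1;
    len = attr[1];
    if (len < 2)                    /* RFC 2865: length counts type+length */
        return -1;
    return render_attr_string(attr + 2, len - 2, snapend, out, outsz);
}

/* Constructed sample attributes (type 1 = User-Name). */
static const uint8_t sample_attr[] = { 0x01, 0x07, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t bogus_attr[]  = { 0x01, 0xff, 'a', 'b', 'c', 'd', 'e' };
static const uint8_t ctrl_attr[]   = { 0x01, 0x05, 'a', 0x01, 'b' };

int main(void)
{
    char buf[64];

    /* Full capture: renders "alice", returns 5. */
    printf("%d %s\n",
           render_radius_attr(sample_attr, sizeof sample_attr, buf, sizeof buf),
           buf);
    /* Same bytes with the capture cut short at 4 bytes: rejected (-1). */
    printf("%d\n", render_radius_attr(sample_attr, 4, buf, sizeof buf));
    /* Length octet 0xff but only 7 bytes captured: rejected (-1). */
    printf("%d\n", render_radius_attr(bogus_attr, sizeof bogus_attr, buf, sizeof buf));
    /* Control byte in the value is replaced by '.', giving "a.b". */
    printf("%d %s\n",
           render_radius_attr(ctrl_attr, sizeof ctrl_attr, buf, sizeof buf),
           buf);
    return 0;
}
```

The point of the split into two functions is that the bounds decision is made once, up front, from the capture end rather than from packet contents; a NUL terminator in the data is not involved, so a value that happens to contain no zero byte is handled exactly like one that does.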