Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 46258 - TCPDUMP: ISAKMP payload handling denial-of-service vulnerabilities
Summary: TCPDUMP: ISAKMP payload handling denial-of-service vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Highest blocker (vote)
Assignee: Gentoo Security
: 38206 (view as bug list)
Depends on: 38206
  Show dependency tree
Reported: 2004-03-30 10:40 UTC by Tobias Weisserth
Modified: 2004-04-06 13:21 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---
condordes: Assigned_To+


Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Weisserth 2004-03-30 10:40:32 UTC
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the
   packet display functions for the ISAKMP protocol.  Upon receiving
   specially crafted ISAKMP packets, TCPDUMP will try to read beyond
   the end of the packet capture buffer and crash.

The vendor was notified and they have released an updated version
   of TCPDUMP, version 3.8.2, which fixes these defects.  Subsequently,
   the version number was bumped to 3.8.3 to match libpcap.

See the URL for more info.

Reproducible: Always
Steps to Reproduce:
Comment 1 solar (RETIRED) gentoo-dev 2004-03-30 12:02:30 UTC

Feel free to start including your recommended tip for resolution on bugs you 
report. Also I know it may seem redundant but could you include the url in the 
body of the report. Reason: Any reporter/commenter can pretty much overwrite 
the  URL field here.

bumped portage to tcpdump-3.8.3
KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~ia64 ~amd64"

current stable tcpdump for arches looks like.
tcpdump-3.7.2.ebuild:KEYWORDS="x86 ppc sparc alpha mips hppa ia64"
tcpdump-3.8.1.ebuild:KEYWORDS="~x86 ppc sparc alpha ~mips hppa ia64 amd64"

Arch maintainers please test and mark stable when ready.
Comment 2 Jason Wever (RETIRED) gentoo-dev 2004-03-30 12:21:29 UTC
Are we going to be updating libpcap as well (as recommended in the advisory) or just tcpdump?
Comment 3 solar (RETIRED) gentoo-dev 2004-03-30 13:06:47 UTC
libpcap-0.8.3 just added to the portage tree as 
KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~amd64 ~ia64"
Comment 4 solar (RETIRED) gentoo-dev 2004-03-30 13:20:03 UTC
The depends on the tcpdump could use some love.
First arch testing please try current pcap.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2004-03-30 13:29:40 UTC
Seems to do the trick for me here with both old and new libpcap.  marked both libpcap and tcpdump stable on sparc.
Comment 6 solar (RETIRED) gentoo-dev 2004-03-30 13:31:31 UTC
mboman, others..

Do you know why libpcap.ebuild installs pcap to /usr/lib/ ?
Oversight or is this pkg supposed to have some funky magic going like 
openssl? Should it not be /usr/lib/ ?
Comment 7 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-30 23:06:19 UTC
AFAICT, this is a dup of bug 38206.
Comment 8 Jason Huebel (RETIRED) gentoo-dev 2004-03-31 11:19:40 UTC
stable on amd64
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 11:56:37 UTC
sparc, ppc, x86: plztest
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2004-03-31 11:59:52 UTC
It's already stable on sparc...
Comment 11 solar (RETIRED) gentoo-dev 2004-03-31 12:45:36 UTC
The QA going here has me worried.. You guys are marking stable without 
paying attention at all to comment #6 in regards to both libpcap which
is now KEYWORDS="~x86 ~ppc sparc ~alpha ~mips ~hppa amd64 ~ia64" and the
depends for tcpdump-3.8.3
Comment 12 Jason Wever (RETIRED) gentoo-dev 2004-03-31 12:49:43 UTC
Comment #6 didn't exist when I stabilized it.  If it's causing known breaks in programs I'm willing to downgrade it.
Comment 13 solar (RETIRED) gentoo-dev 2004-03-31 13:20:16 UTC
Also comment #4

Here is precisely what I think needs to happen for tcpdump.

-	ssl? ( >=dev-libs/openssl-0.6.9 )"
+	ssl? ( >=dev-libs/openssl-0.9.6m )"

And for libpcap
-	gcc -Wl,-soname, -shared -fPIC -o *.o
+	gcc -Wl,-soname, -shared -fPIC -o${PV:0:3} *.o
 	assert "couldn't make a shared lib"
@@ -31,9 +31,9 @@ src_install() {
 	einstall || die
 	insopts -m 755
-	insinto /usr/lib ; doins
-	dosym /usr/lib/ /usr/lib/
-	dosym /usr/lib/ /usr/lib/
+	insinto /usr/lib ; doins${PV:0:3}
+	dosym /usr/lib/${PV:0:3} /usr/lib/
+	dosym /usr/lib/${PV:0:3} /usr/lib/

On my local box I have made these changes then
emerge -C libpcap tcpdump
emerge tcpdump

I can merge these changes if a second developer says that these changes 
look like the ideal solution.
Comment 14 Jason Wever (RETIRED) gentoo-dev 2004-03-31 14:08:01 UTC
The changes work for me and look good.  If we want to make sure users are using them though, we may have to -r1 each of them since they are live for all ~arch users.
Comment 15 solar (RETIRED) gentoo-dev 2004-03-31 22:00:45 UTC
updated both packages in portage to -r1 and added generic metadata.xml to tcpdump
Comment 16 Andy Dustman 2004-04-01 09:19:16 UTC
See bug #37184 comment #14. -finline-functions needs to be filtered from CFLAGS for the same reasons as -O3; -O3 implies -finline-functions, and it is the real cause of the build problems. Here's the patch I came up with for 3.8.1:

--- tcpdump-3.8.1.ebuild        2004-01-15 09:37:48.000000000 -0500
+++ tcpdump-3.8.1-r1.ebuild     2004-02-11 09:26:35.146081000 -0500
@@ -22,6 +22,7 @@
 src_compile() {
        replace-flags -O[3-9] -O2
+       filter-flags -finline-functions
        econf `use_with ssl crypto` `use_enable ipv6` || die
        make CCOPT="$CFLAGS" || die
Comment 17 solar (RETIRED) gentoo-dev 2004-04-03 03:49:36 UTC
Added filter-flags -finline-functions and moved to stable on x86

Current status on tcpdump is as.

KEYWORDS="x86 ppc ~sparc ~alpha ~mips ~hppa ~amd64 ~ia64"

KEYWORDS="x86 ppc ~sparc ~alpha ~mips ~hppa ~ia64 ~amd64"

sparc & amd64 have the prev revision of both marked stable.
This basicly covers core arches now.
Comment 18 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-04 12:24:30 UTC
Is this ready for a GLSA then?

I drafted one for bug 38206, which seems like it should apply to both of these.
Comment 19 solar (RETIRED) gentoo-dev 2004-04-04 14:41:32 UTC

Yeah.. It's good to go. 
unless amd64, sparc mark -r1 stable before you send it out 
we just need to be sure to Note the following versions.
Comment 20 Jason Wever (RETIRED) gentoo-dev 2004-04-04 15:20:35 UTC
sparc is stable with the -r1s for tcpdump and libpcap
Comment 21 Jon Portnoy (RETIRED) gentoo-dev 2004-04-04 15:33:37 UTC
I just marked both -r1s stable on amd64.
Comment 22 solar (RETIRED) gentoo-dev 2004-04-04 16:08:12 UTC

For the GLSA you can now use.
Comment 23 Aron Griffis (RETIRED) gentoo-dev 2004-04-04 20:15:39 UTC
These are marked stable on alpha and ia64 now
Comment 24 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-04 23:36:45 UTC
Can two people from security@ please review ?

(And can someone who has access please change the unaffected versions listed in the GLSA to the -r1s that were just added?)

Comment 25 SpanKY gentoo-dev 2004-04-05 00:11:14 UTC
hppa & ppc should be set now
Comment 26 SpanKY gentoo-dev 2004-04-05 00:24:13 UTC
and mips should be set now
Comment 27 Andrea Barisani (RETIRED) gentoo-dev 2004-04-05 00:55:49 UTC
The GLSA looks fine to me, there is only a typo: 'responsbile' 
Comment 28 Kurt Lieber (RETIRED) gentoo-dev 2004-04-05 01:12:20 UTC
fixed the typo andrea found, changed versions to -r1, added space between 'emerge sync' and the rest of the <code> section to be consistent with earlier GLSAs.

Also, I upgraded the severity from normal to high since this vuln. allows for remote execution of arbitrary code, albeit not as root.

Comment 29 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-05 09:16:47 UTC
klieber -- Can you add the '-r1's to the code in the resolution as well?

...and then is this ready to send?
Comment 30 Kurt Lieber (RETIRED) gentoo-dev 2004-04-05 09:20:47 UTC
done and I moved it to 200404-02.  It can't go out until 01 goes out (or I need to swap numbers with 01)

Comment 31 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-06 00:22:51 UTC
*** Bug 38206 has been marked as a duplicate of this bug. ***
Comment 32 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-06 13:21:17 UTC
GLSA 200404-03.