Bug 630110 (CVE-2017-12893, CVE-2017-12894, CVE-2017-12895, CVE-2017-12896, CVE-2017-12897, CVE-2017-12898, CVE-2017-12899, CVE-2017-12900, CVE-2017-12901, CVE-2017-12902, CVE-2017-12985, CVE-2017-12986, CVE-2017-12987, CVE-2017-12988, CVE-2017-12989, CVE-2017-12990, CVE-2017-12991, CVE-2017-12992, CVE-2017-12993, CVE-2017-12994, CVE-2017-12995, CVE-2017-12996, CVE-2017-12997, CVE-2017-12998, CVE-2017-12999, CVE-2017-13000, CVE-2017-13001, CVE-2017-13002, CVE-2017-13003, CVE-2017-13004, CVE-2017-13005, CVE-2017-13006, CVE-2017-13007, CVE-2017-13008, CVE-2017-13009, CVE-2017-13010, CVE-2017-13011, CVE-2017-13012, CVE-2017-13013, CVE-2017-13014, CVE-2017-13015, CVE-2017-13016, CVE-2017-13017, CVE-2017-13018, CVE-2017-13019, CVE-2017-13020, CVE-2017-13021, CVE-2017-13022, CVE-2017-13023, CVE-2017-13024, CVE-2017-13025, CVE-2017-13026, CVE-2017-13027, CVE-2017-13028, CVE-2017-13029, CVE-2017-13030, CVE-2017-13031, CVE-2017-13032, CVE-2017-13033, CVE-2017-13034, CVE-2017-13035, CVE-2017-13036, CVE-2017-13037, CVE-2017-13038, CVE-2017-13039, CVE-2017-13040, CVE-2017-13041, CVE-2017-13042, CVE-2017-13043, CVE-2017-13044, CVE-2017-13045, CVE-2017-13046, CVE-2017-13047, CVE-2017-13048, CVE-2017-13049, CVE-2017-13050, CVE-2017-13051, CVE-2017-13052, CVE-2017-13053, CVE-2017-13054, CVE-2017-13055, CVE-2017-13687, CVE-2017-13688, CVE-2017-13689, CVE-2017-13690, CVE-2017-13725) - <net-analyzer/tcpdump-4.9.2: Multiple vulnerabilities
Summary: <net-analyzer/tcpdump-4.9.2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12893, CVE-2017-12894, CVE-2017-12895, CVE-2017-12896, CVE-2017-12897, CVE-2017-12898, CVE-2017-12899, CVE-2017-12900, CVE-2017-12901, CVE-2017-12902, CVE-2017-12985, CVE-2017-12986, CVE-2017-12987, CVE-2017-12988, CVE-2017-12989, CVE-2017-12990, CVE-2017-12991, CVE-2017-12992, CVE-2017-12993, CVE-2017-12994, CVE-2017-12995, CVE-2017-12996, CVE-2017-12997, CVE-2017-12998, CVE-2017-12999, CVE-2017-13000, CVE-2017-13001, CVE-2017-13002, CVE-2017-13003, CVE-2017-13004, CVE-2017-13005, CVE-2017-13006, CVE-2017-13007, CVE-2017-13008, CVE-2017-13009, CVE-2017-13010, CVE-2017-13011, CVE-2017-13012, CVE-2017-13013, CVE-2017-13014, CVE-2017-13015, CVE-2017-13016, CVE-2017-13017, CVE-2017-13018, CVE-2017-13019, CVE-2017-13020, CVE-2017-13021, CVE-2017-13022, CVE-2017-13023, CVE-2017-13024, CVE-2017-13025, CVE-2017-13026, CVE-2017-13027, CVE-2017-13028, CVE-2017-13029, CVE-2017-13030, CVE-2017-13031, CVE-2017-13032, CVE-2017-13033, CVE-2017-13034, CVE-2017-13035, CVE-2017-13036, CVE-2017-13037, CVE-2017-13038, CVE-2017-13039, CVE-2017-13040, CVE-2017-13041, CVE-2017-13042, CVE-2017-13043, CVE-2017-13044, CVE-2017-13045, CVE-2017-13046, CVE-2017-13047, CVE-2017-13048, CVE-2017-13049, CVE-2017-13050, CVE-2017-13051, CVE-2017-13052, CVE-2017-13053, CVE-2017-13054, CVE-2017-13055, CVE-2017-13687, CVE-2017-13688, CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Duplicates: 630078
Depends on:
Blocks:
 
Reported: 2017-09-06 19:21 UTC by Kristian Fiskerstrand
Modified: 2017-12-06 22:47 UTC
CC: 5 users

See Also:
Package list:
net-analyzer/tcpdump-4.9.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand gentoo-dev Security 2017-09-06 19:21:54 UTC
Multiple vulnerabilities fixed in 4.9.2

In addition to the non-public ones provided in encrypted email, we have

####################################################################################
#
# tcpdump vulnerabilities in this block ONLY are public and
# fixes for them ONLY are public as well.
#
# * a segfault in 4.9.0 STP decoder (CVE-2017-11108, fixed in 4.9.1)
# * a buffer overflow in 4.9.1 SLIP decoder (CVE-2017-11543, fixed in PRE-4.9.2)
# * a buffer over-read in 4.9.1 safeputs() (CVE-2017-11541, fixed in PRE-4.9.2)
# * a buffer over-read in 4.9.1 PIMv1 decoder (CVE-2017-11542, fixed in PRE-4.9.2)
# * a segfault in 4.9.1 ESP decoder with OpenSSL 1.1 (fixed in PRE-4.9.2)
#
# Bugfixes for those issues are available in the public tcpdump git repository and
# at the following link: http://www.tcpdump.org/pre-4.9.2/
#
# (end of public vulnerabilities block)
#
####################################################################################

Whether a CVE is needed for the ESP decoder issue is being processed by Red Hat / DWF.

Although upstream says "For the avoidance of doubt, this means the distributions are free to release updated packages as soon as they consider appropriate."

let's hold off a little bit in terms of what we consider appropriate. We should be ready to release the information if public information starts being discussed, or if other major distros start pushing updates.

So far there are updates from

  - https://mageia.pkgs.org/cauldron/mageia-core-release-i586/tcpdump-4.9.2-1.mga7.i586.rpm.html
  - https://lists.fedoraproject.org/archives/list/scm-commits@lists.fedoraproject.org/message/327ZF6HDWZVITDAOQNLK7QJYMTJTWPGY/
Comment 1 Sergey Popov gentoo-dev Security 2017-09-07 08:42:12 UTC
*** Bug 630078 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2017-09-07 08:56:17 UTC
Adding upstream as CC to provide access, sorry, seems I missed bug 630078 when I opened this bug report.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2017-09-07 20:13:56 UTC
Cat is out of the bag with
http://www.openwall.com/lists/oss-security/2017/09/07/8
referencing also:
https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/tcpdump&id=ae8cb07d00feb32a4f8a500fc8fa668d3f8c5275

So I don't see any point in holding back the bump at this point, although we won't do a full security release just yet.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2017-09-07 20:51:06 UTC
Unrestricting as per comments from upstream
Comment 5 Jeroen Roovers gentoo-dev 2017-09-08 04:12:41 UTC
WTF was netmon@ not CC'd?
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2017-09-08 07:17:23 UTC
(In reply to Jeroen Roovers from comment #5)
> WTF was netmon@ not CC'd?

My mistake, I should've added it as CC when I removed the restriction of the bug.

Restricted bugs cannot CC/assign projects/aliases, as that won't grant access to anyone, nor is it appropriate to do so for embargo handling.

ZeroChaos is a member of the netmon project and he has acknowledged the pre-release embargo policy at https://wiki.gentoo.org/wiki/Project:Security/Pre-Release-Disclosure , as such it was handled with the involvement of a minimum set of trusted parties.
Comment 7 Rick Farina (Zero_Chaos) gentoo-dev 2017-09-08 15:14:15 UTC
Jer,

Is there any specific reason why you dropped the stable ebuild and downgraded the users?  Your ebuild is extremely minimally different from the one I used, and certainly doesn't seem like the downgrade was worth it.
Comment 8 Sergei Trofimovich gentoo-dev 2017-09-09 11:54:23 UTC
ia64 stable
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-12 00:23:37 UTC
amd64 tested, ok
Comment 11 Rick Farina (Zero_Chaos) gentoo-dev 2017-09-12 20:51:20 UTC
Adding QA, as the stable ebuild was dropped with no explanation, which forces users to downgrade to known vulnerable software.
Comment 12 Jeroen Roovers gentoo-dev 2017-09-13 10:01:18 UTC
(In reply to Rick Farina (Zero_Chaos) from comment #11)
> adding QA as stable ebuild was dropped with no explanation which forces
> users to downgrade to known vulnerable software.

I requested years ago that you submit your changes to packages to netmon@ for review after you managed to repeatedly introduce some pretty severe QA issues.
Comment 13 Tobias Klausmann gentoo-dev 2017-09-14 17:50:17 UTC
Stable on alpha.
Comment 14 Markus Meier gentoo-dev 2017-09-15 04:41:11 UTC
arm stable, tested by Yury German
Comment 15 Kristian Fiskerstrand gentoo-dev Security 2017-09-16 13:48:26 UTC
commit b698a62ba12a09474e84f1b75d81da25f6809207 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Sat Sep 16 15:47:22 2017 +0200

    net-analyzer/tcpdump: Restore stable 4.9.2 for amd64 and x86
    
    Restoring stable keywords for amd64 and x86 that were removed in commit
    2b45ef99159553b83e9a0bac9a597a1a300fe025.
    
    Fixes: 2b45ef99159553b83e9a0bac9a597a1a300fe025
    Gentoo-Bug: 630110
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 16 Sergei Trofimovich gentoo-dev 2017-09-23 21:02:12 UTC
ppc64 stable
Comment 17 Sergei Trofimovich gentoo-dev 2017-09-24 17:36:14 UTC
ppc stable
Comment 18 Sergei Trofimovich gentoo-dev 2017-09-24 19:31:45 UTC
hppa stable
Comment 19 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-25 02:55:19 UTC
GLSA Vote: Yes
New GLSA Request filed.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-25 02:55:36 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2017-09-25 11:56:14 UTC
This issue was resolved and addressed in
 GLSA 201709-23 at https://security.gentoo.org/glsa/201709-23
by GLSA coordinator Aaron Bauman (b-man).
Comment 22 Sergei Trofimovich gentoo-dev 2017-12-06 22:47:16 UTC
sparc stable (thanks to Rolf Eike Beer)