diff --git a/.gitignore b/.gitignore index d12f0c1..2cd0b7a 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,5 @@ tcpdump-4.1.1.tar.gz /tcpdump-4.9.1.tar.gz /tcpdump-4.9.2.tar.gz.sig /tcpdump-4.9.2.tar.gz +/tcpdump-4.9.3.tar.gz +/tcpdump-4.9.3.tar.gz.sig diff --git a/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch b/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch deleted file mode 100644 index c5e54ae..0000000 --- a/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch +++ /dev/null @@ -1,26 +0,0 @@ -From f19e0376b8e98b38240d28eb9e6f78c465bb1c6e Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 20 Oct 2014 13:34:24 +0200 -Subject: [PATCH 1/8] icmp6: print Reachable Time and Retransmit Time from - ICMPv6 as milliseconds - ---- - print-icmp6.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/print-icmp6.c b/print-icmp6.c -index 7fe639d..cfaa2df 100644 ---- a/print-icmp6.c -+++ b/print-icmp6.c -@@ -1034,7 +1034,7 @@ icmp6_print(netdissect_options *ndo, - p = (const struct nd_router_advert *)dp; - ND_TCHECK(p->nd_ra_retransmit); - ND_PRINT((ndo,"\n\thop limit %u, Flags [%s]" \ -- ", pref %s, router lifetime %us, reachable time %us, retrans time %us", -+ ", pref %s, router lifetime %us, reachable time %ums, retrans time %ums", - (u_int)p->nd_ra_curhoplimit, - bittok2str(icmp6_opt_ra_flag_values,"none",(p->nd_ra_flags_reserved)), - get_rtpref(p->nd_ra_flags_reserved), --- -2.9.3 - diff --git a/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch b/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch deleted file mode 100644 index 2e4551c..0000000 --- a/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d5508c13119404102104a3935e7445c9fddf79b5 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Fri, 3 Feb 2017 09:43:03 +0100 -Subject: [PATCH 8/8] Don't print out we dropped root, we are always dropping - it - ---- - tcpdump.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/tcpdump.c b/tcpdump.c -index 29f7f87..18c4a5c 100644 ---- a/tcpdump.c -+++ b/tcpdump.c -@@ -618,8 +618,6 @@ droproot(const char *username, const char *chroot_dir) - int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG); - if (ret < 0) { - fprintf(stderr, "error : ret %d\n", ret); -- } else { -- fprintf(stderr, "dropped privs to %s\n", username); - } - } - #else -@@ -632,9 +630,6 @@ droproot(const char *username, const char *chroot_dir) - pcap_strerror(errno)); - exit_tcpdump(1); - } -- else { -- fprintf(stderr, "dropped privs to %s\n", username); -- } - #endif /* HAVE_LIBCAP_NG */ - } - else { --- -2.9.3 - diff --git a/0009-Change-n-flag-to-nn-in-TESTonce.patch b/0009-Change-n-flag-to-nn-in-TESTonce.patch index 53a9556..d106be3 100644 --- a/0009-Change-n-flag-to-nn-in-TESTonce.patch +++ b/0009-Change-n-flag-to-nn-in-TESTonce.patch @@ -10,18 +10,15 @@ flag than upstream does. We use -nn in those cases. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/TESTonce b/tests/TESTonce -index 7026624..e348701 100755 +index 425abaa..81283d9 100755 --- a/tests/TESTonce +++ b/tests/TESTonce -@@ -21,7 +21,7 @@ if ($^O eq 'MSWin32') { +@@ -43,7 +43,7 @@ if ($^O eq 'MSWin32') { else { # we used to do this as a nice pipeline, but the problem is that $r fails to # to be set properly if the tcpdump core dumps. -- $r = system "../tcpdump 2>/dev/null -n -t -r $input $options >NEW/$output"; -+ $r = system "../tcpdump 2>/dev/null -nn -t -r $input $options >NEW/$output"; - if($r != 0) { - # this means tcpdump failed. - open(OUTPUT, ">>"."NEW/$output") || die "fail to open $output\n"; --- -2.13.5 - +- $cmd = "$TCPDUMP 2>${rawstderrlog} -t -n -r $input $options >tests/NEW/${outputbase}"; ++ $cmd = "$TCPDUMP 2>${rawstderrlog} -t -nn -r $input $options >tests/NEW/${outputbase}"; + print "CMD: $cmd\n" if $debug; + $r = system $cmd; + if($r == -1) { diff --git a/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch b/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch deleted file mode 100644 index 30502b8..0000000 --- a/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0ae4aa1881bbe40443bff802b5e4aa6ca0696dd9 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 11 Apr 2017 09:37:53 +0200 -Subject: [PATCH 10/13] Expect miliseconds instead of seconds in icmp capture. - -Again this is caused by our patch, so we need to modify tests -accordingly. ---- - tests/icmpv6.out | 2 +- - tests/icmpv6_opt24-v.out | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/icmpv6.out b/tests/icmpv6.out -index bb7775e..8979540 100644 ---- a/tests/icmpv6.out -+++ b/tests/icmpv6.out -@@ -1,5 +1,5 @@ - IP6 (hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::b299:28ff:fec8:d66c > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176 -- hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0s, retrans time 0s -+ hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0ms, retrans time 0ms - prefix info option (3), length 32 (4): 2222:3333:4444:5555:6600::/72, Flags [onlink, auto], valid time 2592000s, pref. time 604800s - 0x0000: 48c0 0027 8d00 0009 3a80 0000 0000 2222 - 0x0010: 3333 4444 5555 6600 0000 0000 0000 -diff --git a/tests/icmpv6_opt24-v.out b/tests/icmpv6_opt24-v.out -index 2b7cf09..00512df 100644 ---- a/tests/icmpv6_opt24-v.out -+++ b/tests/icmpv6_opt24-v.out -@@ -1,5 +1,5 @@ - IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120 -- hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s -+ hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms - source link-address option (1), length 8 (1): 14:cf:92:87:23:d6 - mtu option (5), length 8 (1): 1500 - prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s -@@ -7,7 +7,7 @@ IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87 - rdnss option (25), length 24 (3): lifetime 1800s, addr: fd8d:4fb3:5b2e::1 - dnssl option (31), length 16 (2): lifetime 1800s, domain(s): lan. - IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120 -- hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s -+ hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms - source link-address option (1), length 8 (1): 14:cf:92:87:23:d6 - mtu option (5), length 8 (1): 1500 - prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s --- -2.13.5 diff --git a/0011-Evp-cipher-buffers.patch b/0011-Evp-cipher-buffers.patch index a271419..057f888 100644 --- a/0011-Evp-cipher-buffers.patch +++ b/0011-Evp-cipher-buffers.patch @@ -1,133 +1,29 @@ diff --git a/print-esp.c b/print-esp.c -index 511ee8a3..5b282526 100644 +index 6fabff1..5818cc8 100644 --- a/print-esp.c +++ b/print-esp.c -@@ -192,8 +192,8 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, - const u_char *iv; - unsigned int len; - EVP_CIPHER_CTX *ctx; -- unsigned int block_size, output_buffer_size; -- u_char *output_buffer; -+ unsigned int block_size, buffer_size; -+ u_char *input_buffer, *output_buffer; - - /* initiator arg is any non-zero value */ - if(initiator) initiator=1; -@@ -228,19 +228,41 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, - (*ndo->ndo_warning)(ndo, "espkey init failed"); - set_cipher_parameters(ctx, NULL, NULL, iv, 0); - /* -- * Allocate a buffer for the decrypted data. -- * The output buffer must be separate from the input buffer, and -- * its size must be a multiple of the cipher block size. -+ * Allocate buffers for the encrypted and decrypted data. -+ * Both buffers' sizes must be a multiple of the cipher block -+ * size, and the output buffer must be separate from the input -+ * buffer. - */ - block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx); -- output_buffer_size = len + (block_size - len % block_size); -- output_buffer = (u_char *)malloc(output_buffer_size); -+ buffer_size = len + (block_size - len % block_size); -+ -+ /* -+ * Attempt to allocate the input buffer. -+ */ -+ input_buffer = (u_char *)malloc(buffer_size); -+ if (input_buffer == NULL) { -+ (*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer"); -+ EVP_CIPHER_CTX_free(ctx); +@@ -242,6 +242,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, + if (input_buffer == NULL) { + EVP_CIPHER_CTX_free(ctx); + (*ndo->ndo_error)(ndo, "can't allocate memory for encrypted data buffer"); + return 0; -+ } -+ /* -+ * Copy the input data to the encrypted data buffer, and pad it -+ * with zeroes. -+ */ -+ memcpy(input_buffer, buf, len); -+ memset(input_buffer + len, 0, buffer_size - len); -+ -+ /* -+ * Attempt to allocate the output buffer. -+ */ -+ output_buffer = (u_char *)malloc(buffer_size); - if (output_buffer == NULL) { - (*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer"); -+ free(input_buffer); + } + /* + * Copy the input data to the encrypted data buffer, and pad it +@@ -259,7 +260,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, EVP_CIPHER_CTX_free(ctx); - return 0; + (*ndo->ndo_error)(ndo, "can't allocate memory for decryption buffer"); } -- EVP_Cipher(ctx, output_buffer, buf, len); +- EVP_Cipher(ctx, output_buffer, input_buffer, len); + EVP_Cipher(ctx, output_buffer, input_buffer, buffer_size); EVP_CIPHER_CTX_free(ctx); /* -@@ -249,6 +272,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, - * but changing this would require a more complicated fix. - */ - memcpy(buf, output_buffer, len); -+ free(input_buffer); - free(output_buffer); - - ndo->ndo_packetp = buf; -@@ -666,8 +690,8 @@ esp_print(netdissect_options *ndo, - const u_char *ivoff; - const u_char *p; - EVP_CIPHER_CTX *ctx; -- unsigned int block_size, output_buffer_size; -- u_char *output_buffer; -+ unsigned int block_size, buffer_size; -+ u_char *input_buffer, *output_buffer; - #endif - - esp = (const struct newesp *)bp; -@@ -784,21 +808,43 @@ esp_print(netdissect_options *ndo, - len = ep - (p + ivlen); - - /* -- * Allocate a buffer for the decrypted data. -- * The output buffer must be separate from the -- * input buffer, and its size must be a multiple -- * of the cipher block size. -+ * Allocate buffers for the encrypted and decrypted -+ * data. Both buffers' sizes must be a multiple of -+ * the cipher block size, and the output buffer must -+ * be separate from the input buffer. - */ - block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx); -- output_buffer_size = len + (block_size - len % block_size); -- output_buffer = (u_char *)malloc(output_buffer_size); -+ buffer_size = len + (block_size - len % block_size); -+ -+ /* -+ * Attempt to allocate the input buffer. -+ */ -+ input_buffer = (u_char *)malloc(buffer_size); -+ if (input_buffer == NULL) { -+ (*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer"); -+ EVP_CIPHER_CTX_free(ctx); -+ return 0; -+ } -+ /* -+ * Copy the input data to the encrypted data buffer, -+ * and pad it with zeroes. -+ */ -+ memcpy(input_buffer, p + ivlen, len); -+ memset(input_buffer + len, 0, buffer_size - len); -+ -+ /* -+ * Attempt to allocate the output buffer. -+ */ -+ output_buffer = (u_char *)malloc(buffer_size); - if (output_buffer == NULL) { - (*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer"); -+ free(input_buffer); +@@ -815,6 +816,7 @@ esp_print(netdissect_options *ndo, + if (input_buffer == NULL) { EVP_CIPHER_CTX_free(ctx); - return -1; + (*ndo->ndo_error)(ndo, "can't allocate memory for encrypted data buffer"); ++ return 0; } - -- EVP_Cipher(ctx, output_buffer, p + ivlen, len); -+ EVP_Cipher(ctx, output_buffer, input_buffer, len); -+ free(input_buffer); - EVP_CIPHER_CTX_free(ctx); /* - * XXX - of course this is wrong, because buf is a + * Copy the input data to the encrypted data buffer, diff --git a/sources b/sources index 9b0583b..ac3cf6f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (tcpslice-1.2a3.tar.gz) = 04e12d592807022c78eb4941580ed103995680c69af885bb8f13828a12ec570f7fe93c34c1b20a01d3d99f445d5da17a1fcfbe25b2e3b41abe28304c034654c5 -SHA512 (tcpdump-4.9.2.tar.gz.sig) = 76a41de2fc414018e01a9177e6946d9792fa8ded575ec264c7eb67a036bcdad3f451aa76e7b611430b8dd55de2403977c990e00f8b735aa8e6e4395463c8b1a6 -SHA512 (tcpdump-4.9.2.tar.gz) = e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b +SHA512 (tcpdump-4.9.3.tar.gz) = 22354dbbf6ab3f7519035b41702a8dc93472dc808e88e76414a06dd69eca822e3d6b94ec608cfeffe25572125757824e97e6a4a7ec81d45e990429e8faf774cb +SHA512 (tcpdump-4.9.3.tar.gz.sig) = b8b189a522b924c717c30f09a9d60ede76cfbb0ffc6cd185fec1887230d06117663b6f55e7489c0e34b744a89e05e78509ca8a1551a94f6e091cbafc643b0c8c diff --git a/tcpdump.spec b/tcpdump.spec index e2897fc..a463de2 100644 --- a/tcpdump.spec +++ b/tcpdump.spec @@ -1,8 +1,8 @@ Summary: A network traffic monitoring tool Name: tcpdump Epoch: 14 -Version: 4.9.2 -Release: 9%{?dist} +Version: 4.9.3 +Release: 1%{?dist} License: BSD with advertising URL: http://www.tcpdump.org Requires(pre): shadow-utils @@ -12,16 +12,13 @@ Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz Source2: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz.sig -Patch0001: 0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch Patch0002: 0002-Use-getnameinfo-instead-of-gethostbyaddr.patch Patch0003: 0003-Drop-root-priviledges-before-opening-first-savefile-.patch Patch0004: 0004-tcpslice-update-tcpslice-patch-to-1.2a3.patch Patch0005: 0005-tcpslice-remove-unneeded-include.patch Patch0006: 0006-tcpslice-don-t-test-the-pointer-but-pointee-for-NULL.patch Patch0007: 0007-Introduce-nn-option.patch -Patch0008: 0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch -Patch0010: 0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch Patch0011: 0011-Evp-cipher-buffers.patch Patch0012: 0012-Add-printing-support-for-vsockmon-devices.patch @@ -88,6 +85,10 @@ exit 0 %{_mandir}/man8/tcpdump.8* %changelog +* Tue Oct 15 2019 Michal Ruprich - 14:4.9.3-1 +- New version 4.9.3 +- Fixes CVE-2017-16808, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14466, CVE-2018-14461, CVE-2018-14462, CVE-2018-14465, CVE-2018-14881, CVE-2018-14464, CVE-2018-14463, CVE-2018-14467, CVE-2018-10103, CVE-2018-10105, CVE-2018-14880, CVE-2018-16451, CVE-2018-14882, CVE-2018-16227, CVE-2018-16229, CVE-2018-16301, CVE-2018-16230, CVE-2018-16452, CVE-2018-16300, CVE-2018-16228, CVE-2019-15166, CVE-2019-15167 + * Mon Sep 16 2019 Michal Ruprich - 14:4.9.2-9 - Adding getent to pre scriptlet to avoid audit messages (rhbz#1715420)