Bug 21664

Summary: tcpdump several new security issues fixed in 4.9.2
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, mageia, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Source RPM: tcpdump-4.9.1-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-09-05 03:15:18 CEST 
The CHANGES file for tcpdump 4.9.2 reads as follows.

Sunday September 3, 2017 denis@ovsienko.info
  Summary for 4.9.2 tcpdump release
    Do not use getprotobynumber() for protocol name resolution.  Do not do
      any protocol name resolution if -n is specified.
    Improve errors detection in the test scripts.
    Fix a segfault with OpenSSL 1.1 and improve OpenSSL usage.
    Clean up IS-IS printing.
    Fix buffer overflow vulnerabilities:
      CVE-2017-11543 (SLIP)
      CVE-2017-13011 (bittok2str_internal)
    Fix infinite loop vulnerabilities:
      CVE-2017-12989 (RESP)
      CVE-2017-12990 (ISAKMP)
      CVE-2017-12995 (DNS)
      CVE-2017-12997 (LLDP)
    Fix buffer over-read vulnerabilities:
      CVE-2017-11541 (safeputs)
      CVE-2017-11542 (PIMv1)
      CVE-2017-12893 (SMB/CIFS)
      CVE-2017-12894 (lookup_bytestring)
      CVE-2017-12895 (ICMP)
      CVE-2017-12896 (ISAKMP)
      CVE-2017-12897 (ISO CLNS)
      CVE-2017-12898 (NFS)
      CVE-2017-12899 (DECnet)
      CVE-2017-12900 (tok2strbuf)
      CVE-2017-12901 (EIGRP)
      CVE-2017-12902 (Zephyr)
      CVE-2017-12985 (IPv6)
      CVE-2017-12986 (IPv6 routing headers)
      CVE-2017-12987 (IEEE 802.11)
      CVE-2017-12988 (telnet)
      CVE-2017-12991 (BGP)
      CVE-2017-12992 (RIPng)
      CVE-2017-12993 (Juniper)
      CVE-2017-11542 (PIMv1)
      CVE-2017-11541 (safeputs)
      CVE-2017-12994 (BGP)
      CVE-2017-12996 (PIMv2)
      CVE-2017-12998 (ISO IS-IS)
      CVE-2017-12999 (ISO IS-IS)
      CVE-2017-13000 (IEEE 802.15.4)
      CVE-2017-13001 (NFS)
      CVE-2017-13002 (AODV)
      CVE-2017-13003 (LMP)
      CVE-2017-13004 (Juniper)
      CVE-2017-13005 (NFS)
      CVE-2017-13006 (L2TP)
      CVE-2017-13007 (Apple PKTAP)
      CVE-2017-13008 (IEEE 802.11)
      CVE-2017-13009 (IPv6 mobility)
      CVE-2017-13010 (BEEP)
      CVE-2017-13012 (ICMP)
      CVE-2017-13013 (ARP)
      CVE-2017-13014 (White Board)
      CVE-2017-13015 (EAP)
      CVE-2017-11543 (SLIP)
      CVE-2017-13016 (ISO ES-IS)
      CVE-2017-13017 (DHCPv6)
      CVE-2017-13018 (PGM)
      CVE-2017-13019 (PGM)
      CVE-2017-13020 (VTP)
      CVE-2017-13021 (ICMPv6)
      CVE-2017-13022 (IP)
      CVE-2017-13023 (IPv6 mobility)
      CVE-2017-13024 (IPv6 mobility)
      CVE-2017-13025 (IPv6 mobility)
      CVE-2017-13026 (ISO IS-IS)
      CVE-2017-13027 (LLDP)
      CVE-2017-13028 (BOOTP)
      CVE-2017-13029 (PPP)
      CVE-2017-13030 (PIM)
      CVE-2017-13031 (IPv6 fragmentation header)
      CVE-2017-13032 (RADIUS)
      CVE-2017-13033 (VTP)
      CVE-2017-13034 (PGM)
      CVE-2017-13035 (ISO IS-IS)
      CVE-2017-13036 (OSPFv3)
      CVE-2017-13037 (IP)
      CVE-2017-13038 (PPP)
      CVE-2017-13039 (ISAKMP)
      CVE-2017-13040 (MPTCP)
      CVE-2017-13041 (ICMPv6)
      CVE-2017-13042 (HNCP)
      CVE-2017-13043 (BGP)
      CVE-2017-13044 (HNCP)
      CVE-2017-13045 (VQP)
      CVE-2017-13046 (BGP)
      CVE-2017-13047 (ISO ES-IS)
      CVE-2017-13048 (RSVP)
      CVE-2017-13049 (Rx)
      CVE-2017-13050 (RPKI-Router)
      CVE-2017-13051 (RSVP)
      CVE-2017-13052 (CFM)
      CVE-2017-13053 (BGP)
      CVE-2017-13054 (LLDP)
      CVE-2017-13055 (ISO IS-IS)
      CVE-2017-13687 (Cisco HDLC)
      CVE-2017-13688 (OLSR)
      CVE-2017-13689 (IKEv1)
      CVE-2017-13690 (IKEv2)
      CVE-2017-13725 (IPv6 routing headers)

Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron:
tcpdump-4.9.2-1.mga5
tcpdump-4.9.2-1.mga6

from SRPMS:
tcpdump-4.9.2-1.mga5.src.rpm
tcpdump-4.9.2-1.mga6.src.rpm
David Walser 2017-09-05 03:15:26 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 PC LX 2017-09-05 13:14:38 CEST 
Installed and tested without issues.

Tests:
- Dumping random net activity;
- Filtering some (existing and new) pcap files;
- Capturing to pcap files.

Didn't do any CVE related tests but for normal usage it seems to be working.

System: Mageia 5, x86_64, Intel CPU, Realtek RTL8168c/8111c Ethernet.

$ rpm -q tcpdump
tcpdump-4.9.2-1.mga5
$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ lspcidrake | grep Ethernet
r8169           : Realtek Semiconductor Co., Ltd.|RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [NETWORK_ETHERNET] (rev: 02)
 dmesg | egrep -o 'RTL.*(8111|8168|8411)'
RTL8168c/8111

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => mageia

Comment 2 Lewis Smith 2017-09-06 12:20:24 CEST 
Advisory made from Comment 0. No references. Included *all* the CVEs cited; it should be easy to remove any that prove superflous.
@David : let me know if you want it changed.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK advisory
CC: (none) => lewyssmith

Comment 3 Samuel Verschelde 2017-09-06 15:06:19 CEST 
Moving 'advisory' from whiteboard to keywords now that madb has been updated to handle that keyword.

Keywords: (none) => advisory
Whiteboard: MGA5TOO MGA5-64-OK advisory => MGA5TOO MGA5-64-OK

Comment 4 Lewis Smith 2017-09-07 11:16:55 CEST 
Testing M6/64

BEFORE the update, installed: tcpdump-4.9.1-1.mga6.x86_64.rpm
(already in 'updates').
It has a good man page. With just a single ethernet connection, did (you seem to need to be root to run it):
 # tcpdump
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on enp4s0, link-type EN10MB (Ethernet), capture size x bytes
and generated traffic by refreshing tabs open in a browser. It pours out on the console, showing a lot of disconcerting exchanges...
 ^C810 packets captured
 1159 packets received by filter
 349 packets dropped by kernel

 # tcpdump -w tmp/tcpdump
 tcpdump: listening on enp4s0, link-type EN10MB (Ethernet), capture size x bytes
outputs to a file. This is binary, not directly viewable; apparently .pcap format.
 ^C905 packets captured
 905 packets received by filter
 0 packets dropped by kernel

 # tcpdump -r tmp/tcpdump | less
Reads it back, intelligibly.

AFTER update to: tcpdump-4.9.2-1.mga6
Ran through the same sequence. Without understanding the significance of what is logged, it all looks sensible and OK.

With filtering possibilities, this looks a handy interface monitor. Perhaps better usage would be with the options:
 -v  a bit more info
 -l  Make stdout line buffered. Useful if you want to see the data while capturing it.  E.g.,
 # tcpdump -l | tee <file>

Validating as we have a test for both releases.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-09-10 14:37:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0335.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED