Bug 31782 - tcpdump new security issue CVE-2023-1801
Summary: tcpdump new security issue CVE-2023-1801
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-04-10 21:29 CEST by David Walser
Modified: 2023-04-24 02:21 CEST

See Also:
Source RPM: tcpdump-4.99.2-1.mga8.src.rpm
CVE: CVE-2023-1801
Status comment:


Description David Walser 2023-04-10 21:29:32 CEST
tcpdump 4.99.4 was released on April 7, along with libpcap 1.10.4:
https://git.tcpdump.org/libpcap/blob/HEAD:/CHANGES
https://git.tcpdump.org/tcpdump/blob/HEAD:/CHANGES

The tcpdump update fixes a CVE, coverity warnings, and a few other bugs.

Mageia 8 is also affected.
David Walser 2023-04-10 21:37:16 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.99.4

Comment 1 David Walser 2023-04-10 23:41:05 CEST
Updates submitted to Cauldron updates_testing, with a freeze move request.
Comment 2 Lewis Smith 2023-04-11 20:37:20 CEST
Thanks for doing Cauldron.
That leaves Mageia 8. tcpdump is dealt with by different packagers, so have to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2023-04-12 09:51:01 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

The SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet. (CVE-2023-1801)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1801
https://git.tcpdump.org/tcpdump/blob/HEAD:/CHANGES
========================

Updated package in core/updates_testing:
========================
tcpdump-4.99.2-1.1.mga8

from SRPM:
tcpdump-4.99.2-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2023-1801
CC: (none) => nicolas.salguero
Source RPM: tcpdump-4.99.3-1.mga9.src.rpm => tcpdump-4.99.2-1.mga8.src.rpm
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 4.99.4 => (none)
Status: NEW => ASSIGNED

PC LX 2023-04-13 10:38:11 CEST

CC: (none) => mageia

Comment 4 Thomas Andrews 2023-04-19 00:55:20 CEST
No installation issues. Used some commands from bug 25565 comment 3 on a Probook 6550b running with an active VPN:

# tcpdump -tttt
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2023-04-18 18:39:55.703814 IP _gateway > all-systems.mcast.net: igmp query v2
2023-04-18 18:39:55.758863 IP linux.local.48783 > 185.141.119.58.openvpn: UDP, length 92
2023-04-18 18:39:55.794518 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 503
2023-04-18 18:39:55.795007 IP linux.local.48783 > 185.141.119.58.openvpn: UDP, length 94
2023-04-18 18:39:55.830613 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 149
2023-04-18 18:39:55.931609 IP6 linux.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)
2023-04-18 18:39:55.931794 IP linux.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)
2023-04-18 18:39:56.932291 IP6 linux.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)
2023-04-18 18:39:56.932409 IP linux.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)
2023-04-18 18:39:58.934285 IP6 linux.local.mdns > ff02::fb.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)
2023-04-18 18:39:58.934407 IP linux.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)

And more...

^C
32 packets captured
55 packets received by filter
23 packets dropped by kernel

(My understanding is that dropping some TCP packets while connected to a UDP VPN is not at all unusual.)

# tcpdump -w tmp/tmp.pcap
tcpdump: listening on wlo1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Stopped with ^C after a few seconds, then:

9 packets captured
9 packets received by filter
0 packets dropped by kernel

# tcpdump -tttt -r tmp/tmp.pcap
reading from file tmp/tmp.pcap, link-type EN10MB (Ethernet), snapshot length 262144
2023-04-18 18:46:50.066329 IP linux.local.48783 > 185.141.119.58.openvpn: UDP, length 122
2023-04-18 18:46:50.101624 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 76
2023-04-18 18:46:50.107527 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 122
2023-04-18 18:46:50.148040 IP linux.local.48783 > 185.141.119.58.openvpn: UDP, length 76
2023-04-18 18:46:51.502814 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 76
2023-04-18 18:46:51.503341 IP linux.local.48783 > 185.141.119.58.openvpn: UDP, length 100
2023-04-18 18:46:51.503421 IP linux.local.48783 > 185.141.119.58.openvpn: UDP, length 76
2023-04-18 18:46:51.538758 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 64
2023-04-18 18:46:51.543759 IP 185.141.119.58.openvpn > linux.local.48783: UDP, length 64

Looks OK to me. Validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-04-24 00:03:24 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-04-24 02:21:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0154.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

