Bug 33537 - libpcap new security issues CVE-2023-7256 and CVE-2024-8006
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 10:46 CEST by Nicolas Salguero
Modified: 2024-09-11 22:43 CEST

See Also:
Source RPM: libpcap-1.10.4-1.mga9.src.rpm
CVE: CVE-2023-7256, CVE-2024-8006
Status comment:


Description Nicolas Salguero 2024-09-06 10:46:31 CEST
Slackware has issued an advisory on August 31:
https://lwn.net/Articles/988357/
Nicolas Salguero 2024-09-06 10:47:10 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.10.5
CVE: (none) => CVE-2023-7256, CVE-2024-8006
Source RPM: (none) => libpcap-1.10.4-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-09-06 11:34:56 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block. (CVE-2023-7256)

Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer dereference. (CVE-2024-8006)

References:
https://lwn.net/Articles/988357/
========================

Updated packages in core/updates_testing:
========================
lib(64)pcap1-1.10.5-1.mga9
lib(64)pcap-devel-1.10.5-1.mga9
libpcap-doc-1.10.5-1.mga9

from SRPM:
libpcap-1.10.5-1.mga9.src.rpm

Status comment: Fixed upstream in 1.10.5 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
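
Added example (not part of the bug report and not libpcap's code): the two defensive patterns the advisory text in comment 1 describes, an explicit ownership contract around getaddrinfo()/freeaddrinfo() and a NULL check on opendir() before readdir(). The helper names resolve_owned() and count_dir_entries(), the address-family check, and the sample host, port and path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not libpcap's sock_initaddress(). Contract: returns 0 and
 * *out owns the list (caller frees it exactly once), or -1 with *out == NULL. */
static int resolve_owned(const char *host, const char *port, int family, struct addrinfo **out)
{
    struct addrinfo hints;
    *out = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; /* no DNS lookups */
    if (getaddrinfo(host, port, &hints, out) != 0) {
        *out = NULL;            /* lookup failed: nothing was allocated */
        return -1;
    }
    if ((*out)->ai_family != family) {
        freeaddrinfo(*out);     /* helper frees on its own error path... */
        *out = NULL;            /* ...and clears the pointer it handed out */
        return -1;
    }
    return 0;
}

/* Hypothetical helper: entries in path, or -1 if it is not a usable directory. */
static int count_dir_entries(const char *path)
{
    DIR *dir = opendir(path);
    int n = 0;
    if (dir == NULL)            /* the check missing in CVE-2024-8006 */
        return -1;
    while (readdir(dir) != NULL)
        n++;
    closedir(dir);
    return n;
}

int main(void)
{
    struct addrinfo *ai;
    int rc = resolve_owned("127.0.0.1", "2002", AF_INET6, &ai); /* constructed input */
    if (ai != NULL)             /* single, unambiguous cleanup point */
        freeaddrinfo(ai);
    printf("resolve rc=%d, dir=%d\n", rc, count_dir_entries("/no/such/dir"));
}
```

Because the helper clears *out on every failure path, the caller's one conditional freeaddrinfo() can never release a block the helper already freed.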

katnatek 2024-09-06 19:56:07 CEST

Keywords: (none) => advisory

Comment 2 PC LX 2024-09-09 11:10:43 CEST
Installed and tested without issues.

Tested with wireshark, dumpcap, iftop, and nethogs.
All OK.



System: Mageia 9, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.43-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jul 27 17:18:39 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep lib.*pcap1
lib64pcap1-1.10.5-1.mga9
libpcap1-1.10.5-1.mga9
$ ldd $(which nethogs) | grep libpcap
        libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007f6ccd74c000)
$ ldd $(which iftop) | grep libpcap
        libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007ff49edc8000)
$ ldd $(which wireshark) | grep libpcap
        libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007fc77138f000)
# ldd $(which dumpcap) | grep libpcap
        libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007ff83ba85000)

CC: (none) => mageia

Comment 3 katnatek 2024-09-10 19:02:32 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update
adding 3 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (32-bit)"
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64pcap1-1.10.5-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64pcap1            ##################################################################################################
      1/1: removing lib64pcap1-1.10.4-1.mga9.x86_64
                                 ##################################################################################################

Follow Herman's test in bug#31358 comment#3

tcpdump -i eno1 -nn -s0 -v
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
30 packets captured
30 packets received by filter
0 packets dropped by kernel

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-09-11 02:33:29 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-09-11 22:43:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0295.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
