[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?
Michal Sekletar
msekleta at redhat.com
Mon Nov 24 02:16:56 EST 2014
On Fri, Nov 21, 2014 at 11:01:15PM +0100, Romain Francoise wrote:
> On Fri, Nov 21, 2014 at 03:47:06PM -0500, Michael Richardson wrote:
> > It's supposed to happen, but I'm checking.
> > Should be there now. Is cron failing to do its thing?
>
> Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
> branch with the commits I need.
Please, can somebody with push access fix this?
Also it would be nice if we agree on a single place where development happens and
stick to that.
Because bpf.tcpdump.org has a bad track record (IIRC multiple power, network
failures in the past) I am for sticking with GitHub.
>
> So I apparently need all of these?
>
> 3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
> 54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for <stddef.h>.
> e302ff0 10 days ago Guy Harris Further cleanups.
> 3e8a443 10 days ago Guy Harris Clean up error message printing.
> ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
> 4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
> 9255c9b 10 days ago Guy Harris Do bounds checking and length checking.
>
> print-aodv.c | 481 ++++++++++++++++++++++++++-------------------------------
> print-geonet.c | 270 ++++++++++++++++++--------------
> print-olsr.c | 56 +++++--
> 3 files changed, 417 insertions(+), 390 deletions(-)
>
> That's a lot bigger than typical security patches. :(
Yes, I spent a good couple of hours backporting those to older versions we have in
Fedora 19 and 20.
>
> > It's in the tcpdump.org/beta/ directory, but I didn't want to release
> > until the distros had a chance to patch.
>
> But did you notify the distros? Because I didn't get advance notice, and
> the others haven't released security updates yet either.
I was notified by Red Hat Security Response Team once CVEs were public. In the
disclosure report there was a mention of existing patches, therefore I
checked GitHub because that is the place where most of the development happens these
days, and found no fixes.
I started to work on the patches ASAP and after submitting the first one
as Pull Request #413 I was told that patches actually do exist but the legacy
place where tcpdump/libpcap code lives was not synced to GitHub for days.
Michal
>
> Thanks,
> --
> Romain Francoise <rfrancoise at debian.org>
> http://people.debian.org/~rfrancoise/