[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

Michal Sekletar msekleta at redhat.com
Mon Nov 24 02:16:56 EST 2014

On Fri, Nov 21, 2014 at 11:01:15PM +0100, Romain Francoise wrote:
> On Fri, Nov 21, 2014 at 03:47:06PM -0500, Michael Richardson wrote:
> > It's supposed to happen, but I'm checking.
> > Should be there now.  Is cron failing to do it's thing?
> Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
> branch with the commits I need.

Please, can somebody with push access fix this.

Also it would be nice if we agree on single place where development happens and
stick to that.

Because bpf.tcpdump.org has a bad track-record (IIRC multiple power, network
failures in the past) I am for sticking with GitHub.

> So I apparently need all of these?
> 3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
> 54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for <stddef.h>.
> e302ff0 10 days ago Guy Harris Further cleanups.
> 3e8a443 10 days ago Guy Harris Clean up error message printing.
> ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
> 4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
> 9255c9b 10 days ago Guy Harris Do bounds checking and length checking.
>  print-aodv.c   | 481 ++++++++++++++++++++++++++-------------------------------
>  print-geonet.c | 270 ++++++++++++++++++--------------
>  print-olsr.c   |  56 +++++--
>  3 files changed, 417 insertions(+), 390 deletions(-)
> That's a lot bigger than typical security patches. :(

Yes, I spent good couple hours backporting those to older versions we have in
Fedora 19 and 20.

> > It's in the tcpdump.org/beta/ directory, but I didn't want to release
> > until the distros had a chance to patch.
> But did you notify the distros? Because I didn't get advance notice, and
> the others haven't released security updates yet either.

I was notified by Red Hat Security Response Team once CVEs where public. In the
disclosure report there was a mention of existing patches therefore I
checked GitHub because that is place where most of the development happens these
days, and found no fixes.

I started to work on the patches ASAP and after submitting the first one
as Pull Request #413 I was told that patches actually do exist but the legacy
place where tcpdump/libpcap code lives was not synced to GitHub for days.


> Thanks,
> -- 
> Romain Francoise <rfrancoise at debian.org>
> http://people.debian.org/~rfrancoise/
> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers at lists.tcpdump.org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

More information about the tcpdump-workers mailing list