[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

Guy Harris guy at alum.mit.edu
Mon Nov 24 14:06:08 EST 2014


On Nov 24, 2014, at 1:04 AM, Romain Francoise <rfrancoise at debian.org> wrote:

> On Sun, Nov 23, 2014 at 11:35:21PM -0800, Guy Harris wrote:
>> So did I. :-)
> 
>> (See branches tcpdump_4.1 through tcpdump_4.6.)
> 
> Ah, great, I need patches for Debian stable, which ships tcpdump 4.3.0.
> I was about to use Michal's patches for 4.4.0 from the fc19 srpm, but if
> you have "official" backports, even better.
> 
> The branch also has fixes for print-udp.c and print-ppp.c. Are these
> security-sensitive?

print-udp.c just makes the UDP dissector take the length field in the UDP header into account; I don't think it fixes security issues, but it does handle the "arguably this should never happen" case where the length is shorter than the IP payload.  (So was RFC 768 written before they'd decided to put a total length field into the IP header, or something such as that?  The length field doesn't serve any obvious purpose I can see, unless the intent was to run UDP atop something other than IPv4 as defined in RFC 791.)

print-ppp.c fixes a case where the un-escaping code could overrun a buffer and crash, so I'd call that one security-sensitive.

> Should I pick them up as well?

The print-ppp.c one, yes.  The print-udp.c one is your choice.

> If so, do they have CVE identifiers?

No.  Michal (Zalewski), that's a fix to the issue you reported; should it get a CVE?
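
The print-ppp.c fix discussed in the message concerns un-escaping code that could overrun a buffer. As an added example (not part of the original message and not tcpdump's code), here is a bounds-checked un-escaper for RFC 1662 HDLC-like PPP framing; the function name `ppp_unescape`, its return codes and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPP_ESC  0x7d   /* RFC 1662 control-escape octet */
#define PPP_FLAG 0x7e   /* RFC 1662 frame delimiter */

/*
 * Hypothetical helper: un-escape one HDLC-like PPP frame body from
 * in[0..inlen) into out[0..outcap).
 * Returns the number of bytes written, -1 if the input ends right
 * after an escape octet, or -2 if the output buffer is too small.
 */
long ppp_unescape(const uint8_t *in, size_t inlen,
                  uint8_t *out, size_t outcap)
{
    size_t i = 0, o = 0;

    while (i < inlen) {
        uint8_t c = in[i++];

        if (c == PPP_FLAG)              /* end of frame: stop cleanly */
            break;
        if (c == PPP_ESC) {
            if (i >= inlen)             /* escape is the last byte we have */
                return -1;
            c = (uint8_t)(in[i++] ^ 0x20);  /* complement bit 6 */
        }
        if (o >= outcap)                /* never write past the destination */
            return -2;
        out[o++] = c;
    }
    return (long)o;
}

int main(void)
{
    /* Constructed sample: 0xff, escaped 0x03, escaped 0x7e, then a flag. */
    const uint8_t frame[] = { 0xff, 0x7d, 0x23, 0x7d, 0x5e, 0x7e };
    uint8_t out[8];
    long n = ppp_unescape(frame, sizeof frame, out, sizeof out);

    printf("decoded %ld bytes\n", n);
    return n == 3 ? 0 : 1;
}
```

Both the read index and the write index are checked before each access, so a capture that ends mid-escape or a frame longer than the destination is reported rather than dereferenced.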

