From 6f0ed176f23059e89f8bc4c1a466928b88a61a03 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sun, 1 Sep 2024 07:04:29 +0800 Subject: [PATCH] tcpdump: upgrade 4.99.4 -> 4.99.5 ChangeLog: https://git.tcpdump.org/tcpdump/blob/HEAD:/CHANGES Signed-off-by: Yi Zhao Signed-off-by: Khem Raj --- .../tcpdump/tcpdump/CVE-2024-2397.patch | 129 ------------------ .../recipes-support/tcpdump/tcpdump/run-ptest | 0 .../{tcpdump_4.99.4.bb => tcpdump_4.99.5.bb} | 5 +- 3 files changed, 2 insertions(+), 132 deletions(-) delete mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch mode change 100755 => 100644 meta-networking/recipes-support/tcpdump/tcpdump/run-ptest rename meta-networking/recipes-support/tcpdump/{tcpdump_4.99.4.bb => tcpdump_4.99.5.bb} (88%) diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch deleted file mode 100644 index 69348030bbd..00000000000 --- a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch +++ /dev/null @@ -1,129 +0,0 @@ -From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 12 Mar 2024 00:37:23 -0700 -Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer. - -This both saves the buffer for freeing later and saves the packet -pointer and snapend to be restored when packet processing is complete, -even if an exception is thrown with longjmp. - -This means that the hex/ASCII printing in pretty_print_packet() -processes the packet data as captured or read from the savefile, rather -than as modified by the PPP printer, so that the bounds checking is -correct. - -That fixes CVE-2024-2397, which was caused by an exception being thrown -by the hex/ASCII printer (which should only happen if those routines are -called by a packet printer, not if they're called for the -X/-x/-A -flag), which jumps back to the setjmp() that surrounds the packet -printer. Hilarity^Winfinite looping ensues. - -Also, restore ndo->ndo_packetp before calling the hex/ASCII printing -routine, in case nd_pop_all_packet_info() didn't restore it. - -Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2] -CVE: CVE-2024-2397 -Signed-off-by: Hitendra Prajapati ---- - print-ppp.c | 31 +++++++++++++++++-------------- - print.c | 8 ++++++-- - 2 files changed, 23 insertions(+), 16 deletions(-) - -diff --git a/print-ppp.c b/print-ppp.c -index aba243d..e5ae064 100644 ---- a/print-ppp.c -+++ b/print-ppp.c -@@ -42,6 +42,8 @@ - #include - #endif - -+#include -+ - #include "netdissect.h" - #include "extract.h" - #include "addrtoname.h" -@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo, - u_char *b, *t, c; - const u_char *s; - u_int i, proto; -- const void *sb, *se; - - if (caplen == 0) - return; -@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo, - if (length == 0) - return; - -- b = (u_char *)nd_malloc(ndo, caplen); -- if (b == NULL) -- return; -+ b = (u_char *)malloc(caplen); -+ if (b == NULL) { -+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, -+ "%s: malloc", __func__); -+ } - - /* - * Unescape all the data into a temporary, private, buffer. -@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo, - } - - /* -- * Change the end pointer, so bounds checks work. -- * Change the pointer to packet data to help debugging. -+ * Switch to the output buffer for dissection, and save it -+ * on the buffer stack so it can be freed; our caller must -+ * pop it when done. - */ -- sb = ndo->ndo_packetp; -- se = ndo->ndo_snapend; -- ndo->ndo_packetp = b; -- ndo->ndo_snapend = t; -+ if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) { -+ free(b); -+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, -+ "%s: can't push buffer on buffer stack", __func__); -+ } - length = ND_BYTES_AVAILABLE_AFTER(b); - - /* now lets guess about the payload codepoint format */ -@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo, - } - - cleanup: -- ndo->ndo_packetp = sb; -- ndo->ndo_snapend = se; -+ nd_pop_packet_info(ndo); - return; - - trunc: -- ndo->ndo_packetp = sb; -- ndo->ndo_snapend = se; -+ nd_pop_packet_info(ndo); - nd_print_trunc(ndo); - } - -diff --git a/print.c b/print.c -index 9c0ab86..33706b9 100644 ---- a/print.c -+++ b/print.c -@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h, - nd_pop_all_packet_info(ndo); - - /* -- * Restore the original snapend, as a printer might have -- * changed it. -+ * Restore the originals snapend and packetp, as a printer -+ * might have changed them. -+ * -+ * XXX - nd_pop_all_packet_info() should have restored the -+ * original values, but, just in case.... - */ - ndo->ndo_snapend = sp + h->caplen; -+ ndo->ndo_packetp = sp; - if (ndo->ndo_Xflag) { - /* - * Print the raw packet data in hex and ASCII. --- -2.25.1 - diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/run-ptest b/meta-networking/recipes-support/tcpdump/tcpdump/run-ptest old mode 100755 new mode 100644 diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.5.bb similarity index 88% rename from meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb rename to meta-networking/recipes-support/tcpdump/tcpdump_4.99.5.bb index b05b832dd84..32b869f2415 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.5.bb @@ -21,13 +21,12 @@ RDEPENDS:${PN}-ptest += " make perl \ " SRC_URI = " \ - http://www.tcpdump.org/release/${BP}.tar.gz \ + http://www.tcpdump.org/release/${BP}.tar.xz \ file://add-ptest.patch \ file://run-ptest \ - file://CVE-2024-2397.patch \ " -SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea" +SRC_URI[sha256sum] = "d76395ab82d659d526291b013eee200201380930793531515abfc6e77b4f2ee5" UPSTREAM_CHECK_REGEX = "tcpdump-(?P\d+(\.\d+)+)\.tar"