tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

From: Michal Sekletar <msekleta () redhat com>
Date: Mon, 24 Nov 2014 08:16:56 +0100
On Fri, Nov 21, 2014 at 11:01:15PM +0100, Romain Francoise wrote:

On Fri, Nov 21, 2014 at 03:47:06PM -0500, Michael Richardson wrote:

It's supposed to happen, but I'm checking.
Should be there now.  Is cron failing to do it's thing?


Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
branch with the commits I need.


Please, can somebody with push access fix this.

Also it would be nice if we agree on single place where development happens and
stick to that.

Because bpf.tcpdump.org has a bad track-record (IIRC multiple power, network
failures in the past) I am for sticking with GitHub.



So I apparently need all of these?

3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for <stddef.h>.
e302ff0 10 days ago Guy Harris Further cleanups.
3e8a443 10 days ago Guy Harris Clean up error message printing.
ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
9255c9b 10 days ago Guy Harris Do bounds checking and length checking.

 print-aodv.c   | 481 ++++++++++++++++++++++++++-------------------------------
 print-geonet.c | 270 ++++++++++++++++++--------------
 print-olsr.c   |  56 +++++--
 3 files changed, 417 insertions(+), 390 deletions(-)

That's a lot bigger than typical security patches. :(


Yes, I spent good couple hours backporting those to older versions we have in
Fedora 19 and 20.




It's in the tcpdump.org/beta/ directory, but I didn't want to release
until the distros had a chance to patch.


But did you notify the distros? Because I didn't get advance notice, and
the others haven't released security updates yet either.


I was notified by Red Hat Security Response Team once CVEs where public. In the
disclosure report there was a mention of existing patches therefore I
checked GitHub because that is place where most of the development happens these
days, and found no fixes.

I started to work on the patches ASAP and after submitting the first one
as Pull Request #413 I was told that patches actually do exist but the legacy
place where tcpdump/libpcap code lives was not synced to GitHub for days.

Michal



Thanks,
-- 
Romain Francoise <rfrancoise () debian org>
http://people.debian.org/~rfrancoise/
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Previous By Date Next
Previous By Thread Next

Current thread: