From 229a547d2cc3d1df3d1be8865921379f513cb92e Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 6 Mar 2024 03:43:30 +0300 Subject: [PATCH] import tcpdump-4.99.0-7.el9_3.1 --- SOURCES/0010-CVE-2021-41043.patch | 48 +++++++++++++++++++++++++++++++ SPECS/tcpdump.spec | 6 +++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0010-CVE-2021-41043.patch diff --git a/SOURCES/0010-CVE-2021-41043.patch b/SOURCES/0010-CVE-2021-41043.patch new file mode 100644 index 0000000..b2c3956 --- /dev/null +++ b/SOURCES/0010-CVE-2021-41043.patch 
@@ -0,0 +1,48 @@ +From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001 +From: Denis Ovsienko +Date: Thu, 30 Dec 2021 17:52:52 +0000 +Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice(). + +This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110), +see GitHub issue #11. + +In extract_slice() pcap_dump_open() takes a pcap_t argument to tell +which DLT to use for the output file. This used to be the pcap_t of the +first input file, as main() requires at least one input file. However, +the loop before pcap_dump_open() closes all, including the first, input +files that don't meet a test condition. This way, when the first file +didn't meet the condition, the call to pcap_dump_open() would end up as +a use-after-free. Make the pcap_dump_open() call before the loop, when +the first array element is always valid, and fix this problem. +--- +diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c +index e7b9ba8..507dd1b 100644 +--- a/tcpslice-1.3/tcpslice.c ++++ b/tcpslice-1.3/tcpslice.c +@@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name, + TV_SUB(start_time, base_time, &relative_start); + TV_SUB(stop_time, base_time, &relative_stop); + ++ /* Always write the output file, use the first input file's DLT. */ ++ global_dumper = pcap_dump_open(states[0].p, write_file_name); ++ if (!global_dumper) { ++ error("error creating output file '%s': %s", ++ write_file_name, pcap_geterr(states[0].p)); ++ } ++ + for (i = 0; i < numfiles; ++i) { + s = &states[i]; + +@@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name, + get_next_packet(s); + } + +- global_dumper = pcap_dump_open(states->p, write_file_name); +- if (!global_dumper) { +- error( "error creating output file %s: %s", +- write_file_name, pcap_geterr( states->p ) ); +- } +- + + /* + * Now, loop thru all the packets in all the files, 
diff --git a/SPECS/tcpdump.spec b/SPECS/tcpdump.spec index 1f965da..c26ff2d 100644 --- a/SPECS/tcpdump.spec +++ b/SPECS/tcpdump.spec @@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool Name: tcpdump Epoch: 14 Version: 4.99.0 -Release: 7%{?dist} +Release: 7%{?dist}.1 License: BSD with advertising URL: http://www.tcpdump.org Requires(pre): shadow-utils @@ -17,6 +17,7 @@ Patch0002: 0002-Use-getnameinfo-instead-of-gethostbyaddr.patch Patch0003: 0003-Drop-root-priviledges-before-opening-first-savefile-.patch Patch0007: 0007-Introduce-nn-option.patch Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch +Patch0010: 0010-CVE-2021-41043.patch %define tcpslice_dir tcpslice-1.3 @@ -81,6 +82,9 @@ exit 0 %{_mandir}/man8/tcpdump.8* %changelog +* Thu Jan 18 2024 Michal Ruprich - 14:4.99.0-7.1 +- Resolves: RHEL-21789 - tcpslice: use-after-free in extract_slice() + * Wed May 24 2023 Michal Ruprich - 14:4.99.0-7 - Resolves: #2188429 - enable GUESS_TSO for large packets
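Review bot: in the first tcpslice.c hunk (@@ -838,6 +838,13 @@), moving pcap_dump_open() ahead of the loop does more than remove the use-after-free: the output file is now created before any input file has been checked, so a run in which every input file is later closed by the loop for failing the test condition will still leave a (possibly empty) capture file on disk, where the old code reached pcap_dump_open() only after the loop. The in-code comment `/* Always write the output file, use the first input file's DLT. */` says this is intended, but it deserves a sentence in the commit message. The new call also keeps the old assumption that the DLT of `states[0].p` is right for every other input file; nothing in this hunk checks that, which is unchanged from before but worth noting for anyone reading this as the CVE fix.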
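Review bot: the second tcpslice.c hunk (@@ -876,12 +883,6 @@) correctly removes the post-loop `pcap_dump_open(states->p, ...)` and its `pcap_geterr( states->p )`, both of which dereference a pcap_t that the preceding loop may already have closed, which is exactly the use-after-free the message describes. Style point: the removed block takes its own trailing blank line with it but the context still shows a blank line on either side, so the result has two consecutive blank lines between the loop's closing `}` and the `/* Now, loop thru all the packets ...` comment; drop one of them to keep a single separator.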
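Review bot: the spec hunk adding `Patch0010: 0010-CVE-2021-41043.patch` (@@ -17,6 +17,7 @@) only declares the patch; the %prep section is not in the diff, so confirm the spec actually applies it (via %autosetup or an explicit %patch line for number 10) and does so from the directory that contains `tcpslice-1.3`. The embedded diff uses the path `a/tcpslice-1.3/tcpslice.c`, which lines up with the `%define tcpslice_dir tcpslice-1.3` immediately below only at strip level 1 from that parent directory, unlike the neighbouring 0002/0003/0007/0009 patches, which target tcpdump itself.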
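Review bot: the %changelog entry (@@ -81,6 +82,9 @@) records only `Resolves: RHEL-21789 - tcpslice: use-after-free in extract_slice()`; the patch file name and the upstream commit subject both carry `CVE-2021-41043`, so add the CVE id to the changelog line so the fix can be found by CVE in `rpm -q --changelog` output. The `Release: 7%{?dist}.1` bump in the first spec hunk is consistent with the `14:4.99.0-7.1` version in this entry.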