import tcpdump-4.9.3-3.el8_9.1

.gitignore

@@ -1,2 +1,3 @@
 SOURCES/tcpdump-4.9.3.tar.gz
+SOURCES/tcpdump-4.9.3.tar.gz.sig
 SOURCES/tcpslice-1.2a3.tar.gz

.tcpdump.metadata

@@ -1,2 +1,3 @@
 59b309f3620ac4b709de2eaf7bf3a83bf04bc048 SOURCES/tcpdump-4.9.3.tar.gz
+cfc1a4a7fce082844312906046a4d53a0e87ce26 SOURCES/tcpdump-4.9.3.tar.gz.sig
 98790301cb1bf4399a95153bc62d49b3f5808994 SOURCES/tcpslice-1.2a3.tar.gz

SOURCES/0017-CVE-2021-41043.patch

@@ -0,0 +1,48 @@
+From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Thu, 30 Dec 2021 17:52:52 +0000
+Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice().
+
+This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
+see GitHub issue #11.
+
+In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
+which DLT to use for the output file.  This used to be the pcap_t of the
+first input file, as main() requires at least one input file.  However,
+the loop before pcap_dump_open() closes all, including the first, input
+files that don't meet a test condition.  This way, when the first file
+didn't meet the condition, the call to pcap_dump_open() would end up as
+a use-after-free.  Make the pcap_dump_open() call before the loop, when
+the first array element is always valid, and fix this problem.
+---
+diff --git a/tcpslice-1.2a3/tcpslice.c b/tcpslice-1.2a3/tcpslice.c
+index 6d08473..7c0f4a0 100644
+--- a/tcpslice-1.2a3/tcpslice.c
++++ b/tcpslice-1.2a3/tcpslice.c
+@@ -841,6 +841,13 @@ extract_slice(struct state *states, const int numfiles, const char *write_file_n
+ 	TV_SUB(start_time, base_time, &relative_start);
+ 	TV_SUB(stop_time, base_time, &relative_stop);
+ 
++	/* Always write the output file, use the first input file's DLT. */
++	dumper = pcap_dump_open(states[0].p, write_file_name);
++	if (!dumper) {
++		error("error creating output file '%s': %s",
++		      write_file_name, pcap_geterr(states[0].p));
++	}
++
+ 	for (i = 0; i < numfiles; ++i) {
+ 		s = &states[i];
+ 
+@@ -879,12 +886,6 @@ extract_slice(struct state *states, const int numfiles, const char *write_file_n
+ 		get_next_packet(s);
+ 	}
+ 
+-	dumper = pcap_dump_open(states->p, write_file_name);
+-	if (! dumper) {
+-		error( "error creating output file %s: ",
+-			write_file_name, pcap_geterr( states->p ) );
+-	}
+-
+ 
+ 	/*
+ 	 * Now, loop thru all the packets in all the files,

SPECS/tcpdump.spec

@@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool
 Name: tcpdump
 Epoch: 14
 Version: 4.9.3
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 License: BSD with advertising
 URL: http://www.tcpdump.org
 Group: Applications/Internet
@@ -26,6 +26,7 @@ Patch0013:      0013-tcpslice-stdlib.patch
 Patch0014:      0014-enhance-mptcp.patch
 Patch0015:      0015-CVE-2020-8037.patch
 Patch0016:      0016-direction-for-any.patch
+Patch0017:      0017-CVE-2021-41043.patch
 
 %define tcpslice_dir tcpslice-1.2a3
 
@@ -91,6 +92,9 @@ exit 0
 %{_mandir}/man8/tcpdump.8*
 
 %changelog
+* Fri Jan 05 2024 Michal Ruprich <mruprich@redhat.com> - 14:4.9.3-3.1
+- Resolves: RHEL-20814 - tcpslice: use-after-free in extract_slice()
+
 * Mon Jan 10 2022 Michal Ruprich <mruprich@redhat.com> - 14:4.9.3-3
 - Resolves: #2005451 - tcpdump support for direction and interface needed in RHEL8