Bug 1419066 (CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486)

Summary: tcpdump: multiple overflow issues in protocol decoding
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dmoppert, jbubeck, luhliari, mdshaikh, mruprich, msehnout, msekleta, myllynen, thozza
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tcpdump 4.9.0
Doc Type: If docs needed, set a value
Doc Text:
Multiple out of bounds read and integer overflow vulnerabilities were found in tcpdump affecting the decoding of various protocols. An attacker could create a crafted pcap file or send specially crafted packets to the network segment where tcpdump is running in live capture mode (without -w) which could cause it to display incorrect data, crash or enter an infinite loop.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-03 02:46:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1419114, 1447507
Bug Blocks: 1415638, 1419144

Description Adam Mariš 2017-02-03 15:13:34 UTC
Multiple buffer overflows, and one integer overflow, in protocol decoding were found that may cause incorrect decoding, segmentation fault or (in the case of integer overflow) an infinite loop. These issues can be exploited either locally, by making the target user decode a crafted .pcap file using tcpdump, or remotely by sending crafted packets to the network segment where the target system is running tcpdump decoding the live packet capture. Ability to send crafted packets to the target network segment is limited by the protocols' ability to cross network segments, or presence of firewall rules.

Upstream changelog:

http://www.tcpdump.org/tcpdump-changes.txt
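
The two failure modes the description names, an out-of-bounds read caused by trusting a length field and a decoding loop whose cursor stops advancing, shown in a constructed length-prefixed frame walker beside its bounds-checked form. This is an added illustration, not tcpdump's code; the frame format, the function names and the sample captures are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration, not tcpdump code. Frames are "one length byte L,
 * then L-1 body bytes" (the length counts itself, as in ZMTP/1.0 framing). */
typedef struct {
    int frames;        /* frames decoded */
    size_t over_read;  /* body bytes touched past the capture end; must be 0 */
    int stuck;         /* cursor stopped advancing (the real loop never exits) */
    int malformed;     /* hardened walker rejected an impossible length */
} walk_result;

/* Naive walker: trusts the length byte. A length beyond what remains reads past
 * the capture; a zero length never advances (demo breaks out only to return). */
static walk_result walk_frames_unsafe(const uint8_t *p, const uint8_t *end) {
    walk_result r = {0, 0, 0, 0};
    while (p < end) {
        size_t len = p[0];
        if (len == 0) { r.stuck = 1; break; }
        for (size_t i = 1; i < len; i++) {
            if (p + i >= end) r.over_read++;   /* out-of-bounds read */
            (void)p[i];                        /* the decoder would print this */
        }
        p += len;
        r.frames++;
    }
    return r;
}

/* Hardened walker: every access is checked against the capture end before it
 * happens, and a length that cannot be right ends decoding instead of being
 * trusted, which is what a decoder's per-field bounds checks are for. */
static walk_result walk_frames_safe(const uint8_t *p, const uint8_t *end) {
    walk_result r = {0, 0, 0, 0};
    while (p < end) {
        size_t len = p[0];                                /* p < end: in bounds */
        if (len == 0 || len > (size_t)(end - p)) { r.malformed = 1; break; }
        for (size_t i = 1; i < len; i++) (void)p[i];     /* all inside [p, end) */
        p += len;
        r.frames++;
    }
    return r;
}
/* Constructed captures: *_LEN is the captured length; the 0xAA bytes are padding
 * so the unsafe walker's over-read stays inside this demo's own array. */
static const uint8_t GOOD[] = {3,'a','b', 2,'c', 1, 0xAA,0xAA,0xAA,0xAA};
#define GOOD_LEN 6
static const uint8_t BAD[]  = {3,'a','b', 7,'c', 0xAA,0xAA,0xAA,0xAA,0xAA};
#define BAD_LEN  5
static const uint8_t ZERO[] = {2,'a', 0};   /* second frame claims length 0 */
```

On the `BAD` capture the naive walker touches five bytes beyond the captured length before it stops, while the hardened walker decodes the one valid frame and flags the truncated one; on `ZERO` the naive cursor would never move again.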

Comment 1 Adam Mariš 2017-02-03 15:13:46 UTC
Acknowledgments:

Name: the Tcpdump project

Comment 2 Adam Mariš 2017-02-03 15:35:20 UTC
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1419114]

Comment 4 Doran Moppert 2017-02-13 06:49:53 UTC
Statement:

Red Hat Product Security has rated these issues as having Moderate security impact. These issues may be fixed in a future minor release of Red Hat Enterprise Linux 7. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 5 Doran Moppert 2017-02-13 06:50:02 UTC
Mitigation:

When invoked with the "-w" option, to write raw packets to a pcap file (for forensic purposes or offline examination), tcpdump does not use the protocol decoding subsystem and is not affected by these flaws. Red Hat Product Security recommends that any unattended uses of tcpdump use this option to ensure uninterrupted packet capture.

Comment 6 Doran Moppert 2017-02-13 07:36:58 UTC
Detail of individual CVEs:

CVE-2016-7922 Buffer overflow in AH parser in print-ah.c:ah_print()
CVE-2016-7923 Buffer overflow in ARP parser in print-arp.c:arp_print()
CVE-2016-7924 Buffer overflow in ATM parser in print-atm.c:oam_print()
CVE-2016-7925 Buffer overflow in compressed SLIP parser in print-sl.c:sl_if_print()
CVE-2016-7926 Buffer overflow in Ethernet parser in print-ether.c:ethertype_print()
CVE-2016-7927 Buffer overflow in IEEE 802.11 parser in print-802_11.c:ieee802_11_radio_print()
CVE-2016-7928 Buffer overflow in IPComp parser in print-ipcomp.c:ipcomp_print()
CVE-2016-7929 Buffer overflow in Juniper PPPoE ATM parser in print-juniper.c:juniper_parse_header()
CVE-2016-7930 Buffer overflow in LLC parser in print-llc.c:llc_print()
CVE-2016-7931 Buffer overflow in MPLS parser in print-mpls.c:mpls_print()
CVE-2016-7932 Buffer overflow in PIM parser in print-pim.c:pimv2_check_checksum()
CVE-2016-7933 Buffer overflow in PPP parser in print-ppp.c:ppp_hdlc_if_print()
CVE-2016-7934 Buffer overflow in RTCP parser in print-udp.c:rtcp_print()
CVE-2016-7935 Buffer overflow in RTP parser in print-udp.c:rtp_print()
CVE-2016-7936 Buffer overflow in UDP parser in print-udp.c:udp_print()
CVE-2016-7937 Buffer overflow in VAT parser in print-udp.c:vat_print()
CVE-2016-7938 Integer overflow in ZeroMQ parser in print-zeromq.c:zmtp1_print_frame()
CVE-2016-7939 Buffer overflow in GRE parser in print-gre.c, multiple functions
CVE-2016-7940 Buffer overflow in STP parser in print-stp.c, multiple functions
CVE-2016-7973 Buffer overflow in AppleTalk parser in print-atalk.c, multiple functions
CVE-2016-7974 Buffer overflow in IP parser in print-ip.c, multiple functions
CVE-2016-7975 Buffer overflow in TCP parser in print-tcp.c:tcp_print()
CVE-2016-7983 Buffer overflow in BOOTP parser in print-bootp.c:bootp_print()
CVE-2016-7984 Buffer overflow in TFTP parser in print-tftp.c:tftp_print()
CVE-2016-7985 Buffer overflow in CALM FAST parser in print-calm-fast.c:calm_fast_print()
CVE-2016-7986 Buffer overflow in GeoNetworking parser in print-geonet.c, multiple functions
CVE-2016-7992 Buffer overflow in Classical IP over ATM parser in print-cip.c:cip_if_print()
CVE-2016-7993 Buffer overflow in util-print.c:relts_print() in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM)
CVE-2016-8574 Buffer overflow in FRF.15 parser in print-fr.c:frf15_print()
CVE-2016-8575 Buffer overflow in Q.933 parser in print-fr.c:q933_print()
CVE-2017-5202 Buffer overflow in ISO CLNS parser in print-isoclns.c:clnp_print()
CVE-2017-5203 Buffer overflow in BOOTP parser in print-bootp.c:bootp_print()
CVE-2017-5204 Buffer overflow in IPv6 parser in print-ip6.c:ip6_print()
CVE-2017-5205 Buffer overflow in ISAKMP parser in print-isakmp.c:ikev2_e_print()
CVE-2017-5341 Buffer overflow in OTV parser in print-otv.c:otv_print()
CVE-2017-5342 Buffer overflow in print-ether.c:ether_print() in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE)
CVE-2017-5482 Buffer overflow in Q.933 parser in print-fr.c:q933_print()
CVE-2017-5483 Buffer overflow in SNMP parser in print-snmp.c:asn1_parse()
CVE-2017-5484 Buffer overflow in ATM parser in print-atm.c:sig_print()
CVE-2017-5485 Buffer overflow in ISO CLNS parser in addrtoname.c:lookup_nsap()
CVE-2017-5486 Buffer overflow in ISO CLNS parser in print-isoclns.c:clnp_print()

Comment 7 Doran Moppert 2017-02-20 03:44:26 UTC
*** Bug 1419112 has been marked as a duplicate of this bug. ***

Comment 8 Doran Moppert 2017-02-20 03:47:42 UTC
*** Bug 1419067 has been marked as a duplicate of this bug. ***

Comment 9 Doran Moppert 2017-02-20 03:47:58 UTC
*** Bug 1419068 has been marked as a duplicate of this bug. ***

Comment 10 Doran Moppert 2017-02-20 03:48:13 UTC
*** Bug 1419070 has been marked as a duplicate of this bug. ***

Comment 11 Doran Moppert 2017-02-20 03:48:29 UTC
*** Bug 1419071 has been marked as a duplicate of this bug. ***

Comment 12 Doran Moppert 2017-02-20 03:48:44 UTC
*** Bug 1419072 has been marked as a duplicate of this bug. ***

Comment 13 Doran Moppert 2017-02-20 03:48:58 UTC
*** Bug 1419073 has been marked as a duplicate of this bug. ***

Comment 14 Doran Moppert 2017-02-20 03:49:15 UTC
*** Bug 1419074 has been marked as a duplicate of this bug. ***

Comment 15 Doran Moppert 2017-02-20 03:49:32 UTC
*** Bug 1419075 has been marked as a duplicate of this bug. ***

Comment 16 Doran Moppert 2017-02-20 03:49:46 UTC
*** Bug 1419076 has been marked as a duplicate of this bug. ***

Comment 17 Doran Moppert 2017-02-20 03:50:02 UTC
*** Bug 1419077 has been marked as a duplicate of this bug. ***

Comment 18 Doran Moppert 2017-02-20 03:50:20 UTC
*** Bug 1419078 has been marked as a duplicate of this bug. ***

Comment 19 Doran Moppert 2017-02-20 03:50:33 UTC
*** Bug 1419079 has been marked as a duplicate of this bug. ***

Comment 20 Doran Moppert 2017-02-20 03:50:49 UTC
*** Bug 1419080 has been marked as a duplicate of this bug. ***

Comment 21 Doran Moppert 2017-02-20 03:51:04 UTC
*** Bug 1419081 has been marked as a duplicate of this bug. ***

Comment 22 Doran Moppert 2017-02-20 03:51:20 UTC
*** Bug 1419082 has been marked as a duplicate of this bug. ***

Comment 23 Doran Moppert 2017-02-20 03:51:37 UTC
*** Bug 1419083 has been marked as a duplicate of this bug. ***

Comment 24 Doran Moppert 2017-02-20 03:51:54 UTC
*** Bug 1419085 has been marked as a duplicate of this bug. ***

Comment 25 Doran Moppert 2017-02-20 03:52:08 UTC
*** Bug 1419087 has been marked as a duplicate of this bug. ***

Comment 26 Doran Moppert 2017-02-20 03:52:22 UTC
*** Bug 1419088 has been marked as a duplicate of this bug. ***

Comment 27 Doran Moppert 2017-02-20 03:52:38 UTC
*** Bug 1419089 has been marked as a duplicate of this bug. ***

Comment 28 Doran Moppert 2017-02-20 03:52:53 UTC
*** Bug 1419090 has been marked as a duplicate of this bug. ***

Comment 29 Doran Moppert 2017-02-20 03:53:10 UTC
*** Bug 1419091 has been marked as a duplicate of this bug. ***

Comment 30 Doran Moppert 2017-02-20 03:53:24 UTC
*** Bug 1419093 has been marked as a duplicate of this bug. ***

Comment 31 Doran Moppert 2017-02-20 03:53:37 UTC
*** Bug 1419094 has been marked as a duplicate of this bug. ***

Comment 32 Doran Moppert 2017-02-20 03:53:56 UTC
*** Bug 1419095 has been marked as a duplicate of this bug. ***

Comment 33 Doran Moppert 2017-02-20 03:54:13 UTC
*** Bug 1419097 has been marked as a duplicate of this bug. ***

Comment 34 Doran Moppert 2017-02-20 03:54:27 UTC
*** Bug 1419098 has been marked as a duplicate of this bug. ***

Comment 35 Doran Moppert 2017-02-20 03:54:43 UTC
*** Bug 1419099 has been marked as a duplicate of this bug. ***

Comment 36 Doran Moppert 2017-02-20 03:54:59 UTC
*** Bug 1419100 has been marked as a duplicate of this bug. ***

Comment 37 Doran Moppert 2017-02-20 03:55:14 UTC
*** Bug 1419101 has been marked as a duplicate of this bug. ***

Comment 38 Doran Moppert 2017-02-20 03:55:28 UTC
*** Bug 1419102 has been marked as a duplicate of this bug. ***

Comment 39 Doran Moppert 2017-02-20 03:55:42 UTC
*** Bug 1419103 has been marked as a duplicate of this bug. ***

Comment 40 Doran Moppert 2017-02-20 03:55:56 UTC
*** Bug 1419104 has been marked as a duplicate of this bug. ***

Comment 41 Doran Moppert 2017-02-20 03:56:11 UTC
*** Bug 1419106 has been marked as a duplicate of this bug. ***

Comment 42 Doran Moppert 2017-02-20 03:56:27 UTC
*** Bug 1419107 has been marked as a duplicate of this bug. ***

Comment 43 Doran Moppert 2017-02-20 03:56:43 UTC
*** Bug 1419108 has been marked as a duplicate of this bug. ***

Comment 44 Doran Moppert 2017-02-20 03:56:59 UTC
*** Bug 1419109 has been marked as a duplicate of this bug. ***

Comment 45 Doran Moppert 2017-02-20 03:57:16 UTC
*** Bug 1419110 has been marked as a duplicate of this bug. ***

Comment 46 Doran Moppert 2017-02-20 03:57:33 UTC
*** Bug 1419111 has been marked as a duplicate of this bug. ***

Comment 54 errata-xmlrpc 2017-08-01 12:14:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1871 https://access.redhat.com/errata/RHSA-2017:1871