Bug 156139 - CAN-2005-1267,1278,1279,1280 Multiple DoS issues in tcpdump
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: tcpdump
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, 1, 2, rh90
Keywords: Security
Reported: 2005-04-27 16:23 EDT by Marc Deslauriers
Modified: 2007-04-18 13:24 EDT (History)
Last Closed: 2006-04-04 20:25:52 EDT
Attachments
Patches for Fedora 2 (1.46 KB, application/octet-stream)
2005-04-29 09:33 EDT, Martin Stransky
Patch for Fedora 1 (1.00 KB, text/plain)
2005-04-29 09:34 EDT, Martin Stransky
Proposed FLSA-2006-156139 advisory for tcpdump (5.78 KB, text/plain)
2006-04-02 20:21 EDT, David Eisenstein

Description Marc Deslauriers 2005-04-27 16:23:53 EDT
+++ This bug was initially created as a clone of Bug #156040 +++

The following two DoS issues were reported to bugtraq:

tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits
http://www.securityfocus.com/archive/1/396932/2005-04-23/2005-04-29/0

tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS
http://www.securityfocus.com/archive/1/396930/2005-04-23/2005-04-29/0
Comment 1 Martin Stransky 2005-04-29 09:33:45 EDT
Created attachment 113837 [details]
Patches for Fedora 2

Here are patches for Fedora 2.
Comment 2 Martin Stransky 2005-04-29 09:34:51 EDT
Created attachment 113838 [details]
Patch for Fedora 1

Here is the patch for Fedora 1.
Comment 3 John Dalbec 2005-04-29 12:30:50 EDT
05.17.29 CVE: Not Available
Platform: Cross Platform
Title: tcpdump BGP Decoding Routines Denial of Service
Description: tcpdump is a network-monitoring tool. It is reported to
be vulnerable to a denial of service issue due to improper checks
while decoding the BGP packets. tcpdump versions 3.8.3 and earlier are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13380 
Comment 4 John Dalbec 2005-04-29 12:37:47 EDT
05.17.33 CVE: Not Available
Platform: Cross Platform
Title: tcpdump ISIS Decoding Routines Denial of Service
Description: tcpdump is a network-monitoring tool. tcpdump is
susceptible to a denial of service vulnerability. Specifically, the
decoding routine for ISIS (Intermediate System to Intermediate System)
packets is vulnerable. A remote attacker may cause tcpdump to hang by
sending malformed ISIS packets, resulting in denial of service.
tcpdump versions up to and including 3.9.x are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/13392 
Comment 5 mschout 2005-05-10 18:35:20 EDT
I ran the 3 exploit C programs and pointed them at a redhat 7.3 machine and a
FC1 machine that were running tcpdump.  All machines had no firewall rules
during the test.

In all 3 cases on both the FC1 and RHL7.3 machines, nothing happened.  tcpdump
did not go into an infinite loop.  Perhaps I was simply not able to reproduce
this, but I notice that the security focus advisory says:

  the ISIS bug is in 3.8.x/3.9.1/CVS. (did not check below 3.8.x)
  the BGP and LDP bugs seem to be only in 3.8.x. (did not check below 3.8.x)

RHL7.3 uses tcpdump 3.6.3
FC1 uses tcpdump 3.7.2

Due to the fact that I cannot reproduce the problem on either an RHL7.3
machine, or an FC1 machine, I am under the impression that these versions of
tcpdump are not vulnerable.

I could be wrong though.
Comment 6 mschout 2005-05-10 18:36:02 EDT
Just wanted to add that I was running "tcpdump -v" as suggested in the exploit
code comments.
Comment 7 Pekka Savola 2005-05-21 16:09:44 EDT
Red Hat had analyzed that this does not affect RHEL21 (which also has 3.6.x);
Debian maintainer thought BGP dissector in 3.6.x would be vulnerable, but
nothing has come out of there in almost a month.

I think we're pretty close to agreeing that this doesn't affect RHL73.
Comment 8 Marc Deslauriers 2005-06-11 19:14:48 EDT
Here are updates packages to QA for rh9, fc1 and fc2.

Thanks for the patches Martin!

Changelog:
* Sat Jun 11 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
14:3.7.2-7.9.4.legacy
- fix for Multiple DoS issues in tcpdump
  (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

rh9:

9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/tcpdump-3.7.2-7.9.4.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:

fc1 Source:
http://www.infostrategique.com/linuxrpms/legacy/1/tcpdump-3.7.2-8.fc1.3.legacy.src.rpm
fc1 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:

fc2 Source:
http://www.infostrategique.com/linuxrpms/legacy/2/tcpdump-3.8.2-6.FC2.2.legacy.src.rpm
fc2 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/2/

Comment 9 Pekka Savola 2005-06-13 08:02:18 EDT
Sigh.  There appears to be another tcpdump BGP vulnerability:
 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159209
 
(I noticed this when I went looking for the patches in FC3 tree.)
 
In any case, I verified the packages so far that they came, and am giving
them a publish in any case (though I think it may make sense to re-spin
before building them for updates-testing).
 
...
 
QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - patches verified to come from RHEL3/RHEL4
 - source integrity OK
 
+PUBLISH RHL9,FC1,FC2
 
2a63dfe8422c135d41ec0655d1957b2ac6e348a2  tcpdump-3.7.2-7.9.3.legacy.src.rpm
9eeaf4d582b71d2ddea2069f5f73cb48b206326b  tcpdump-3.7.2-7.9.4.legacy.src.rpm
1cdc55893463c839281e3926260c0692efece12f  tcpdump-3.7.2-8.fc1.3.legacy.src.rpm
37d25942b9226692d0261df9618ca6340bfe0946  tcpdump-3.8.2-6.FC2.2.legacy.src.rpm
Comment 10 Marc Deslauriers 2005-06-23 19:07:46 EDT
Let's re-spin them.
Comment 11 Marc Bejarano 2005-08-18 02:55:04 EDT
The new BGP vuln is CAN-2005-1267 and should be added to the summary.
Comment 12 Jeff Sheltren 2006-03-11 20:28:15 EST
I've rebuilt the FC2 package using the patch for CAN-2005-1267
from the FC3 package.
RH7.3, RH9, and FC1 are not vulnerable to CAN-2005-1267, so Marc's
packages are fine for those distros.

The updated FC2 package can be found here:
http://www.cs.ucsb.edu/~jeff/legacy/tcpdump-3.8.2-6.FC2.3.legacy.src.rpm

71d8c5db55250e79e1cff713831a3fe1d7ec7456  tcpdump-3.8.2-6.FC2.3.legacy.src.rpm
Comment 13 Pekka Savola 2006-03-12 06:46:40 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patch verified to be identical to RHEL4

RHEL seems to have enabled 2GB+ file size support by adjusting compile flags,
which could be useful, but probably beyond the scope of the FL project.

+PUBLISH FC2

71d8c5db55250e79e1cff713831a3fe1d7ec7456  tcpdump-3.8.2-6.FC2.3.legacy.src.rpm
Comment 14 Marc Deslauriers 2006-03-15 20:27:06 EST
Packages were pushed to updates-testing.
Comment 15 Pekka Savola 2006-03-16 01:03:24 EST
QA for RHL9.  Signature OK, upgrades OK.  Rpm-build-compare.sh on
the binaries also looks OK.  Basic testing OK.
 
+VERIFY RHL9
Comment 16 Tom Yates 2006-03-23 07:35:08 EST
0beccb4a6dd929174bc2d70d680a2e3c4a094391 tcpdump-3.7.2-7.9.4.legacy.i386.rpm

Installs OK.  I use tcpdump quite a lot and it seems to be fine still.

+VERIFY RH9

Comment 17 Pekka Savola 2006-03-23 08:19:39 EST
Timeout reduced to 1 week and also over.
Comment 18 David Eisenstein 2006-04-02 20:21:21 EDT
Created attachment 127217 [details]
Proposed FLSA-2006-156139 advisory for tcpdump

Attached is a proposed advisory for tcpdump for its release to updates.
Comment 19 Marc Deslauriers 2006-04-04 20:25:52 EDT
Packages were released to updates.
