author | 2007-07-10 13:41:14 +0000 | |
---|---|---|
committer | 2007-07-10 13:41:14 +0000 | |
commit | 49020943b59cfb84abdee8af07e4fe3d56ca56e3 (patch) | |
tree | da16c45451341308cc8ba0f955bd32ed50230fd9 /net-analyzer/tcpdump | |
parent | Added patch to compile against kernel 2.6.22, thanks to Helmut Auer <helmut@h... (diff) | |
Fix vulnerability reported in bug 184815. Thank mu-b <mu-b AT digit-labs.org>. Force tcpdump to drop privileges by default. Thank Jukka Ruohonen <drear AT iki.fi> for report (bug #176391).
Package-Manager: portage-2.1.3_rc7
Diffstat (limited to 'net-analyzer/tcpdump')
-rw-r--r-- | net-analyzer/tcpdump/ChangeLog | 12 | ||||
-rw-r--r-- | net-analyzer/tcpdump/Manifest | 26 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/digest-tcpdump-3.9.5-r3 | 3 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/digest-tcpdump-3.9.6-r1 | 3 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/tcpdump-3.9.6-bgp-integer-overflow.patch | 21 | ||||
-rw-r--r-- | net-analyzer/tcpdump/tcpdump-3.9.5-r3.ebuild | 86 | ||||
-rw-r--r-- | net-analyzer/tcpdump/tcpdump-3.9.6-r1.ebuild | 86 |
7 files changed, 232 insertions, 5 deletions
diff --git a/net-analyzer/tcpdump/ChangeLog b/net-analyzer/tcpdump/ChangeLog index 96f1b519259f..089be2b681a7 100644 --- a/net-analyzer/tcpdump/ChangeLog +++ b/net-analyzer/tcpdump/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for net-analyzer/tcpdump # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/ChangeLog,v 1.98 2007/06/23 09:39:49 cedk Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/ChangeLog,v 1.99 2007/07/10 13:41:14 pva Exp $ + +*tcpdump-3.9.6-r1 (10 Jul 2007) +*tcpdump-3.9.5-r3 (10 Jul 2007) + + 10 Jul 2007; <pva@gentoo.org> + +files/tcpdump-3.9.6-bgp-integer-overflow.patch, +tcpdump-3.9.5-r3.ebuild, + +tcpdump-3.9.6-r1.ebuild: + Fix vulnerability reported in bug 184815. Thank mu-b <mu-b AT + digit-labs.org>. Force tcpdump to drop privileges by default. Thank Jukka + Ruohonen <drear AT iki.fi> for report (bug #176391). *tcpdump-3.9.6 (23 Jun 2007) diff --git a/net-analyzer/tcpdump/Manifest b/net-analyzer/tcpdump/Manifest index 9c6d8c1363d5..96dd522f0896 100644 --- a/net-analyzer/tcpdump/Manifest +++ b/net-analyzer/tcpdump/Manifest 
@@ -14,20 +14,32 @@ AUX tcpdump-3.9.5-print-802_11.c.diff 365 RMD160 2b1186b691a9e25416eea1c7b1c3599 MD5 361356159496cb5a083bc49a8f4241a4 files/tcpdump-3.9.5-print-802_11.c.diff 365 RMD160 2b1186b691a9e25416eea1c7b1c3599dfc4b703f files/tcpdump-3.9.5-print-802_11.c.diff 365 SHA256 83c188a5bf08199a3c4abf481fa2a2813ff29954e12b5df81002bd40e1d5dab4 files/tcpdump-3.9.5-print-802_11.c.diff 365 +AUX tcpdump-3.9.6-bgp-integer-overflow.patch 905 RMD160 0f344c018dfa373720280b8d68787719365dd171 SHA1 848af722425dead317f02c4f5f72aadc553da006 SHA256 aa4f20c089516657ddee98f69df922cbe2a47917e953249e64d3e5bc52f211f7 +MD5 97255748538244986a75bd74520e91eb files/tcpdump-3.9.6-bgp-integer-overflow.patch 905 +RMD160 0f344c018dfa373720280b8d68787719365dd171 files/tcpdump-3.9.6-bgp-integer-overflow.patch 905 +SHA256 aa4f20c089516657ddee98f69df922cbe2a47917e953249e64d3e5bc52f211f7 files/tcpdump-3.9.6-bgp-integer-overflow.patch 905 DIST tcpdump-3.9.5.tar.gz 712411 RMD160 e0409ad55deda1b2a74950522720610c6c94d771 SHA1 a9850177809196008ed3e6212cb651ed1500353c SHA256 6a1617253f12bf2ac440eeb8709baeb907c6b801442bf2229a6bb84489cf38f4 DIST tcpdump-3.9.6.tar.gz 712992 RMD160 9b098d50ab381ab8cc7d59a96a9acc41b570d929 SHA1 a07907268c200f90a8b7c5dbc6a1427917cc1058 SHA256 242b27388ada00d0c40097cef0d56ac5bdbb0a5d81dffb480cdd91b109e10d8d EBUILD tcpdump-3.9.5-r2.ebuild 1943 RMD160 50ab9ac319913633766cfce82e08b2648ee9489c SHA1 cc1931e9904c0a6d6794c10e6b92ed22c63dc424 SHA256 393db6ecfb9176290c37c6593498f8decce9c16027e5a7aacbe65c3dcef5c550 MD5 49ef4f339ca898521cf0719482256c59 tcpdump-3.9.5-r2.ebuild 1943 RMD160 50ab9ac319913633766cfce82e08b2648ee9489c tcpdump-3.9.5-r2.ebuild 1943 SHA256 393db6ecfb9176290c37c6593498f8decce9c16027e5a7aacbe65c3dcef5c550 tcpdump-3.9.5-r2.ebuild 1943 +EBUILD tcpdump-3.9.5-r3.ebuild 2238 RMD160 6f59617696cd6c0dd8f585ac9cb1710c92f4bcdb SHA1 2738a8185ffeb2a5169c521076b6f1c83d449124 SHA256 fac0d6608997323fe3800499d7e2030397cb2ebb8b945fb3fb21eac147e2f321 +MD5 
461ad6ad490225274b670d0f02ed42e4 tcpdump-3.9.5-r3.ebuild 2238 +RMD160 6f59617696cd6c0dd8f585ac9cb1710c92f4bcdb tcpdump-3.9.5-r3.ebuild 2238 +SHA256 fac0d6608997323fe3800499d7e2030397cb2ebb8b945fb3fb21eac147e2f321 tcpdump-3.9.5-r3.ebuild 2238 +EBUILD tcpdump-3.9.6-r1.ebuild 2242 RMD160 fb9c755e99d5aef11bd9a54e64b3abd58919d147 SHA1 1aabfdda226b63712a653a137ee77d560535f818 SHA256 6694f10de6d11c5b547f3aed64134007324dd4dea75df86a4de3db3a97c0d65a +MD5 e5a169df4f3c69415e6d70a9b0b69f23 tcpdump-3.9.6-r1.ebuild 2242 +RMD160 fb9c755e99d5aef11bd9a54e64b3abd58919d147 tcpdump-3.9.6-r1.ebuild 2242 +SHA256 6694f10de6d11c5b547f3aed64134007324dd4dea75df86a4de3db3a97c0d65a tcpdump-3.9.6-r1.ebuild 2242 EBUILD tcpdump-3.9.6.ebuild 1962 RMD160 896a372de51d1514205005562df73f4f75022e89 SHA1 eef5edeae74fcd00ca238806db0fb195f22c2912 SHA256 f75b80dbcc87eaaa21ca81eaea9d789b83a7701e525360051748fe017a2044ce MD5 79ea7b3adcfff574067f6215ae7adaf9 tcpdump-3.9.6.ebuild 1962 RMD160 896a372de51d1514205005562df73f4f75022e89 tcpdump-3.9.6.ebuild 1962 SHA256 f75b80dbcc87eaaa21ca81eaea9d789b83a7701e525360051748fe017a2044ce tcpdump-3.9.6.ebuild 1962 -MISC ChangeLog 12944 RMD160 bd19bc33838637247135eab71d8fbe33807d09a0 SHA1 3810ad70519e6dc028373755d095ea74440be74b SHA256 eab472d9880aefb267a8fe1418e87595865edda590343643d3c09146b6aff9a0 -MD5 41516e6fe94ab5c3cdcd8c1a179987a0 ChangeLog 12944 -RMD160 bd19bc33838637247135eab71d8fbe33807d09a0 ChangeLog 12944 -SHA256 eab472d9880aefb267a8fe1418e87595865edda590343643d3c09146b6aff9a0 ChangeLog 12944 +MISC ChangeLog 13341 RMD160 c60e96dbf13721898c616ce2a9fc60458bcdc4c8 SHA1 27d40eaa2f9162b6fe97f4b1793f87a26001f946 SHA256 82e66f1af175fac3a52de0833690399dfa0d8ef9a04572ec24adeb2c524ecd1c +MD5 9c9e04a519501a8f5df89873a87ecf22 ChangeLog 13341 +RMD160 c60e96dbf13721898c616ce2a9fc60458bcdc4c8 ChangeLog 13341 +SHA256 82e66f1af175fac3a52de0833690399dfa0d8ef9a04572ec24adeb2c524ecd1c ChangeLog 13341 MISC metadata.xml 268 RMD160 896e1ec3be866fe1d515b55473f0ac763b9f8a12 SHA1 
9a77e6e1b7e0c4469583dc9d9a20065d6ac74ab6 SHA256 01030866e2f7de584ec505f71cfbfbbb48f8a790a0ea50a3da1974b74423f827 MD5 1465cdeb961745379a8ae1402b3e51ab metadata.xml 268 RMD160 896e1ec3be866fe1d515b55473f0ac763b9f8a12 metadata.xml 268 @@ -35,6 +47,12 @@ SHA256 01030866e2f7de584ec505f71cfbfbbb48f8a790a0ea50a3da1974b74423f827 metadata MD5 529ef132e81950340671aa911a76e183 files/digest-tcpdump-3.9.5-r2 241 RMD160 eb77d5212d7f489fa7ff696bfb37f6bb534a5ab9 files/digest-tcpdump-3.9.5-r2 241 SHA256 e7b50f54579db8c825c28d89b19081abf1c5407bd89276f47b03ada1968e085e files/digest-tcpdump-3.9.5-r2 241 +MD5 529ef132e81950340671aa911a76e183 files/digest-tcpdump-3.9.5-r3 241 +RMD160 eb77d5212d7f489fa7ff696bfb37f6bb534a5ab9 files/digest-tcpdump-3.9.5-r3 241 +SHA256 e7b50f54579db8c825c28d89b19081abf1c5407bd89276f47b03ada1968e085e files/digest-tcpdump-3.9.5-r3 241 MD5 32d5d11bfd7605409e0c5c40d704f64c files/digest-tcpdump-3.9.6 241 RMD160 c0864c48cd0c35444a17acf543f82c73d2d29e8e files/digest-tcpdump-3.9.6 241 SHA256 145158cc8bac01f84806a47217b1b318750977d71387d055a6a7a6e4b03b6fdd files/digest-tcpdump-3.9.6 241 +MD5 32d5d11bfd7605409e0c5c40d704f64c files/digest-tcpdump-3.9.6-r1 241 +RMD160 c0864c48cd0c35444a17acf543f82c73d2d29e8e files/digest-tcpdump-3.9.6-r1 241 +SHA256 145158cc8bac01f84806a47217b1b318750977d71387d055a6a7a6e4b03b6fdd files/digest-tcpdump-3.9.6-r1 241 diff --git a/net-analyzer/tcpdump/files/digest-tcpdump-3.9.5-r3 b/net-analyzer/tcpdump/files/digest-tcpdump-3.9.5-r3 new file mode 100644 index 000000000000..c7b2ab6bf4ef --- /dev/null +++ b/net-analyzer/tcpdump/files/digest-tcpdump-3.9.5-r3 @@ -0,0 +1,3 @@ +MD5 2135e7b1f09af0eaf66d2af822bed44a tcpdump-3.9.5.tar.gz 712411 +RMD160 e0409ad55deda1b2a74950522720610c6c94d771 tcpdump-3.9.5.tar.gz 712411 +SHA256 6a1617253f12bf2ac440eeb8709baeb907c6b801442bf2229a6bb84489cf38f4 tcpdump-3.9.5.tar.gz 712411 
diff --git a/net-analyzer/tcpdump/files/digest-tcpdump-3.9.6-r1 b/net-analyzer/tcpdump/files/digest-tcpdump-3.9.6-r1
new file mode 100644
index 000000000000..ce08b07ecc8b
--- /dev/null
+++ b/net-analyzer/tcpdump/files/digest-tcpdump-3.9.6-r1
@@ -0,0 +1,3 @@
+MD5 f564e46e595603ce908b54074e3709d3 tcpdump-3.9.6.tar.gz 712992
+RMD160 9b098d50ab381ab8cc7d59a96a9acc41b570d929 tcpdump-3.9.6.tar.gz 712992
+SHA256 242b27388ada00d0c40097cef0d56ac5bdbb0a5d81dffb480cdd91b109e10d8d tcpdump-3.9.6.tar.gz 712992
diff --git a/net-analyzer/tcpdump/files/tcpdump-3.9.6-bgp-integer-overflow.patch b/net-analyzer/tcpdump/files/tcpdump-3.9.6-bgp-integer-overflow.patch
new file mode 100644
index 000000000000..76cd330c0aa3
--- /dev/null
+++ b/net-analyzer/tcpdump/files/tcpdump-3.9.6-bgp-integer-overflow.patch
@@ -0,0 +1,21 @@
+diff -Nuar tcpdump-3.9.5.orig/print-bgp.c tcpdump-3.9.5/print-bgp.c
+--- tcpdump-3.9.5.orig/print-bgp.c 2007-07-10 17:16:02.000000000 +0400
++++ tcpdump-3.9.5/print-bgp.c 2007-07-10 17:16:45.000000000 +0400
+@@ -669,7 +669,7 @@
+ tlen-=15;
+
+ /* ok now the variable part - lets read out TLVs*/
+- while (tlen>0) {
++ while (tlen>0 && strlen <= buflen) {
+ if (tlen < 3)
+ return -1;
+ TCHECK2(pptr[0], 3);
+@@ -684,7 +684,7 @@
+ tlv_type,
+ tlv_len);
+ ttlv_len=ttlv_len/8+1; /* how many bytes do we need to read ? */
+- while (ttlv_len>0) {
++ while (ttlv_len>0 && strlen <= buflen) {
+ TCHECK(pptr[0]);
+ strlen+=snprintf(buf+strlen,buflen-strlen, "%02x",*pptr++);
+ ttlv_len--;
diff --git a/net-analyzer/tcpdump/tcpdump-3.9.5-r3.ebuild b/net-analyzer/tcpdump/tcpdump-3.9.5-r3.ebuild
new file mode 100644
index 000000000000..5c7e8f559f82
--- /dev/null
+++ b/net-analyzer/tcpdump/tcpdump-3.9.5-r3.ebuild
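Review bot: The added `strlen <= buflen` tests are evaluated only when each `while` condition is re-checked, so the `snprintf` whose arguments end at `tlv_type, tlv_len);` and the one in the inner loop can still leave `strlen` larger than `buflen` on exit. The loops stop, but any later `buf+strlen` / `buflen-strlen` use in the function (outside this hunk, so unverified here) would see an out-of-range offset and, if the subtraction is unsigned, a wrapped size. Clamping directly after each write, e.g. `if (strlen > buflen) strlen = buflen;`, keeps the invariant local instead of relying on the loop headers. The enclosing function starts and ends outside the hunk, and the types of `strlen` and `buflen` are not visible, so this should be confirmed against print-bgp.c.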
@@ -0,0 +1,86 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/tcpdump-3.9.5-r3.ebuild,v 1.1 2007/07/10 13:41:14 pva Exp $
+
+inherit flag-o-matic toolchain-funcs eutils
+
+DESCRIPTION="A Tool for network monitoring and data acquisition"
+HOMEPAGE="http://www.tcpdump.org/"
+SRC_URI="http://www.tcpdump.org/release/${P}.tar.gz
+ http://www.jp.tcpdump.org/release/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="ssl ipv6 samba"
+
+DEPEND="net-libs/libpcap
+ ssl? ( >=dev-libs/openssl-0.9.6m )"
+
+pkg_setup() {
+ if use samba ; then
+ ewarn
+ ewarn "CAUTION !!! CAUTION !!! CAUTION"
+ ewarn
+ ewarn "You're about to compile tcpdump with samba printing support"
+ ewarn "Upstream tags it as 'possibly-buggy SMB printer'"
+ ewarn "So think twice whether this is fine with you"
+ ewarn
+ ewarn "CAUTION !!! CAUTION !!! CAUTION"
+ ewarn
+ ewarn "(Giving you 10 secs to think about it)"
+ ewarn
+ ebeep 5
+ epause 5
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ # bug 168916 - off-by-one heap overflow in 802.11 printer
+ epatch "${FILESDIR}"/${P}-print-802_11.c.diff
+
+ # bug #184815 - <= 3.9.6 BGP dissector integer overflow
+ epatch "${FILESDIR}"/tcpdump-3.9.6-bgp-integer-overflow.patch
+}
+
+src_compile() {
+ # tcpdump needs some optymalization. see bug #108391
+ ( ! is-flag -O? || is-flag -O0 ) && append-flags -O
+
+ replace-flags -O[3-9] -O2
+ filter-flags -finline-functions
+
+ # Fix wrt bug #48747
+ if [[ $(gcc-major-version) -gt 3 ]] || \
+ [[ $(gcc-major-version) -eq 3 && $(gcc-minor-version) -ge 4 ]]
+ then
+ filter-flags -funit-at-a-time
+ append-flags -fno-unit-at-a-time
+ fi
+
+ local myconf
+ if ! use ssl ; then
+ myconf="--without-crypto"
+ fi
+
+ econf --with-user=tcpdump \
+ $(use_enable ipv6) \
+ $(use_enable samba smb) \
+ ${myconf} || die "configure failed"
+
+ make CCOPT="$CFLAGS" || die "make failed"
+}
+
+pkg_preinst() {
+ enewgroup tcpdump || die "Failed to add group tcpdump"
+ enewuser tcpdump -1 -1 -1 tcpdump || die "Failed to add user tcpdump"
+}
+
+src_install() {
+ dosbin tcpdump || die
+ doman tcpdump.1
+ dodoc *.awk
+ dodoc README FILES VERSION CHANGES
+}
diff --git a/net-analyzer/tcpdump/tcpdump-3.9.6-r1.ebuild b/net-analyzer/tcpdump/tcpdump-3.9.6-r1.ebuild
new file mode 100644
index 000000000000..2cb415a40883
--- /dev/null
+++ b/net-analyzer/tcpdump/tcpdump-3.9.6-r1.ebuild
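Review bot: `econf --with-user=tcpdump` makes every root-started tcpdump switch to the `tcpdump` account, but the ebuild never tells the administrator, so capture files or directories that were previously written as root may become unwritable after the upgrade. A `pkg_postinst` carrying one line such as `elog "tcpdump now drops root privileges to user 'tcpdump' by default; see -Z in tcpdump(1)"` would document the new default. In `src_compile`, `make CCOPT="$CFLAGS" || die "make failed"` would normally be `emake CCOPT="${CFLAGS}" || die "make failed"` so that MAKEOPTS is honoured. Both remarks apply equally to tcpdump-3.9.6-r1.ebuild, which repeats these lines.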
@@ -0,0 +1,86 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/tcpdump-3.9.6-r1.ebuild,v 1.1 2007/07/10 13:41:14 pva Exp $
+
+inherit flag-o-matic toolchain-funcs eutils
+
+DESCRIPTION="A Tool for network monitoring and data acquisition"
+HOMEPAGE="http://www.tcpdump.org/"
+SRC_URI="http://www.tcpdump.org/release/${P}.tar.gz
+ http://www.jp.tcpdump.org/release/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="ssl ipv6 samba"
+
+DEPEND="net-libs/libpcap
+ ssl? ( >=dev-libs/openssl-0.9.6m )"
+
+pkg_setup() {
+ if use samba ; then
+ ewarn
+ ewarn "CAUTION !!! CAUTION !!! CAUTION"
+ ewarn
+ ewarn "You're about to compile tcpdump with samba printing support"
+ ewarn "Upstream tags it as 'possibly-buggy SMB printer'"
+ ewarn "So think twice whether this is fine with you"
+ ewarn
+ ewarn "CAUTION !!! CAUTION !!! CAUTION"
+ ewarn
+ ewarn "(Giving you 10 secs to think about it)"
+ ewarn
+ ebeep 5
+ epause 5
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ # bug 168916 - off-by-one heap overflow in 802.11 printer
+ epatch "${FILESDIR}"/${PN}-3.9.5-print-802_11.c.diff
+
+ # bug #184815 - <= 3.9.6 BGP dissector integer overflow
+ epatch "${FILESDIR}"/${P}-bgp-integer-overflow.patch
+}
+
+src_compile() {
+ # tcpdump needs some optymalization. see bug #108391
+ ( ! is-flag -O? || is-flag -O0 ) && append-flags -O
+
+ replace-flags -O[3-9] -O2
+ filter-flags -finline-functions
+
+ # Fix wrt bug #48747
+ if [[ $(gcc-major-version) -gt 3 ]] || \
+ [[ $(gcc-major-version) -eq 3 && $(gcc-minor-version) -ge 4 ]]
+ then
+ filter-flags -funit-at-a-time
+ append-flags -fno-unit-at-a-time
+ fi
+
+ local myconf
+ if ! use ssl ; then
+ myconf="--without-crypto"
+ fi
+
+ econf --with-user=tcpdump \
+ $(use_enable ipv6) \
+ $(use_enable samba smb) \
+ ${myconf} || die "configure failed"
+
+ make CCOPT="$CFLAGS" || die "make failed"
+}
+
+pkg_preinst() {
+ enewgroup tcpdump || die "Failed to add group tcpdump"
+ enewuser tcpdump -1 -1 -1 tcpdump || die "Failed to add user tcpdump"
+}
+
+src_install() {
+ dosbin tcpdump
+ doman tcpdump.1
+ dodoc *.awk
+ dodoc README FILES VERSION CHANGES CREDITS TODO
+}
|
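Review bot: `dosbin tcpdump` in `src_install` is unchecked here, while tcpdump-3.9.5-r3.ebuild in the same commit uses `dosbin tcpdump || die`; if installing the binary fails, the merge of this security revision would carry on without reporting it. Suggested line: `dosbin tcpdump || die "dosbin failed"`. It would also help to add a comment above `epatch "${FILESDIR}"/${PN}-3.9.5-print-802_11.c.diff` stating that the 3.9.5-named fix is still required on the 3.9.6 sources, since the file name alone suggests otherwise.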