From security-advisories@freebsd.org Thu Jun 9 15:48:29 2005 From: FreeBSD Security Advisories To: Bugtraq Date: Thu, 9 Jun 2005 10:30:12 GMT Subject: FreeBSD Security Advisory FreeBSD-SA-05:10.tcpdump -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:10.tcpdump Security Advisory The FreeBSD Project Topic: Infinite loops in tcpdump protocol decoding Category: contrib Module: tcpdump Announced: 2005-06-09 Credits: "Vade 79", Simon L. Nielsen Affects: FreeBSD 5.3-RELEASE and FreeBSD 5.4-RELEASE Corrected: 2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE) 2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2) 2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16) CVE Name: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The tcpdump utility is used to capture and examine network traffic. II. Problem Description Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops. III. Impact An attacker can inject specially crafted packets into the network which, when processed by tcpdump, could lead to a denial-of-service. After the attack, tcpdump would no longer capture traffic, and would potentially use all available processor time. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.3 and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:10/tcpdump.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:10/tcpdump.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/tcpdump/tcpdump # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/contrib/tcpdump/print-bgp.c 1.1.1.5.2.1 src/contrib/tcpdump/print-isoclns.c 1.12.2.1 src/contrib/tcpdump/print-ldp.c 1.1.1.1.2.1 src/contrib/tcpdump/print-rsvp.c 1.1.1.1.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.11 src/sys/conf/newvers.sh 1.62.2.18.2.7 src/contrib/tcpdump/print-bgp.c 1.1.1.5.6.1 src/contrib/tcpdump/print-isoclns.c 1.12.6.1 src/contrib/tcpdump/print-ldp.c 1.1.1.1.6.1 src/contrib/tcpdump/print-rsvp.c 1.1.1.1.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.19 src/sys/conf/newvers.sh 1.62.2.15.2.21 src/contrib/tcpdump/print-bgp.c 1.1.1.5.4.1 src/contrib/tcpdump/print-isoclns.c 1.12.4.1 src/contrib/tcpdump/print-ldp.c 1.1.1.1.4.1 src/contrib/tcpdump/print-rsvp.c 1.1.1.1.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1278 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1279 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1280 http://marc.theaimsgroup.com/?l=bugtraq&m=111454406222040 http://marc.theaimsgroup.com/?l=bugtraq&m=111454461300644 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:10.tcpdump.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCqBbUFdaIBMps37IRAlxdAJ9AsT7o5k1woMpE3DlC+HBebZlLKACfYFjD 0VOBWDzUFdR8IErJEYU2+9w= =1cKJ -----END PGP SIGNATURE-----