openSUSE Security Update : tcpdump / libpcap (openSUSE-2017-557)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for tcpdump to version 4.9.0 and libpcap to version 1.8.1
fixes several issues.

These security issues were fixed in tcpdump :

- CVE-2016-7922: The AH parser in tcpdump had a buffer
overflow in print-ah.c:ah_print() (bsc#1020940).

- CVE-2016-7923: The ARP parser in tcpdump had a buffer
overflow in print-arp.c:arp_print() (bsc#1020940).

- CVE-2016-7924: The ATM parser in tcpdump had a buffer
overflow in print-atm.c:oam_print() (bsc#1020940).

- CVE-2016-7925: The compressed SLIP parser in tcpdump had
a buffer overflow in print-sl.c:sl_if_print()
(bsc#1020940).

- CVE-2016-7926: The Ethernet parser in tcpdump had a
buffer overflow in print-ether.c:ethertype_print()
(bsc#1020940).

- CVE-2016-7927: The IEEE 802.11 parser in tcpdump had a
buffer overflow in
print-802_11.c:ieee802_11_radio_print() (bsc#1020940).

- CVE-2016-7928: The IPComp parser in tcpdump had a buffer
overflow in print-ipcomp.c:ipcomp_print() (bsc#1020940).

- CVE-2016-7929: The Juniper PPPoE ATM parser in tcpdump
had a buffer overflow in
print-juniper.c:juniper_parse_header() (bsc#1020940).

- CVE-2016-7930: The LLC/SNAP parser in tcpdump had a
buffer overflow in print-llc.c:llc_print()
(bsc#1020940).

- CVE-2016-7931: The MPLS parser in tcpdump had a buffer
overflow in print-mpls.c:mpls_print() (bsc#1020940).

- CVE-2016-7932: The PIM parser in tcpdump had a buffer
overflow in print-pim.c:pimv2_check_checksum()
(bsc#1020940).

- CVE-2016-7933: The PPP parser in tcpdump had a buffer
overflow in print-ppp.c:ppp_hdlc_if_print()
(bsc#1020940).

- CVE-2016-7934: The RTCP parser in tcpdump had a buffer
overflow in print-udp.c:rtcp_print() (bsc#1020940).

- CVE-2016-7935: The RTP parser in tcpdump had a buffer
overflow in print-udp.c:rtp_print() (bsc#1020940).

- CVE-2016-7936: The UDP parser in tcpdump had a buffer
overflow in print-udp.c:udp_print() (bsc#1020940).

- CVE-2016-7937: The VAT parser in tcpdump had a buffer
overflow in print-udp.c:vat_print() (bsc#1020940).

- CVE-2016-7938: The ZeroMQ parser in tcpdump had an
integer overflow in print-zeromq.c:zmtp1_print_frame()
(bsc#1020940).

- CVE-2016-7939: The GRE parser in tcpdump had a buffer
overflow in print-gre.c, multiple functions
(bsc#1020940).

- CVE-2016-7940: The STP parser in tcpdump had a buffer
overflow in print-stp.c, multiple functions
(bsc#1020940).

- CVE-2016-7973: The AppleTalk parser in tcpdump had a
buffer overflow in print-atalk.c, multiple functions
(bsc#1020940).

- CVE-2016-7974: The IP parser in tcpdump had a buffer
overflow in print-ip.c, multiple functions
(bsc#1020940).

- CVE-2016-7975: The TCP parser in tcpdump had a buffer
overflow in print-tcp.c:tcp_print() (bsc#1020940).

- CVE-2016-7983: The BOOTP parser in tcpdump had a buffer
overflow in print-bootp.c:bootp_print() (bsc#1020940).

- CVE-2016-7984: The TFTP parser in tcpdump had a buffer
overflow in print-tftp.c:tftp_print() (bsc#1020940).

- CVE-2016-7985: The CALM FAST parser in tcpdump had a
buffer overflow in print-calm-fast.c:calm_fast_print()
(bsc#1020940).

- CVE-2016-7986: The GeoNetworking parser in tcpdump had a
buffer overflow in print-geonet.c, multiple functions
(bsc#1020940).

- CVE-2016-7992: The Classical IP over ATM parser in
tcpdump had a buffer overflow in
print-cip.c:cip_if_print() (bsc#1020940).

- CVE-2016-7993: A bug in util-print.c:relts_print() in
tcpdump could cause a buffer overflow in multiple
protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight
resolver protocol, PIM) (bsc#1020940).

- CVE-2016-8574: The FRF.15 parser in tcpdump had a buffer
overflow in print-fr.c:frf15_print() (bsc#1020940).

- CVE-2016-8575: The Q.933 parser in tcpdump had a buffer
overflow in print-fr.c:q933_print(), a different
vulnerability than CVE-2017-5482 (bsc#1020940).

- CVE-2017-5202: The ISO CLNS parser in tcpdump had a
buffer overflow in print-isoclns.c:clnp_print()
(bsc#1020940).

- CVE-2017-5203: The BOOTP parser in tcpdump had a buffer
overflow in print-bootp.c:bootp_print() (bsc#1020940).

- CVE-2017-5204: The IPv6 parser in tcpdump had a buffer
overflow in print-ip6.c:ip6_print() (bsc#1020940).

- CVE-2017-5205: The ISAKMP parser in tcpdump had a buffer
overflow in print-isakmp.c:ikev2_e_print()
(bsc#1020940).

- CVE-2017-5341: The OTV parser in tcpdump had a buffer
overflow in print-otv.c:otv_print() (bsc#1020940).

- CVE-2017-5342: In tcpdump a bug in multiple protocol
parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE)
could cause a buffer overflow in
print-ether.c:ether_print() (bsc#1020940).

- CVE-2017-5482: The Q.933 parser in tcpdump had a buffer
overflow in print-fr.c:q933_print(), a different
vulnerability than CVE-2016-8575 (bsc#1020940).

- CVE-2017-5483: The SNMP parser in tcpdump had a buffer
overflow in print-snmp.c:asn1_parse() (bsc#1020940).

- CVE-2017-5484: The ATM parser in tcpdump had a buffer
overflow in print-atm.c:sig_print() (bsc#1020940).

- CVE-2017-5485: The ISO CLNS parser in tcpdump had a
buffer overflow in addrtoname.c:lookup_nsap()
(bsc#1020940).

- CVE-2017-5486: The ISO CLNS parser in tcpdump had a
buffer overflow in print-isoclns.c:clnp_print()
(bsc#1020940).

- CVE-2015-3138: Fixed potential denial of service in
print-wb.c (bsc#927637).

- CVE-2015-0261: Integer signedness error in the
mobility_opt_print function in the IPv6 mobility printer
in tcpdump allowed remote attackers to cause a denial of
service (out-of-bounds read and crash) or possibly
execute arbitrary code via a negative length value
(bsc#922220).

- CVE-2015-2153: The rpki_rtr_pdu_print function in
print-rpki-rtr.c in the TCP printer in tcpdump allowed
remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via a crafted
header length in an RPKI-RTR Protocol Data Unit (PDU)
(bsc#922221).

- CVE-2015-2154: The osi_print_cksum function in
print-isoclns.c in the ethernet printer in tcpdump
allowed remote attackers to cause a denial of service
(out-of-bounds read and crash) via a crafted (1) length,
(2) offset, or (3) base pointer checksum value
(bsc#922222).

- CVE-2015-2155: The force printer in tcpdump allowed
remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via unspecified
vectors (bsc#922223).

- CVE-2014-8767: Integer underflow in the olsr_print
function in tcpdump 3.9.6 when in verbose mode, allowed
remote attackers to cause a denial of service (crash)
via a crafted length value in an OLSR frame
(bsc#905870).

- CVE-2014-8768: Multiple integer underflows in the
geonet_print function in tcpdump when run in verbose
mode, allowed remote attackers to cause a denial of
service (segmentation fault and crash) via a crafted
length value in a Geonet frame (bsc#905871).

- CVE-2014-8769: tcpdump might have allowed remote
attackers to obtain sensitive information from memory or
cause a denial of service (packet loss or segmentation
fault) via a crafted Ad hoc On-Demand Distance Vector
(AODV) packet, which triggers an out-of-bounds memory
access (bsc#905872).

These non-security issues were fixed in tcpdump :

- RPKI to Router Protocol: Fix Segmentation Faults and
other problems

- RPKI to Router Protocol: print strings with fn_printn()

- Added a short option '#', same as long option '--number'

- nflog, mobile, forces, pptp, AODV, AHCP, IPv6, OSPFv4,
RPL, DHCPv6 enhancements/fixes

- M3UA decode added.

- Added bittok2str().

- A number of unaligned access faults fixed

- The -A flag does not consider CR to be printable anymore

- fx.lebail took over coverity baby sitting

- Default snapshot size increased to 256K to accommodate
USB captures

These non-security issues were fixed in libpcap :

- Provide a -devel-static subpackage that contains the
static libraries and all the extra dependencies which
are not needed for dynamic linking.

- Fix handling of packet count in the TPACKET_V3 inner
loop

- Filter out duplicate looped back CAN frames.

- Fix the handling of loopback filters for IPv6 packets.

- Add a link-layer header type for RDS (IEC 62106) groups.

- Handle all CAN captures with pcap-linux.c, in cooked
mode.

- Removes the need for the 'host-endian' link-layer header
type.

- Have separate DLTs for big-endian and host-endian
SocketCAN headers.

- Properly check for sock_recv() errors.

- Re-impose some of Winsock's limitations on sock_recv().

- Replace sprintf() with pcap_snprintf().

- Fix signature of pcap_stats_ex_remote().

- Have rpcap_remoteact_getsock() return a SOCKET and
supply an 'is active' flag.

- Clean up {DAG, Septel, Myricom SNF}-only builds.

- pcap_create_interface() needs the interface name on
Linux.

- Clean up hardware time stamp support: the 'any' device
does not support any time stamp types.

- Recognize 802.1ad nested VLAN tag in vlan filter.

- Support for filtering Geneve encapsulated packets.

- Fix handling of zones for BPF on Solaris

- Added bpf_filter1() with extensions

- EBUSY can now be returned by SNFv3 code.

- Don't crash on filters testing a non-existent link-layer
type field.

- Fix sending in non-blocking mode on Linux with
memory-mapped capture.

- Fix timestamps when reading pcap-ng files on big-endian
machines.

- Fixes for byte order issues with NFLOG captures

- Handle using cooked mode for DLT_NETLINK in
activate_new().

This update was imported from the SUSE:SLE-12:Update update project.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1020940
https://bugzilla.opensuse.org/show_bug.cgi?id=1035686
https://bugzilla.opensuse.org/show_bug.cgi?id=905870
https://bugzilla.opensuse.org/show_bug.cgi?id=905871
https://bugzilla.opensuse.org/show_bug.cgi?id=905872
https://bugzilla.opensuse.org/show_bug.cgi?id=922220
https://bugzilla.opensuse.org/show_bug.cgi?id=922221
https://bugzilla.opensuse.org/show_bug.cgi?id=922222
https://bugzilla.opensuse.org/show_bug.cgi?id=922223
https://bugzilla.opensuse.org/show_bug.cgi?id=927637
https://features.opensuse.org/322955

Solution :

Update the affected tcpdump / libpcap packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)