
Bug#830221: jessie-pu: package tcpreplay/3.4.4-2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

There is a way to trigger a segfault in the tcprewrite program,
part of the tcpreplay package. This has been assigned
CVE-2016-6160, BTS#829350.

The security team has suggested fixing this in a point release; the
debdiff for 3.4.4-2+deb8u1 is attached.

For the record, I'm not the package maintainer but the maintainer has
acknowledged this procedure.

Regards,

    Christoph

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.13 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru tcpreplay-3.4.4/debian/changelog tcpreplay-3.4.4/debian/changelog
--- tcpreplay-3.4.4/debian/changelog	2012-07-07 16:20:40.000000000 +0200
+++ tcpreplay-3.4.4/debian/changelog	2016-07-07 10:54:50.000000000 +0200
@@ -1,3 +1,10 @@
+tcpreplay (3.4.4-2+deb8u1) stable; urgency=low
+
+  * tcprewrite: Handle frames of 65535 octets size, add a
+    size check [CVE-2016-6160]. Closes: #829350 
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Thu, 07 Jul 2016 10:53:56 +0200
+
 tcpreplay (3.4.4-2) unstable; urgency=low
 
   * debian/control fixed lintian error
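Review bot: The new changelog entry says "Handle frames of 65535 octets size, add a size check" but does not mention that MAXPACKET is raised from 65535 to 65549 in src/defines.h.in. Naming the constant and its new value in the entry would let someone reading only the changelog see what actually changed. The "Closes: #829350" line also carries a trailing space.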
diff -Nru tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch
--- tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch	1970-01-01 01:00:00.000000000 +0100
+++ tcpreplay-3.4.4/debian/patches/enforce-maxpacket.patch	2016-07-07 10:54:41.000000000 +0200
@@ -0,0 +1,33 @@
+Subject: tcprewrite: Handle frames of 65535 octets size
+ID: CVE-2016-6160
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: Mon Jun 29 17:08:24 2015 +0200
+Bug-Debian: https://bugs.debian.org/829350
+Last-Update: 2016-07-06
+
+diff --git a/src/defines.h.in b/src/defines.h.in
+index 3a1bf1e..5468d14 100644
+--- a/src/defines.h.in
++++ b/src/defines.h.in
+@@ -104,7 +104,7 @@ typedef struct tcpr_speed_s tcpr_speed_t;
+ #define DEFAULT_MTU 1500        /* Max Transmission Unit of standard ethernet
+                                  * don't forget *frames* are MTU + L2 header! */
+ 
+-#define MAXPACKET 65535         /* was 16436 linux loopback, but maybe something is bigger then 
++#define MAXPACKET 65549         /* was 16436 linux loopback, but maybe something is bigger then 
+                                    linux loopback */
+ 
+ #define MAX_SNAPLEN 65535       /* tell libpcap to capture the entire packet */
+diff --git a/src/tcprewrite.c b/src/tcprewrite.c
+index 90a6f2e..9c32a5e 100644
+--- a/src/tcprewrite.c
++++ b/src/tcprewrite.c
+@@ -253,6 +253,8 @@ rewrite_packets(tcpedit_t *tcpedit, pcap_t *pin, pcap_dumper_t *pout)
+         packetnum++;
+         dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
+ 
++        if (pkthdr.caplen > MAXPACKET)
++            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAXPACKET);
+         /* 
+          * copy over the packet so we can pad it out if necessary and
+          * because pcap_next() returns a const ptr
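Review bot: In the tcprewrite.c part, the new check "if (pkthdr.caplen > MAXPACKET)" reports the value with "%d", but caplen in struct pcap_pkthdr is an unsigned 32-bit field (bpf_u_int32), so a very large caplen from a malformed capture would print as a negative number; use "%u" for caplen. The size of the buffer that the following copy writes into is not visible in this hunk, so the patch header should state that it is MAXPACKET bytes and that the check therefore bounds that copy. In defines.h.in, 65549 is a bare number (65535 + 14) under a comment that still only talks about the Linux loopback; a short comment saying where the extra 14 octets come from would keep a later edit from lowering it again.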
diff -Nru tcpreplay-3.4.4/debian/patches/series tcpreplay-3.4.4/debian/patches/series
--- tcpreplay-3.4.4/debian/patches/series	2012-07-06 23:32:50.000000000 +0200
+++ tcpreplay-3.4.4/debian/patches/series	2015-07-08 00:46:22.000000000 +0200
@@ -1 +1,2 @@
 configure-pcap.patch
+enforce-maxpacket.patch
