-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:29 Security Advisory The FreeBSD Project Topic: Buffer overflow in tcpdump when handling NFS packets Category: contrib Module: tcpdump Announced: 2002-07-12 Credits: dwmw2@redhat.com Affects: All releases prior to and including 4.6-RELEASE FreeBSD 4.6-STABLE prior to the correction date Corrected: 2002-07-05 13:24:57 UTC (RELENG_4) 2002-07-12 13:29:47 UTC (RELENG_4_6) 2002-07-12 13:31:10 UTC (RELENG_4_5) 2002-07-12 13:31:44 UTC (RELENG_4_4) FreeBSD only: NO I. Background The tcpdump utility is used to capture and examining network traffic. II. Problem Description Versions of tcpdump up to and including 3.7.1 contain a buffer overflow that may be triggered by badly formed NFS packets, and possibly other types of packets. III. Impact It is not currently known whether this buffer overflow is exploitable. If it were, an attacker could inject specially crafted packets into the network which, when processed by tcpdump, could lead to arbitrary code execution with the privileges of the user running tcpdump (typically `root'). IV. Workaround There is no workaround, other than not using tcpdump. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6-RELEASE-p2, 4.5-RELEASE-p8, or 4.4-RELEASE-p15). 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:29/tcpdump.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:29/tcpdump.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/tcpdump # make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/contrib/tcpdump/interface.h RELENG_4 1.4.2.3 RELENG_4_6 1.4.2.1.6.1 RELENG_4_5 1.4.2.1.4.1 RELENG_4_4 1.4.2.1.2.1 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPS8+yFUuHi5z0oilAQGEaAQApQpuobpvrYILjiJh9Zvfnupop9aDuQ/G 9RvnGVv0ZXrKtD8aRiP3JrjouGvZm9WLqXsXlnf0wmTXdWWg5ibjuJK/gDtdiqjA iuZvq5Rx+IKD33pZpAocg74zIv3nDYv1S+3ndJXtYcSFw7EnC4QHu3mFrZK81RcQ 6LpcUuxVTl8= =hQ/2 -----END PGP SIGNATURE-----