Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » SuSE-SA:2002:020-tcpdump/libpcap

SuSE-SA:2002:020-tcpdump/libpcap

by Nikola Strahija on May 29th, 2002 Content of this advisory: 1) security vulnerability resolved: Buffer overflow in tcpdump. problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information)


1) problem description, brief discussion, solution, upgrade information

The tcpdump program may be used to capture and decode network traffic.
Tcpdump decodes certain packets such as AFS requests in a wrong way
resulting in a buffer overflow. Since running tcpdump requires root
privileges this may lead to a root compromise of the system running
tcpdump. We strongly recommend an update for administrators using
tcpdump to monitor their networks since the only safe workaround is to
not use it at all.
Additionally to the fixed tcpdump packages we provide new libpcap
packages. Libpcap on which most network monitoring programs rely also
contained overflows which however are only exploitable by local attackers
if you installed programs using libpcap setuid. This is not found in a
default install.
More information about tcpdump and libpcap may be found at
http://www.tcpdump.org

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

i386 Intel Platform:

SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/tcpdump-3.6.2-300.i386.rpm
f6b5499e4857575fa162ae24cde181c8
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/tcpdump-3.6.2-300.src.rpm
2dd114976f858d0a66c83f409dbf25a0

SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/tcpdump-3.6.2-300.i386.rpm
dc7fba8709f74476ee463e3b7d3d9042
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/tcpdump-3.6.2-300.src.rpm
d2d6a940df5c40e54a6b30e3698458ef

SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/tcpdump-3.4a6-376.i386.rpm
601bc08d351e8100767bbfd502efd44b
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/tcpdump-3.4a6-376.src.rpm
af87a4ad56fc853800c6af5982899f18

SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/tcpdump-3.4a6-375.i386.rpm
a3251d65bfa05948ce3796ac9e5fdf5b
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/tcpdump-3.4a6-375.src.rpm
84ba69db15e1ff569cf674f7d61428f1

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/tcpdump-3.4a6-374.i386.rpm
63d57b2062a91d5fabeb43a5543d245e
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/tcpdump-3.4a6-374.src.rpm
204195b01bc25f84209029bed0eb00cd

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/tcpdump-3.4a6-372.i386.rpm
ebb48c115355dc4ba1f45b1f8c36f9aa
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tcpdump-3.4a6-372.src.rpm
d2087aea083c4f6b93a518eee00c979e


Sparc Platform:

SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/tcpdump-3.6.2-58.sparc.rpm
bb422a4c2d025d3b8a805345a200576a
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/tcpdump-3.6.2-58.src.rpm
e0f85bd701865ca1f3d0923d1b9eb24c

SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n1/tcpdump-3.4a6-318.sparc.rpm
eaf6237823690fe4cb72df39b2b75a5f
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/tcpdump-3.4a6-318.src.rpm
458f7aaa2ed33606007d345d371bf8c4

SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/tcpdump-3.4a6-318.sparc.rpm
6137a3ecadd2bfd95b51039fef52187b
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/tcpdump-3.4a6-318.src.rpm
0227535bdc5f7bd6980e77737cc6182c


AXP Alpha Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n1/tcpdump-3.4a6-329.alpha.rpm
614dfa16b71456692bc1d92b9db0998b
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/tcpdump-3.4a6-329.src.rpm
e5a05bdbe3d5a29f0840c488e703268b

SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/tcpdump-3.4a6-330.alpha.rpm
0f1fbdfdcf8f4e1a90424df1b3ad05bc
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/tcpdump-3.4a6-330.src.rpm
d48289b8926c3fa7602b6ad026ae4130

SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/tcpdump-3.4a6-330.alpha.rpm
bf9ef22920ff73802e3b02005476527b
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tcpdump-3.4a6-330.src.rpm
1fa595c3febfc97f45642faffdd1dfb1


PPC Power PC Platform:

SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/tcpdump-3.6.2-189.ppc.rpm
303f6a00defddc3b8a3be1ab386021cf
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/tcpdump-3.6.2-189.src.rpm
552355e0f15582d47d64fd3a97542cf3

SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/tcpdump-3.4a6-317.ppc.rpm
4dd468ba517be7c7f52a8b2ac7c2beb0
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/tcpdump-3.4a6-317.src.rpm
69be109e360246794c66ed55e199ee95

SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/tcpdump-3.4a6-316.ppc.rpm
1b51e5529fa559d8453588f09d9b8585
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/tcpdump-3.4a6-316.src.rpm
20d1da2b898a483df771809747851967

SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/tcpdump-3.4a6-315.ppc.rpm
97cd7574108f3fcb9f52a7213d626481
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tcpdump-3.4a6-315.src.rpm
67c63c89e26c2a17df6fef3585f41481


______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- Perl-Digest-MD5
The Perl Digest-MD5 module fails to handle utf8 characters properly
and thus calculates wrong hash sums for certain input. New packages
are already available on our ftp servers.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key [email protected]),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig
to verify the signature of the package, where is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg .

[email protected]
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
.

For general information or the frequently asked questions (faq)
send mail to:
or
respectively.

=====================================================================
SuSE's security contact is or .
The public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »