authorLeo <thinkabit.ukim@gmail.com>2019-11-20 15:04:05 +0100
committerLeo <thinkabit.ukim@gmail.com>2019-11-20 15:04:10 +0100
commit34eaff89c07f1ff54a178e533eea071a315e1af8 (patch)
treeea4ec8119171a5f57f2ed43ab3894ffff45f1698
parent1c4658e647d8946733688266ebe9784f71859fb6 (diff)
main/nfdump: fix a few CVEs
ref #10815
-rw-r--r--main/nfdump/APKBUILD25
-rw-r--r--main/nfdump/CVE-2019-1010057.patch64
-rw-r--r--main/nfdump/CVE-2019-14459.patch27
3 files changed, 102 insertions, 14 deletions
diff --git a/main/nfdump/APKBUILD b/main/nfdump/APKBUILD
index cf588cf6445..d33510b1291 100644
--- a/main/nfdump/APKBUILD
+++ b/main/nfdump/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nfdump
pkgver=1.6.15
-pkgrel=0
+pkgrel=1
pkgdesc="The nfdump tools collect and process netflow data on the command line."
url="http://nfdump.sourceforge.net/"
arch="all"
@@ -18,8 +18,15 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/phaag/nfdump/archive/v$pkgve
nfcapd.initd
sfcapd.confd
sfcapd.initd
+ CVE-2019-1010057.patch
+ CVE-2019-14459.patch
"
+# secfixes
+# 1.6.15-r1:
+# - CVE-2019-1010057
+# - CVE-2019-14459
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
local i
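Review bot: The added block header reads `# secfixes` with no trailing colon, and Alpine's secfixes tooling, as far as I know, reads these comments as YAML keyed on `# secfixes:`. Without the colon the two CVE entries may not be picked up by the security database, so scanners consuming it could keep reporting 1.6.15-r1 as affected. Suggest `# secfixes:` followed by the indented `#   1.6.15-r1:` and `#     - CVE-2019-1010057` / `#     - CVE-2019-14459` lines; the indentation itself cannot be judged from this rendering.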
@@ -73,21 +80,11 @@ sfcapd() {
"$subpkgdir"/etc/init.d/sfcapd
}
-md5sums="6f52c01099a2a74e451ebfb17bf92da8 nfdump-1.6.15.tar.gz
-e7f9467142159da5ebbb4aa858aae142 fix-64bit-fts-compat.patch
-541c45b9ac0e85ac955dd58919972b18 nfcapd.confd
-a82001153dbdfa6c4125064fcc7cd090 nfcapd.initd
-443ef11c9b458c12d0efea627742732c sfcapd.confd
-1ac7c20be80b87fc725310747125e081 sfcapd.initd"
-sha256sums="9505c0511d273b9aa3f87a5e664425689a3c7370c6ae3bbc05ff4bdb41bfd457 nfdump-1.6.15.tar.gz
-8ffd9160bb5cb639cec08ac68be5cbd33ef918e41630d02c18a75e03881cb5a9 fix-64bit-fts-compat.patch
-7cb26698b26f5cd6c9c6cb2b49bb7be3cc0faffe851c5ac5c78e0a41984a276f nfcapd.confd
-33c3b5c42655410661f1019e3b8bccb8b875400861a945a7dd784f80520f8a97 nfcapd.initd
-4559669b23534a7bec9cc9d342e7abd55316393ccb4dc57e9b335ac27bdf920c sfcapd.confd
-4fd63dee5323ce4116fffffa7573bb6a0f781d36867204e7d3670c182a078c56 sfcapd.initd"
sha512sums="a6bb4f2293ad85d8f16025e7272b889d3814cea2e9255dbd315ee92754675e4ee925c3ebe4e1350f2d5452d69d1d3c13ddeb656324a409c4744da1d4927fe1f2 nfdump-1.6.15.tar.gz
71a838d493658a3a8479bc9eca70a857fd8629937d4954d21c1d5453d6cc122c089f72e3e109425c902439ee8cfaa273b4089ac347d1fe926473ce6062b7c49a fix-64bit-fts-compat.patch
fcb467f819f2b73ac0e13de6de4d6c94cafd3866a7a56685d5d4a048fa975135299655e896ff8370c8c5061d03ab38644623f8be455c08dfe5f630f152820148 nfcapd.confd
97e432e884dd1cc8f27c2d7398bb0320164d46dea06c64ad72fa385d190998b3d62356634962f42652daf6e31f237baa2f3f3efad47c3fc38cc6bea799db61cc nfcapd.initd
abe594a95a9320bec1d6ee6af6b75cd4d176526d4b10d07aa7ed79fc292b51c341339ba8e1e468df9ec2aae138b1dd66e3a291921938217835ac33819da9d153 sfcapd.confd
-7a65c80186a8708a27e90a7239d1b44ee919c3bbf8cd1ca07ef5d35a623d0dce5eac516b65ba7a98c5fcfab5bad6c15e1f03af38a06eb6280afd1c1f0f52cee4 sfcapd.initd"
+7a65c80186a8708a27e90a7239d1b44ee919c3bbf8cd1ca07ef5d35a623d0dce5eac516b65ba7a98c5fcfab5bad6c15e1f03af38a06eb6280afd1c1f0f52cee4 sfcapd.initd
+c57441c5ec04c9b57ae65816731f0960459ab317ca579f2fcc85d5f0f76009e9f01462191e2ca6d3c79adbdf0c6e57633ae67c9f9eb65ef3063385e992ccfba6 CVE-2019-1010057.patch
+6964077020f2273cdb80a6ed72f001c3f5e7241c412681f59e0dd0a2d629d5d549e52e474401e7c7906cff3176440c5d5c419b87c36fa87107f70f45944dc105 CVE-2019-14459.patch"
diff --git a/main/nfdump/CVE-2019-1010057.patch b/main/nfdump/CVE-2019-1010057.patch
new file mode 100644
index 00000000000..3a7ae479108
--- /dev/null
+++ b/main/nfdump/CVE-2019-1010057.patch
@@ -0,0 +1,64 @@
+diff --git a/bin/nfdump.c b/bin/nfdump.c
+index ba8d92f..9f653f8 100644
+--- a/bin/nfdump.c
++++ b/bin/nfdump.c
+@@ -559,7 +559,10 @@ int v1_map_done = 0;
+ exit(255);
+ }
+ }
+- ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer);
++ if ( !ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer) ) {
++ LogError("Corrupt data file. Unable to decode at %s line %d\n", __FILE__, __LINE__);
++ exit(255);
++ }
+ flow_record = (common_record_t *)ConvertBuffer;
+ dbg_printf("Converted type %u to %u record\n", CommonRecordV0Type, CommonRecordType);
+ case CommonRecordType: {
+diff --git a/bin/nffile_inline.c b/bin/nffile_inline.c
+index 58225aa..4a9ca25 100755
+--- a/bin/nffile_inline.c
++++ b/bin/nffile_inline.c
+@@ -49,7 +49,7 @@ static inline void AppendToBuffer(nffile_t *nffile, void *record, size_t require
+
+ static inline void CopyV6IP(uint32_t *dst, uint32_t *src);
+
+-static inline void ConvertCommonV0(void *record, common_record_t *flow_record);
++static inline int ConvertCommonV0(void *record, common_record_t *flow_record);
+
+ static inline void ExpandRecord_v2(common_record_t *input_record, extension_info_t *extension_info, exporter_info_record_t *exporter_info, master_record_t *output_record );
+
+@@ -88,11 +88,13 @@ static inline void CopyV6IP(uint32_t *dst, uint32_t *src) {
+ dst[3] = src[3];
+ } // End of CopyV6IP
+
+-static inline void ConvertCommonV0(void *record, common_record_t *flow_record) {
++static inline int ConvertCommonV0(void *record, common_record_t *flow_record) {
+ common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
+
+ // copy v0 common record
+ memcpy((void *)flow_record, record, COMMON_RECORDV0_DATA_SIZE);
++ if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE )
++ return 0;
+ memcpy((void *)flow_record->data, (void *)flow_record_v0->data, flow_record_v0->size - COMMON_RECORDV0_DATA_SIZE);
+
+ // fix record differences
+@@ -102,6 +104,7 @@ common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
+ flow_record->exporter_sysid = flow_record_v0->exporter_sysid;
+ flow_record->reserved = 0;
+
++ return 1;
+ } // End of ConvertCommonV0
+
+ /*
+diff --git a/bin/nfx.c b/bin/nfx.c
+index fa84afe..ceea74e 100755
+--- a/bin/nfx.c
++++ b/bin/nfx.c
+@@ -542,6 +542,7 @@ int i, extension_size, max_elements;
+ int id = map->ex_id[i];
+ if ( id > Max_num_extensions ) {
+ printf("PANIC! - Verify map id %i: ERROR: element id %i out of range [%i]!\n", map->map_id, id, Max_num_extensions);
++ exit(255);
+ }
+ extension_size += extension_descriptor[id].size;
+ i++;
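Review bot: The new guard in ConvertCommonV0 (`if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE ) return 0;`) stops the length subtraction from wrapping, but the memcpy after it still takes its length from the record's own `size` field with no upper bound. Nothing in the hunk shows `size` being checked against the bytes remaining in the input block or against the capacity of ConvertBuffer, so a malformed file could presumably still cause an out-of-bounds read or write; confirm the caller bounds it, or add that comparison next to the new check. The guard also sits after the first fixed-size memcpy and rejects `size == COMMON_RECORDV0_DATA_SIZE`, which may be a legitimate record with no extension data. A short contract comment on the function, e.g. `/* returns 1 on success, 0 if the v0 record size is invalid */`, would help the caller in nfdump.c. The bodies of the patched functions start and end outside the quoted hunks.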
diff --git a/main/nfdump/CVE-2019-14459.patch b/main/nfdump/CVE-2019-14459.patch
new file mode 100644
index 00000000000..6e10f0dcbe1
--- /dev/null
+++ b/main/nfdump/CVE-2019-14459.patch
@@ -0,0 +1,27 @@
+diff --git a/bin/ipfix.c b/bin/ipfix.c
+index f998b72..604fe25 100644
+--- a/bin/ipfix.c
++++ b/bin/ipfix.c
+@@ -1067,6 +1067,13 @@ ipfix_template_record_t *ipfix_template_record;
+ while ( size_left ) {
+ uint32_t id, count;
+
++ if ( size_left < 4 ) {
++ LogError("Process_ipfix [%u] Template withdraw size error at %s line %u" ,
++ exporter->info.id, __FILE__, __LINE__, strerror (errno));
++ size_left = 0;
++ continue;
++ }
++
+ // map next record.
+ ipfix_template_record = (ipfix_template_record_t *)DataPtr;
+ size_left -= 4;
+@@ -1146,7 +1153,7 @@ uint16_t offset_std_sampler_interval, offset_std_sampler_algorithm, found_std_sa
+ uint16_t id, length;
+ int Enterprise;
+
+- if ( size_left && size_left < 4 ) {
++ if ( size_left < 4 ) {
+ LogError("Process_ipfix [%u] Template size error at %s line %u" ,
+ exporter->info.id, __FILE__, __LINE__, strerror (errno));
+ return;
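Review bot: The added LogError call in the template-withdraw loop passes four arguments (`exporter->info.id, __FILE__, __LINE__, strerror (errno)`) to a format string with only three conversions, so the `strerror (errno)` value is never printed, and errno is not set by a length check in any case. The same call shape is already present in the second hunk's unchanged context lines. Suggest dropping the extra argument: `exporter->info.id, __FILE__, __LINE__);`. Separately, `size_left` is declared outside the hunk; if it is unsigned, any later subtraction driven by template field counts needs a guard like this one, which is worth confirming. Both function bodies extend beyond the hunks shown.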