From nobody@FreeBSD.org  Wed May  5 22:22:29 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 26C3316A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  5 May 2004 22:22:29 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EE78643D31
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  5 May 2004 22:22:28 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i465MRhb090114
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 5 May 2004 22:22:27 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i465MR3f090113;
	Wed, 5 May 2004 22:22:27 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200405060522.i465MR3f090113@www.freebsd.org>
Date: Wed, 5 May 2004 22:22:27 -0700 (PDT)
From: John R Smith <advisory@servangle.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: TCPDUMP ISAKMP payload handling denial-of-service Vulnerability
X-Send-Pr-Version: www-2.3

>Number:         66311
>Category:       bin
>Synopsis:       TCPDUMP ISAKMP payload handling denial-of-service Vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    fenner
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 05 22:30:21 PDT 2004
>Closed-Date:    Sun Jun 10 06:22:36 GMT 2007
>Last-Modified:  Sun Jun 10 06:22:36 GMT 2007
>Originator:     John R Smith
>Release:        4.9-STABLE
>Organization:
servAngle, LLC.
>Environment:
FreeBSD nads 4.9-STABLE FreeBSD 4.9-STABLE #2: Fri Apr 20 20:58:14 HST 2004     root@nads:/usr/obj/usr/src/sys/NADS01  i386

>Description:
	TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol.  Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash.

http://www.rapid7.com/advisories/R7-0017.html

We've had to disable the tcpdump binaries on our FreeBSD systems at work (U.S. Army) to be compliant.

>How-To-Repeat:
	An ISAKMP packet with a malformed Identification payload with a self-reported payload length that becomes less than 8 when its byte order is reversed will cause TCPDUMP to crash as it tries to read from beyond the end of the snap buffer. 
>Fix:
	Upgrade to version 3.8.3 of TCPDUMP.  You should also consider upgrading to version 0.8.3 of libpcap.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->security 
Responsible-Changed-By: simon 
Responsible-Changed-When: Thu May 6 02:30:15 PDT 2004 
Responsible-Changed-Why:  
Reassign to the Security Team for evaluation of the severity of this 
problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66311 
Responsible-Changed-From-To: security->fenner 
Responsible-Changed-By: simon 
Responsible-Changed-When: Thu May 6 14:21:29 PDT 2004 
Responsible-Changed-Why:  
Reassign to tcpdump maintainer for consideration of a tcpdump MFC to 
deal with this issue. 

I changed the category of the PR to be a bit more correct. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66311 

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/66311: TCPDUMP ISAKMP payload handling denial-of-service Vulnerability
Date: Thu, 6 May 2004 23:25:31 +0200

 Adding to audit trail.
 
 ----- Forwarded message from "Jacques A. Vidrine" <nectar@FreeBSD.org> -----
 
 From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
 Date: Thu, 6 May 2004 07:05:46 -0500
 To: "Simon L. Nielsen" <simon@FreeBSD.org>
 Cc: freebsd-i386@FreeBSD.org, security@FreeBSD.org
 User-Agent: Mutt/1.5.4i
 Subject: Re: i386/66311: TCPDUMP ISAKMP payload handling denial-of-service Vulnerability
 Mail-Followup-To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
 	"Simon L. Nielsen" <simon@FreeBSD.org>, freebsd-i386@FreeBSD.org,
 	security@FreeBSD.org
 
 On Thu, May 06, 2004 at 02:32:03AM -0700, Simon L. Nielsen wrote:
 > Synopsis: TCPDUMP ISAKMP payload handling denial-of-service Vulnerability
 > 
 > Responsible-Changed-From-To: freebsd-i386->security
 > Responsible-Changed-By: simon
 > Responsible-Changed-When: Thu May 6 02:30:15 PDT 2004
 > Responsible-Changed-Why: 
 > Reassign to the Security Team for evaluation of the severity of this
 > problem.
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=66311
 
 [This PR seems to be misfiled as `i386' ?]
 
 This is the issue documented here:
 http://vuxml.freebsd.org/f8551668-de09-4d7b-9720-f1360929df07.html
 
 It is already repaired in -CURRENT.  The security team does not have any
 special action planned due to the extremely limited impact of the issue.
 The tcpdump maintainer (fenner@) should probably be contacted about an
 MFC.
 
 Cheers,
 -- 
 Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
 
 
 ----- End forwarded message -----
 
 -- 
 Simon L. Nielsen
 FreeBSD Documentation Team
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Mon Jun 14 15:02:27 GMT 2004 
State-Changed-Why:  
Patched in -CURRENT. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66311 
State-Changed-From-To: patched->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Jun 10 06:22:24 UTC 2007 
State-Changed-Why:  
RELENG_4 is now out of support, so this PR is obsolete. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66311 
>Unformatted:
