COMMAND

    tcpdump

SYSTEMS AFFECTED

    Those running tcpdump

PROBLEM

    The following is based on FreeBSD Security Advisory FreeBSD-SA-00:61.
    Several overflowable  buffers were  discovered in  the version  of
    tcpdump included in FreeBSD, during internal source code auditing.
    Some simply allow the remote  attacker to crash the local  tcpdump
    process,  but  there  is  a  more  serious  vulnerability  in  the
    decoding of AFS ACL packets in the more recent version of  tcpdump
    (tcpdump  3.5)  included  in  FreeBSD 4.0-RELEASE, 4.1-RELEASE and
    4.1.1-RELEASE,  which  may  allow  a  remote  attacker  to execute
    arbitrary  code  on  the  local  system  (usually root, since root
    privileges are required to run tcpdump).
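
    The class of bug described above, a packet decoder copying a
    sender-controlled field into a fixed-size buffer, as an added example
    that is not tcpdump's or FreeBSD's code: a bounds-checked parser for a
    constructed "name rights" text ACL. The wire format, ACL_NAME_MAX and
    acl_decode are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define ACL_NAME_MAX 16              /* constructed limit for this demo */

struct acl_entry { char name[ACL_NAME_MAX + 1]; int rights; };

/* Unsafe pattern, shown for contrast only and never compiled:
 *     char name[17]; sscanf((char *)buf, "%s %d", name, &rights);
 * "%s" has no width and a captured payload has no guaranteed NUL, so
 * the sender controls how far the decoder writes and reads. */

/* Decode up to max "name rights\n" entries (assumed format) from
 * buf[0..len). Returns the count, or -1 if a field is empty, too long
 * or cut short. */
int acl_decode(const unsigned char *buf, size_t len,
               struct acl_entry *out, int max)
{
    size_t i = 0;
    int n = 0;
    while (i < len && n < max) {
        size_t start = i, nlen;
        int rights = 0, digits = 0;
        while (i < len && buf[i] != ' ' && buf[i] != '\n') i++;
        nlen = i - start;
        if (i == len || buf[i] != ' ' || nlen == 0 || nlen > ACL_NAME_MAX)
            return -1;               /* reject instead of truncating */
        memcpy(out[n].name, buf + start, nlen);
        out[n].name[nlen] = '\0';
        i++;                         /* skip the separating space */
        while (i < len && isdigit(buf[i]) && digits < 4) {
            rights = rights * 10 + (buf[i++] - '0');
            digits++;
        }
        if (digits == 0 || i == len || buf[i] != '\n') return -1;
        i++;                         /* skip the newline */
        out[n++].rights = rights;
    }
    return n;
}

int main(void)
{
    /* Constructed sample payload, not taken from a real capture. */
    const unsigned char pkt[] = "alice 127\nsystem:anyuser 9\n";
    struct acl_entry e[4];
    int n = acl_decode(pkt, sizeof pkt - 1, e, 4);
    for (int k = 0; k < n; k++) printf("%s %d\n", e[k].name, e[k].rights);
    return n < 0;
}
```

    Every read is checked against the captured length and every copy
    against the destination size, so an oversized or truncated field is
    rejected rather than crashing the monitor.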

    The former issue may be a  problem for systems using tcpdump as  a
    form of  intrusion detection  system, i.e.  to monitor  suspicious
    network activity: after the attacker crashes any listening tcpdump
    processes, their subsequent activities will not be observed.

    All  released  versions  of  FreeBSD  prior to the correction date
    including    3.5.1-RELEASE,    4.0-RELEASE,    4.1-RELEASE     and
    4.1.1-RELEASE are vulnerable to  the "remote crash" problems,  and
    FreeBSD  4.0-RELEASE,  4.1-RELEASE  and  4.1.1-RELEASE  are   also
    vulnerable to the "remote execution" vulnerability.  Both problems
    were corrected  in 4.1.1-STABLE  prior to  the release  of FreeBSD
    4.2-RELEASE.

    Remote users  can cause  the local  tcpdump process  to crash, and
    (under  FreeBSD   4.0-RELEASE,  4.1-RELEASE,   4.1.1-RELEASE   and
    4.1.1-STABLE prior to  the correction date)  may be able  to cause
    arbitrary  code  to  be  executed  as  the  user  running tcpdump,
    usually root.

SOLUTION

    For FreeBSD:

        1) Upgrade your vulnerable  FreeBSD system to 4.1.1-STABLE  or
           3.5.1-STABLE after the respective correction dates.
       2a) FreeBSD 3.x systems prior to the correction date
           Download the patch and the detached PGP signature from  the
           following locations,  and verify  the signature  using your
           PGP utility.
           ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
           ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc

           # cd /usr/src/contrib/tcpdump
           # patch -p < /path/to/patch
           # cd /usr/src/usr.sbin/tcpdump
           # make depend && make all install

       2b) FreeBSD 4.x systems prior to the correction date
           Download the patch and the detached PGP signature from  the
           following locations,  and verify  the signature  using your
           PGP utility.
           ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1
           ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1.asc

           # cd /usr/src/contrib/tcpdump
           # patch -p < /path/to/patch
           # cd /usr/src/usr.sbin/tcpdump
           # make depend && make all install

    For SuSE Linux:

        ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libpcapn-0.4a6-279.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/tcpdump-3.4a6-280.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libpcapn-0.4a6-279.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/tcpdump-3.4a6-280.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libpcapn-0.4a6-279.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/tcpdump-3.4a6-280.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libpcapn-0.4a6-279.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/tcpdump-3.4a6-280.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libpcapn-0.4a6-279.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/tcpdump-3.4a6-280.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libpcapn-0.4a6-279.sparc.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/tcpdump-3.4a6-280.sparc.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libpcapn-0.4a6-279.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/tcpdump-3.4a6-280.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libpcapn-0.4a6-280.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/tcpdump-3.4a6-281.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/tcpdump-3.4a6-281.src.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/d1/libpcapn-0.4a6-279.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/tcpdump-3.4a6-280.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libpcapn-0.4a6-279.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/tcpdump-3.4a6-280.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6-4.2.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6-4.2.dsc
        http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/tcpdump_3.4a6-4.2_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/tcpdump_3.4a6-4.2_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/tcpdump_3.4a6-4.2_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/tcpdump_3.4a6-4.2_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcpdump_3.4a6-4.2_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/tcpdump_3.4a6-4.2_sparc.deb