Tcpdump security update

Tcpdump security update

[Leo Famulari]

[-- Attachment #1.1: Type: text/plain, Size: 343 bytes --]

I communicated with the tcpdump team and verified that the Debian
tarball provides the same data (same SHA256 hash) as what's provided
directly by upstream. But the upstream link is still considered private
so I'm using the Debian source URL as a courtesy.

The Debian security advisory is here:

https://www.debian.org/security/2017/dsa-3775

[-- Attachment #1.2: 0001-gnu-tcpdump-Update-to-4.9.0-security-fixes.patch --]
[-- Type: text/plain, Size: 1887 bytes --]

From 06b23b7747dedf6fc2386b3fc86bc459999ffa88 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 30 Jan 2017 14:50:23 -0500
Subject: [PATCH] gnu: tcpdump: Update to 4.9.0 [security fixes].

Fixes CVE-2016-{7922,7923,7924,7925,7926,7927,7928,7929,7930,7931,7932,7933
7934,7935,7936,7937,7938,7939,7940,7973,7974,7975,7983,7984,7985,7986,7992,7993,
8574,8575} and CVE-2017-{5202,5203,5204,5205,5341,5342,5482,5483,5484,5485,
5486}.

* gnu/packages/admin.scm (tcpdump): Update to 4.9.0.
[source]: Add alternate URL.
---
 gnu/packages/admin.scm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 12aa9e70a..cf229f1d3 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -633,14 +633,18 @@ network statistics collection, security monitoring, network debugging, etc.")
 (define-public tcpdump
   (package
     (name "tcpdump")
-    (version "4.7.4")
+    (version "4.9.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
-                                  version ".tar.gz"))
+                (uri
+                  (list
+                    (string-append "http://http.debian.net/debian/pool/main/t/"
+                                    name "/" name "_" version ".orig.tar.gz")
+                    (string-append "http://www.tcpdump.org/release/tcpdump-"
+                                   version ".tar.gz")))
               (sha256
                (base32
-                "1byr8w6grk08fsq0444jmcz9ar89lq9nf4mjq2cny0w9k8k21rbb"))))
+                "0pjsxsy8l71i813sa934cwf1ryp9xbr7nxwsvnzavjdirchq3sga"))))
     (build-system gnu-build-system)
     (inputs `(("libpcap" ,libpcap)
               ("openssl" ,openssl)))
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Tcpdump security update

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1004 bytes --]

Leo Famulari <leo@famulari.name> writes:

> I communicated with the tcpdump team and verified that the Debian
> tarball provides the same data (same SHA256 hash) as what's provided
> directly by upstream. But the upstream link is still considered private
> so I'm using the Debian source URL as a courtesy.

Thanks for doing that! Please add a comment with the Debian URL
specifying that it's temporary due to this fix. Otherwise LGTM.

> The Debian security advisory is here:
>
> https://www.debian.org/security/2017/dsa-3775
> From 06b23b7747dedf6fc2386b3fc86bc459999ffa88 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 30 Jan 2017 14:50:23 -0500
> Subject: [PATCH] gnu: tcpdump: Update to 4.9.0 [security fixes].
>
> Fixes CVE-2016-{7922,7923,7924,7925,7926,7927,7928,7929,7930,7931,7932,7933
> 7934,7935,7936,7937,7938,7939,7940,7973,7974,7975,7983,7984,7985,7986,7992,7993,
> 8574,8575} and CVE-2017-{5202,5203,5204,5205,5341,5342,5482,5483,5484,5485,
> 5486}.

Wow!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Tcpdump security update

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 722 bytes --]


Oops, missed a little detail:

Leo Famulari <leo@famulari.name> writes:
>      (source (origin
>                (method url-fetch)
> -              (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
> -                                  version ".tar.gz"))
> +                (uri
> +                  (list
> +                    (string-append "http://http.debian.net/debian/pool/main/t/"
> +                                    name "/" name "_" version ".orig.tar.gz")
> +                    (string-append "http://www.tcpdump.org/release/tcpdump-"
> +                                   version ".tar.gz")))

Perhaps a (file-name) field should be added here, since the two URLs
provide different file names?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: Tcpdump security update

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 950 bytes --]

On Mon, Jan 30, 2017 at 09:16:08PM +0100, Marius Bakke wrote:
> 
> Oops, missed a little detail:
> 
> Leo Famulari <leo@famulari.name> writes:
> >      (source (origin
> >                (method url-fetch)
> > -              (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
> > -                                  version ".tar.gz"))
> > +                (uri
> > +                  (list
> > +                    (string-append "http://http.debian.net/debian/pool/main/t/"
> > +                                    name "/" name "_" version ".orig.tar.gz")
> > +                    (string-append "http://www.tcpdump.org/release/tcpdump-"
> > +                                   version ".tar.gz")))
> 
> Perhaps a (file-name) field should be added here, since the two URLs
> provide different file names?

Thank you for the good suggestions and the quick review!

Pushed as af7d72b16c7652e9ddc3c441017de5c9bb9205f2

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]