net-analyzer/tcpdump: patch CVE-2020-8037

Note that CVE-2020-8036 is already fixed in the version
of 4.10.x packaged in Gentoo and 4.9.x is unaffected
(the relevant functionality simply did not exist).

Bug: https://bugs.gentoo.org/753146
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Sam James <sam@gentoo.org>

3 files changed, 157 insertions, 14 deletions

diff --git a/net-analyzer/tcpdump/files/tcpdump-4.9.3-CVE-2020-8037.patch b/net-analyzer/tcpdump/files/tcpdump-4.9.3-CVE-2020-8037.patch
new file mode 100644
index 000000000000..2852845eb748
--- /dev/null
+++ b/net-analyzer/tcpdump/files/tcpdump-4.9.3-CVE-2020-8037.patch
@@ -0,0 +1,63 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 891761728..33fb03412 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ print_bacp_config_options(netdissect_options *ndo,
+ 	return 0;
+ }
+ 
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+          const u_char *p, int length)
+ {
++	u_int caplen = ndo->ndo_snapend - p;
+ 	u_char *b, *t, c;
+ 	const u_char *s;
+-	int i, proto;
++	u_int i;
++	int proto;
+ 	const void *se;
+ 
++	if (caplen == 0)
++		return;
++
+         if (length <= 0)
+                 return;
+ 
+-	b = (u_char *)malloc(length);
++	b = (u_char *)malloc(caplen);
+ 	if (b == NULL)
+ 		return;
+ 
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ 	 * Do this so that we dont overwrite the original packet
+ 	 * contents.
+ 	 */
+-	for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++	for (s = p, t = b, i = caplen; i != 0; i--) {
+ 		c = *s++;
+ 		if (c == 0x7d) {
+-			if (i <= 1 || !ND_TTEST(*s))
++			if (i <= 1)
+ 				break;
+ 			i--;
+ 			c = *s++ ^ 0x20;
diff --git a/net-analyzer/tcpdump/tcpdump-4.10.0_rc1-r1.ebuild b/net-analyzer/tcpdump/tcpdump-4.10.0_rc1-r1.ebuild
index aa6aa458165d..3133cb51eca1 100644
--- a/net-analyzer/tcpdump/tcpdump-4.10.0_rc1-r1.ebuild
+++ b/net-analyzer/tcpdump/tcpdump-4.10.0_rc1-r1.ebuild
@@ -5,21 +5,20 @@ EAPI=7
 inherit autotools
 
 DESCRIPTION="A Tool for network monitoring and data acquisition"
-HOMEPAGE="
-	https://www.tcpdump.org/
-	https://github.com/the-tcpdump-group/tcpdump
-"
-LICENSE="BSD"
-SRC_URI="
-	https://github.com/the-tcpdump-group/${PN}/archive/${P/_}.tar.gz
-"
+HOMEPAGE="https://www.tcpdump.org/ https://github.com/the-tcpdump-group/tcpdump"
+SRC_URI="https://github.com/the-tcpdump-group/${PN}/archive/${P/_}.tar.gz"
+S="${WORKDIR}/${PN}-${P/_}"
 
+LICENSE="BSD"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
 IUSE="+drop-root libressl +smi +ssl +samba suid test"
 RESTRICT="!test? ( test )"
 REQUIRED_USE="test? ( samba )"
 
+BDEPEND="
+	drop-root? ( virtual/pkgconfig )
+"
 RDEPEND="
 	net-libs/libpcap
 	drop-root? (
@@ -37,9 +36,6 @@ RDEPEND="
 		acct-user/pcap
 	)
 "
-BDEPEND="
-	drop-root? ( virtual/pkgconfig )
-"
 DEPEND="
 	${RDEPEND}
 	test? (
@@ -50,11 +46,9 @@ DEPEND="
 PATCHES=(
 	"${FILESDIR}"/${PN}-9999-libdir.patch
 )
-S=${WORKDIR}/${PN}-${P/_}
 
 src_prepare() {
 	default
-
 	eautoreconf
 }
 
@@ -90,5 +84,5 @@ src_install() {
 }
 
 pkg_postinst() {
-	use suid && elog "To let normal users run tcpdump add them to the pcap group."
+	use suid && elog "To let normal users run tcpdump, add them to the pcap group."
 }
diff --git a/net-analyzer/tcpdump/tcpdump-4.9.3-r4.ebuild b/net-analyzer/tcpdump/tcpdump-4.9.3-r4.ebuild
new file mode 100644
index 000000000000..bfd5bf492128
--- /dev/null
+++ b/net-analyzer/tcpdump/tcpdump-4.9.3-r4.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools
+
+DESCRIPTION="A Tool for network monitoring and data acquisition"
+HOMEPAGE="https://www.tcpdump.org/ https://github.com/the-tcpdump-group/tcpdump"
+SRC_URI="https://www.tcpdump.org/release/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="+drop-root libressl smi ssl samba suid test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	net-libs/libpcap
+	drop-root? (
+		acct-group/pcap
+		acct-user/pcap
+		sys-libs/libcap-ng
+	)
+	smi? ( net-libs/libsmi )
+	ssl? (
+		!libressl? ( >=dev-libs/openssl-0.9.6m:0= )
+		libressl? ( dev-libs/libressl:= )
+	)
+	suid? (
+		acct-group/pcap
+		acct-user/pcap
+	)
+"
+DEPEND="
+	${RDEPEND}
+	test? (
+		>=net-libs/libpcap-1.9.1
+		dev-lang/perl
+	)
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-9999-libdir.patch
+	"${FILESDIR}"/${PN}-4.9.3-CVE-2020-8037.patch
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		$(use_enable samba smb) \
+		$(use_with drop-root cap-ng) \
+		$(use_with drop-root chroot '') \
+		$(use_with smi) \
+		$(use_with ssl crypto "${ESYSROOT}/usr") \
+		$(usex drop-root "--with-user=pcap" "")
+}
+
+src_test() {
+	if [[ ${EUID} -ne 0 ]] || ! use drop-root; then
+		emake check
+	else
+		ewarn "If you want to run the test suite, make sure you either"
+		ewarn "set FEATURES=userpriv or set USE=-drop-root"
+	fi
+}
+
+src_install() {
+	dosbin tcpdump
+	doman tcpdump.1
+	dodoc *.awk
+	dodoc CHANGES CREDITS README.md
+
+	if use suid; then
+		fowners root:pcap /usr/sbin/tcpdump
+		fperms 4110 /usr/sbin/tcpdump
+	fi
+}
+
+pkg_postinst() {
+	use suid && elog "To let normal users run tcpdump, add them to the pcap group."
+}