______________________________________________________________________________

                        SuSE Security Announcement

        Package:                tcpdump
        Announcement-ID:        SuSE-SA:2000:46
        Date:                   Friday, November 17th, 2000 16:00 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     remote denial of service
        Severity (1-10):        6
        SuSE default package:   yes
        Other affected systems: systems using the same versions of tcpdump
                                and the necessary libraries

    Content of this advisory:
        1) security vulnerability resolved: tcpdump
           problem description, discussion, solution and upgrade information
        2) clarification, pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    tcpdump is a widespread network/packet analysis tool, also known as a
    packet sniffer, used in unix/unix-like environments.
    Several overflowable buffers have been found in SuSE's version of tcpdump
    that could allow a remote attacker to crash the local tcpdump process.
    Since tcpdump may be used in combination with intrusion detection
    systems, a crashed tcpdump process may disable the network monitoring
    system as a whole.
    The FreeBSD team who found these vulnerabilities also reported that
    tcpdump's portion of code that can decode AFS ACL (AFS=Andrew File
    System, a network filesystem, ACL=Access Control List) packets is 
    vulnerable to a (remotely exploitable) buffer overrun attack that 
    could allow a remote attacker to execute arbitrary commands as root
    since the tcpdump program usually requires root privileges to gain 
    access to the raw network socket. 
    The versions of tcpdump as shipped with SuSE distributions do not 
    contain the AFS packet decoding capability and are therefore not
    vulnerable to this second form of attack.

    Apart from not using tcpdump at all, no temporary workaround for the
    tcpdump problems exists. However, we provide update packages for the
    affected SuSE distributions. We recommend upgrading with the packages
    that can be found using the URLs below.

    Note: There is only one source rpm package but two
    binary rpm packages. tcpdump*.rpm is the rpm for the tcpdump program,
    and libpcapn*.rpm is the packet capture library that is required by 
    tcpdump at compile time. In order to remove the security vulnerability
    in tcpdump, it is necessary to update the tcpdump rpm package only. 
    The libpcapn package with the static library is provided for 
    consistency and compatibility because it will be generated if the 
    binary packages are rebuilt from the source rpm.

    To check if your system has the vulnerable package installed, use the
    command `rpm -q ´. If applicable, please choose the update
    package(s) for your distribution from the URLs listed below and download
    the necessary rpm files. Then, install the package using the command 
    `rpm -Uhv file.rpm´. rpm packages have an internal md5 checksum that 
    protects against file corruption. You can verify this checksum using 
    the command (independently from the md5 signatures below)
        `rpm --checksig --nogpg file.rpm´.
    The md5 sums under each package are to prove the package authenticity,
    independently from the md5 checksums in the rpm package format.
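
    The check-then-install sequence described above, as an added example
    that is not part of the original advisory. The function names
    verify_md5 and install_update are hypothetical, md5sum from coreutils
    is assumed, and the expected sum is whatever the advisory lists for
    the downloaded file.

```shell
#!/bin/sh
# Added example: function names are assumptions, not SuSE tooling.

# verify_md5 FILE EXPECTED_MD5
# Returns 0 only if FILE's MD5 equals EXPECTED_MD5 (case-insensitive),
# 1 on a mismatch, 2 if the inputs themselves are unusable.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not plain hex, e.g. a sum pasted with stray text.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed md5 sum: $2" >&2; return 2 ;;
    esac
    # An MD5 sum is exactly 32 hex digits; a truncated paste must not pass.
    [ "${#expected}" -eq 32 ] || { echo "malformed md5 sum: $2" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MD5 MISMATCH for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# install_update FILE EXPECTED_MD5
# Runs the advisory's sequence and stops at the first failed check, so a
# package that fails either checksum is never handed to rpm -U.
install_update() {
    verify_md5 "$1" "$2" || return 1          # sum published in the advisory
    rpm --checksig --nogpg "$1" || return 1   # checksum inside the rpm itself
    rpm -Uhv "$1"
}
```

    Call install_update with the downloaded rpm and the sum published for
    it; a non-zero return means the package was not installed.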

    SuSE-6.0
    Please use the package for the SuSE-6.1 distribution.




______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    Clarification:
    In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000,
    concerning the paragraph about runtime linking problems in gs 
    (GhostScript), I have stated that the problem will be fixed in future
    versions of the SuSE distribution. This does not touch the fact that we
    will of course provide fixes for the older distributions.


    - pine

      We're still working on the packages for the version 4.30 (stability
      problems).

    - ppp

      The ppp "deny_incoming" problem as announced by FreeBSD Security
      Advisory FreeBSD-SA-00:70.ppp-nat is FreeBSD specific and does not
      affect the SuSE distribution.

    - vixie cron

      Michal Zalewski <lcamtuf@TPI.PL> reported security problems in
      Paul Vixie's cron implementation that is commonly used in Linux
      distributions. Due to correct permissions on the directory 
      /var/spool/cron, the SuSE cron package is not affected by the problem.

______________________________________________________________________________

3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion. 
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to 
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq) 
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ==============================================
    SuSE's security contact is <security@suse.com>.
    ==============================================

SuSE: 'tcpdump' vulnerability

November 17, 2000
Several overflowable buffers have been found in SuSE's version of tcpdump that could allow a remote attacker to crash the local tcpdump process.
