Document Nmap modifications to libpcap 1.9.1.

CHANGELOG

@@ -1,5 +1,7 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
+
 o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
 
 o [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working

libpcap/Makefile.in

@@ -729,8 +729,6 @@ uninstall-rpcapd:
 
 clean:
 	rm -f $(CLEANFILES)
-	cd rpcapd; $(MAKE) clean
-	cd testprogs; $(MAKE) clean
 
 distclean: clean
 	rm -f Makefile config.cache config.log config.status \
@@ -738,8 +736,6 @@ distclean: clean
 	    pcap-config stamp-h stamp-h.in
 	rm -f $(MAN3PCAP_EXPAND:.in=) $(MANFILE:.in=) $(MANMISC:.in=)
 	rm -rf autom4te.cache
-	cd rpcapd; $(MAKE) distclean
-	cd testprogs; $(MAKE) distclean
 
 extags: $(TAGFILES)
 	ctags $(TAGFILES)
@@ -758,5 +754,3 @@ releasetar:
 
 depend:	$(GENSRC) $(GENHDR)
 	$(MKDEP) -c "$(CC)" -m "$(DEPENDENCY_CFLAG)" $(CFLAGS) $(DEFS) $(INCLS) $(SRC)
-	cd rpcapd; $(MAKE) depend
-	cd testprogs; $(MAKE) depend

libpcap/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch

@@ -0,0 +1,137 @@
+diff --git a/libpcap/Makefile.in b/libpcap/Makefile.in
+index 5a6b165..e7f4167 100644
+--- a/libpcap/Makefile.in
++++ b/libpcap/Makefile.in
+@@ -76,9 +76,6 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_DATA = @INSTALL_DATA@
+ RANLIB = @RANLIB@
+ 
+-LEX = @LEX@
+-YACC = @YACC@
+-
+ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
+ # Also, gcc does not remove the .o before forking 'as', which can be a
+ # problem if you don't own the file but can write to the directory.
+@@ -154,7 +151,7 @@ TAGFILES = \
+ 	$(SRC) $(HDR)
+ 
+ CLEANFILES = $(OBJ) libpcap.a libpcap.so.`cat $(srcdir)/VERSION` \
+-	$(PROG)-`cat $(srcdir)/VERSION`.tar.gz $(GENSRC) $(GENHDR) \
++	$(PROG)-`cat $(srcdir)/VERSION`.tar.gz \
+ 	lex.yy.c pcap-config libpcap.pc
+ 
+ MAN1 = pcap-config.1
+@@ -387,6 +384,15 @@ EXTRA_DIST = \
+ 
+ all: libpcap.a shared $(BUILD_RPCAPD) libpcap.pc pcap-config
+ 
++# Inhibit implicit rule Make seems to have for using yacc/lex to
++# recompile new scanner.c/grammar.c -- we ship ones which we want to
++# use instead.
++grammar.c:
++	echo "Not rebuilding grammar.c"
++
++scanner.c:
++	echo "Not rebuilding scanner.c"
++
+ libpcap.a: $(OBJ)
+ 	@rm -f $@
+ 	$(AR) rc $@ $(OBJ) $(ADDLARCHIVEOBJS)
+@@ -468,27 +474,9 @@ libpcap.shareda: $(OBJ)
+ #
+ libpcap.none:
+ 
+-scanner.c: $(srcdir)/scanner.l
+-	$(LEX) -P pcap_ --header-file=scanner.h --nounput -o scanner.c $<
+-scanner.h: scanner.c
+-## Recover from the removal of $@
+-	@if test -f $@; then :; else \
+-		rm -f scanner.c; \
+-		$(MAKE) $(MAKEFLAGS) scanner.c; \
+-	fi
+-
+ scanner.o: scanner.c grammar.h
+ 	$(CC) $(FULL_CFLAGS) -c scanner.c
+ 
+-grammar.c: $(srcdir)/grammar.y
+-	$(YACC) -p pcap_ -o grammar.c -d $<
+-grammar.h: grammar.c
+-## Recover from the removal of $@
+-	@if test -f $@; then :; else \
+-		rm -f grammar.c; \
+-		$(MAKE) $(MAKEFLAGS) grammar.c; \
+-	fi
+-
+ grammar.o: grammar.c scanner.h
+ 	$(CC) $(FULL_CFLAGS) -c grammar.c
+ 
+diff --git a/libpcap/configure.ac b/libpcap/configure.ac
+index 6255f07..5e741cb 100644
+--- a/libpcap/configure.ac
++++ b/libpcap/configure.ac
+@@ -1594,50 +1594,6 @@ fi
+ AC_MSG_RESULT(${enable_yydebug-no})
+ 
+ #
+-# Look for {f}lex.
+-#
+-AC_PROG_LEX
+-if test "$LEX" = ":"; then
+-	AC_MSG_ERROR([Neither flex nor lex was found.])
+-fi
+-
+-#
+-# Make sure {f}lex supports the -P, --header-file, and --nounput flags
+-# and supports processing our scanner.l.
+-#
+-AC_CACHE_CHECK([for capable lex], tcpdump_cv_capable_lex,
+-	if $LEX -P pcap_ --header-file=/dev/null --nounput -t $srcdir/scanner.l > /dev/null 2>&1; then
+-	    tcpdump_cv_capable_lex=yes
+-	else
+-	    tcpdump_cv_capable_lex=insufficient
+-	fi)
+-if test $tcpdump_cv_capable_lex = insufficient ; then
+-	AC_MSG_ERROR([$LEX is insufficient to compile libpcap.
+- libpcap requires Flex 2.5.31 or later, or a compatible version of lex.])
+-fi
+-
+-#
+-# Look for yacc/bison/byacc.
+-#
+-AC_PROG_YACC
+-
+-#
+-# Make sure it supports the -p flag and supports processing our
+-# grammar.y.
+-#
+-AC_CACHE_CHECK([for capable yacc/bison], tcpdump_cv_capable_yacc,
+-	if $YACC -p pcap_ -o /dev/null $srcdir/grammar.y >/dev/null 2>&1; then
+-	    tcpdump_cv_capable_yacc=yes
+-	else
+-	    tcpdump_cv_capable_yacc=insufficient
+-	fi)
+-if test $tcpdump_cv_capable_yacc = insufficient ; then
+-	AC_MSG_ERROR([$YACC is insufficient to compile libpcap.
+- libpcap requires Bison, a newer version of Berkeley YACC with support
+- for reentrant parsers, or another YACC compatible with them.])
+-fi
+-
+-#
+ # Do various checks for various OSes and versions of those OSes.
+ #
+ # Assume, by default, no support for shared libraries and V7/BSD
+@@ -2050,14 +2006,12 @@ AC_SUBST(V_PROG_LDFLAGS_FAT)
+ AC_SUBST(V_DEFS)
+ AC_SUBST(V_FINDALLDEVS)
+ AC_SUBST(V_INCLS)
+-AC_SUBST(V_LEX)
+ AC_SUBST(V_PCAP)
+ AC_SUBST(V_SHLIB_CCOPT)
+ AC_SUBST(V_SHLIB_CMD)
+ AC_SUBST(V_SHLIB_OPT)
+ AC_SUBST(V_SONAME_OPT)
+ AC_SUBST(V_RPATH_OPT)
+-AC_SUBST(V_YACC)
+ AC_SUBST(ADDLOBJS)
+ AC_SUBST(ADDLARCHIVEOBJS)
+ AC_SUBST(SSRC)

libpcap/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch

@@ -0,0 +1,200 @@
+diff --git a/libpcap/configure b/libpcap/configure
+index fa15fc7..e40a4c4 100755
+--- a/libpcap/configure
++++ b/libpcap/configure
+@@ -1416,16 +1416,12 @@ Optional Features:
+   --enable-optimizer-dbg  build optimizer debugging code
+   --enable-yydebug        build parser debugging code
+   --disable-universal     don't build universal on macOS
+-  --enable-shared         build shared libraries [default=yes, if support
+-                          available]
+-  --enable-usb            enable USB capture support [default=yes, if support
+-                          available]
++  --enable-shared         build shared libraries [default=no]
++  --enable-usb            enable USB capture support [default=no]
+   --enable-netmap         enable netmap support [default=yes, if support
+                           available]
+-  --enable-bluetooth      enable Bluetooth support [default=yes, if support
+-                          available]
+-  --enable-dbus           enable D-Bus capture support [default=yes, if
+-                          support available]
++  --enable-bluetooth      enable Bluetooth support [default=no]
++  --enable-dbus           enable D-Bus capture support [default=no]
+   --enable-rdma           enable RDMA capture support [default=yes, if support
+                           available]
+ 
+@@ -1435,8 +1431,7 @@ Optional Packages:
+   --without-gcc           don't use gcc
+   --with-sita             include SITA support
+   --with-pcap=TYPE        use packet capture TYPE
+-  --without-libnl         disable libnl support [default=yes, on Linux, if
+-                          present]
++  --without-libnl         disable libnl support [default=disabled]
+   --with-dag[=DIR]        include Endace DAG support (located in directory
+                           DIR, if supplied). [default=yes, if present]
+   --with-dag-includes=IDIR
+@@ -6516,7 +6511,7 @@ else
+ fi
+ 
+ 
+-	if test x$with_libnl != xno ; then
++	if test x$with_libnl = xyes ; then
+ 		have_any_nl="no"
+ 
+                 incdir=-I/usr/include/libnl3
+@@ -8572,7 +8567,7 @@ if test "${enable_shared+set}" = set; then :
+   enableval=$enable_shared;
+ fi
+ 
+-test "x$enable_shared" = "xno" && DYEXT="none"
++test "x$enable_shared" != "xyes" && DYEXT="none"
+ 
+ if test -n "$ac_tool_prefix"; then
+   # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+@@ -10397,7 +10392,7 @@ $as_echo "#define LBL_ALIGN 1" >>confdefs.h
+ if test "${enable_usb+set}" = set; then :
+   enableval=$enable_usb;
+ else
+-  enable_usb=yes
++  enable_usb=no
+ fi
+ 
+ 
+@@ -10646,7 +10641,7 @@ fi
+ if test "${enable_bluetooth+set}" = set; then :
+   enableval=$enable_bluetooth;
+ else
+-  enable_bluetooth=ifsupportavailable
++  enable_bluetooth=no
+ fi
+ 
+ 
+@@ -10771,7 +10766,7 @@ fi
+ if test "${enable_dbus+set}" = set; then :
+   enableval=$enable_dbus;
+ else
+-  enable_dbus=ifavailable
++  enable_dbus=no
+ fi
+ 
+ 
+@@ -11131,7 +11126,7 @@ ac_config_headers="$ac_config_headers config.h"
+ 
+ ac_config_commands="$ac_config_commands default-1"
+ 
+-ac_config_files="$ac_config_files Makefile pcap-filter.manmisc pcap-linktype.manmisc pcap-tstamp.manmisc pcap-savefile.manfile pcap.3pcap pcap_compile.3pcap pcap_datalink.3pcap pcap_dump_open.3pcap pcap_get_tstamp_precision.3pcap pcap_list_datalinks.3pcap pcap_list_tstamp_types.3pcap pcap_open_dead.3pcap pcap_open_offline.3pcap pcap_set_immediate_mode.3pcap pcap_set_tstamp_precision.3pcap pcap_set_tstamp_type.3pcap rpcapd/Makefile rpcapd/rpcapd.manadmin rpcapd/rpcapd-config.manfile testprogs/Makefile"
++ac_config_files="$ac_config_files Makefile pcap-filter.manmisc pcap-linktype.manmisc pcap-tstamp.manmisc pcap-savefile.manfile pcap.3pcap pcap_compile.3pcap pcap_datalink.3pcap pcap_dump_open.3pcap pcap_get_tstamp_precision.3pcap pcap_list_datalinks.3pcap pcap_list_tstamp_types.3pcap pcap_open_dead.3pcap pcap_open_offline.3pcap pcap_set_immediate_mode.3pcap pcap_set_tstamp_precision.3pcap pcap_set_tstamp_type.3pcap"
+ 
+ cat >confcache <<\_ACEOF
+ # This file is a shell script that caches the results of configure
+@@ -11851,10 +11846,6 @@ do
+     "pcap_set_immediate_mode.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_set_immediate_mode.3pcap" ;;
+     "pcap_set_tstamp_precision.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_set_tstamp_precision.3pcap" ;;
+     "pcap_set_tstamp_type.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_set_tstamp_type.3pcap" ;;
+-    "rpcapd/Makefile") CONFIG_FILES="$CONFIG_FILES rpcapd/Makefile" ;;
+-    "rpcapd/rpcapd.manadmin") CONFIG_FILES="$CONFIG_FILES rpcapd/rpcapd.manadmin" ;;
+-    "rpcapd/rpcapd-config.manfile") CONFIG_FILES="$CONFIG_FILES rpcapd/rpcapd-config.manfile" ;;
+-    "testprogs/Makefile") CONFIG_FILES="$CONFIG_FILES testprogs/Makefile" ;;
+ 
+   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
+   esac
+diff --git a/libpcap/configure.ac b/libpcap/configure.ac
+index eba2723..6255f07 100644
+--- a/libpcap/configure.ac
++++ b/libpcap/configure.ac
+@@ -847,10 +847,10 @@ linux)
+ 	# Do we have libnl?
+ 	#
+ 	AC_ARG_WITH(libnl,
+-	AC_HELP_STRING([--without-libnl],[disable libnl support @<:@default=yes, on Linux, if present@:>@]),
++	AC_HELP_STRING([--without-libnl],[disable libnl support @<:@default=disabled@:>@]),
+ 		with_libnl=$withval,with_libnl=if_available)
+ 
+-	if test x$with_libnl != xno ; then
++	if test x$with_libnl = xyes ; then
+ 		have_any_nl="no"
+ 
+                 incdir=-I/usr/include/libnl3
+@@ -1993,8 +1993,8 @@ solaris*)
+ esac
+ 
+ AC_ARG_ENABLE(shared,
+-AC_HELP_STRING([--enable-shared],[build shared libraries @<:@default=yes, if support available@:>@]))
+-test "x$enable_shared" = "xno" && DYEXT="none"
++AC_HELP_STRING([--enable-shared],[build shared libraries @<:@default=no@:>@]))
++test "x$enable_shared" != "xyes" && DYEXT="none"
+ 
+ AC_PROG_RANLIB
+ AC_CHECK_TOOL([AR], [ar])
+@@ -2073,9 +2073,9 @@ AC_SUBST(RPCAPD_LIBS)
+ AC_SUBST(EXTRA_NETWORK_LIBS)
+ 
+ AC_ARG_ENABLE([usb],
+-[AC_HELP_STRING([--enable-usb],[enable USB capture support @<:@default=yes, if support available@:>@])],
++[AC_HELP_STRING([--enable-usb],[enable USB capture support @<:@default=no@:>@])],
+     [],
+-    [enable_usb=yes])
++    [enable_usb=no])
+ 
+ if test "xxx_only" = yes; then
+ 	# User requested something-else-only pcap, so they don't
+@@ -2221,9 +2221,9 @@ fi
+ 
+ 
+ AC_ARG_ENABLE([bluetooth],
+-[AC_HELP_STRING([--enable-bluetooth],[enable Bluetooth support @<:@default=yes, if support available@:>@])],
++[AC_HELP_STRING([--enable-bluetooth],[enable Bluetooth support @<:@default=no@:>@])],
+     [],
+-    [enable_bluetooth=ifsupportavailable])
++    [enable_bluetooth=no])
+ 
+ if test "xxx_only" = yes; then
+ 	# User requested something-else-only pcap, so they don't
+@@ -2306,9 +2306,9 @@ if test "x$enable_bluetooth" != "xno" ; then
+ fi
+ 
+ AC_ARG_ENABLE([dbus],
+-[AC_HELP_STRING([--enable-dbus],[enable D-Bus capture support @<:@default=yes, if support available@:>@])],
++[AC_HELP_STRING([--enable-dbus],[enable D-Bus capture support @<:@default=no@:>@])],
+     [],
+-    [enable_dbus=ifavailable])
++    [enable_dbus=no])
+ 
+ if test "xxx_only" = yes; then
+ 	# User requested something-else-only pcap, so they don't
+@@ -2460,6 +2460,5 @@ AC_OUTPUT(Makefile pcap-filter.manmisc pcap-linktype.manmisc
+ 	pcap_list_tstamp_types.3pcap pcap_open_dead.3pcap
+ 	pcap_open_offline.3pcap pcap_set_immediate_mode.3pcap
+ 	pcap_set_tstamp_precision.3pcap pcap_set_tstamp_type.3pcap
+-	rpcapd/Makefile rpcapd/rpcapd.manadmin rpcapd/rpcapd-config.manfile
+-	testprogs/Makefile)
++	)
+ exit 0
+diff --git a/libpcap/Makefile.in b/libpcap/Makefile.in
+index e7f4167..8eed20d 100644
+--- a/libpcap/Makefile.in
++++ b/libpcap/Makefile.in
+@@ -729,8 +729,6 @@ uninstall-rpcapd:
+ 
+ clean:
+ 	rm -f $(CLEANFILES)
+-	cd rpcapd; $(MAKE) clean
+-	cd testprogs; $(MAKE) clean
+ 
+ distclean: clean
+ 	rm -f Makefile config.cache config.log config.status \
+@@ -738,8 +736,6 @@ distclean: clean
+ 	    pcap-config stamp-h stamp-h.in
+ 	rm -f $(MAN3PCAP_EXPAND:.in=) $(MANFILE:.in=) $(MANMISC:.in=)
+ 	rm -rf autom4te.cache
+-	cd rpcapd; $(MAKE) distclean
+-	cd testprogs; $(MAKE) distclean
+ 
+ extags: $(TAGFILES)
+ 	ctags $(TAGFILES)
+@@ -758,5 +754,3 @@ releasetar:
+ 
+ depend:	$(GENSRC) $(GENHDR)
+ 	$(MKDEP) -c "$(CC)" -m "$(DEPENDENCY_CFLAG)" $(CFLAGS) $(DEFS) $(INCLS) $(SRC)
+-	cd rpcapd; $(MAKE) depend
+-	cd testprogs; $(MAKE) depend

libpcap/NMAP_MODIFICATIONS/HOWTO-UPGRADE

@@ -0,0 +1,30 @@
+Download libpcap-X.Y.tar.gz from http://www.tcpdump.org/#latest-release
+and verify the signature.
+
+cd
+# Make a copy of this directory.
+cp -r ~/nmap/libpcap/NMAP_MODIFICATIONS .
+tar xzvf libpcap-X.Y.tar.gz
+cd nmap
+rsync -rv --delete ~/libpcap-X.Y/ ~/nmap/libpcap/
+# Remove some things we don't want to ship
+rm -rf ~/nmap/libpcap/{rpcapd,testprogs,doc}
+# Apply patch to avoid those dirs
+git apply ~/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch
+git add -A libpcap
+cd libpcap
+autoconf
+./configure
+make
+git add grammar.[ch] scanner.[ch]
+cd ..
+# Apply remaining patches.
+git apply ~/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch
+# Make changes as necessary and update the patch files
+cd libpcap
+autoconf
+cd ..
+git add -u libpcap
+mv ~/NMAP_MODIFICATIONS libpcap/
+git add libpcap/NMAP_MODIFICATIONS
+git commit -m "Upgrade libpcap to X.Y."