From 1a510d0940bfcb9fa0523ac0c8117f1f89ab1048 Mon Sep 17 00:00:00 2001 From: dmiller Date: Tue, 19 Nov 2019 17:53:41 +0000 Subject: [PATCH] Document Nmap modifications to libpcap 1.9.1. --- CHANGELOG | 2 + libpcap/Makefile.in | 6 - ...01-Don-t-autogenerate-Lex-Yacc-files.patch | 137 ++++++++++++ .../0002-Disable-unnecessary-features.patch | 200 ++++++++++++++++++ libpcap/NMAP_MODIFICATIONS/HOWTO-UPGRADE | 30 +++ 5 files changed, 369 insertions(+), 6 deletions(-) create mode 100644 libpcap/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch create mode 100644 libpcap/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch create mode 100644 libpcap/NMAP_MODIFICATIONS/HOWTO-UPGRADE diff --git a/CHANGELOG b/CHANGELOG index 2964337c4..2b4ba58e7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,7 @@ #Nmap Changelog ($Id$); -*-text-*- +o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities. + o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API. o [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working diff --git a/libpcap/Makefile.in b/libpcap/Makefile.in index e7f4167d8..8eed20dc2 100644 --- a/libpcap/Makefile.in +++ b/libpcap/Makefile.in @@ -729,8 +729,6 @@ uninstall-rpcapd: clean: rm -f $(CLEANFILES) - cd rpcapd; $(MAKE) clean - cd testprogs; $(MAKE) clean distclean: clean rm -f Makefile config.cache config.log config.status \ @@ -738,8 +736,6 @@ distclean: clean pcap-config stamp-h stamp-h.in rm -f $(MAN3PCAP_EXPAND:.in=) $(MANFILE:.in=) $(MANMISC:.in=) rm -rf autom4te.cache - cd rpcapd; $(MAKE) distclean - cd testprogs; $(MAKE) distclean extags: $(TAGFILES) ctags $(TAGFILES) @@ -758,5 +754,3 @@ releasetar: depend: $(GENSRC) $(GENHDR) $(MKDEP) -c "$(CC)" -m "$(DEPENDENCY_CFLAG)" $(CFLAGS) $(DEFS) $(INCLS) $(SRC) - cd rpcapd; $(MAKE) depend - cd testprogs; $(MAKE) depend 
diff --git a/libpcap/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch b/libpcap/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch
new file mode 100644
index 000000000..6dc3691e6
--- /dev/null
+++ b/libpcap/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch
@@ -0,0 +1,137 @@
+diff --git a/libpcap/Makefile.in b/libpcap/Makefile.in
+index 5a6b165..e7f4167 100644
+--- a/libpcap/Makefile.in
++++ b/libpcap/Makefile.in
+@@ -76,9 +76,6 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_DATA = @INSTALL_DATA@
+ RANLIB = @RANLIB@
+ 
+-LEX = @LEX@
+-YACC = @YACC@
+-
+ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
+ # Also, gcc does not remove the .o before forking 'as', which can be a
+ # problem if you don't own the file but can write to the directory.
+@@ -154,7 +151,7 @@ TAGFILES = \
+ $(SRC) $(HDR)
+ 
+ CLEANFILES = $(OBJ) libpcap.a libpcap.so.`cat $(srcdir)/VERSION` \
+- $(PROG)-`cat $(srcdir)/VERSION`.tar.gz $(GENSRC) $(GENHDR) \
++ $(PROG)-`cat $(srcdir)/VERSION`.tar.gz \
+ lex.yy.c pcap-config libpcap.pc
+ 
+ MAN1 = pcap-config.1
+@@ -387,6 +384,15 @@ EXTRA_DIST = \
+ 
+ all: libpcap.a shared $(BUILD_RPCAPD) libpcap.pc pcap-config
+ 
++# Inhibit implicit rule Make seems to have for using yacc/lex to
++# recompile new scanner.c/grammar.c -- we ship ones which we want to
++# use instead.
++grammar.c:
++ echo "Not rebuilding grammar.c"
++
++scanner.c:
++ echo "Not rebuilding scanner.c"
++
+ libpcap.a: $(OBJ)
+ @rm -f $@
+ $(AR) rc $@ $(OBJ) $(ADDLARCHIVEOBJS)
+@@ -468,27 +474,9 @@ libpcap.shareda: $(OBJ)
+ #
+ libpcap.none:
+ 
+-scanner.c: $(srcdir)/scanner.l
+- $(LEX) -P pcap_ --header-file=scanner.h --nounput -o scanner.c $<
+-scanner.h: scanner.c
+-## Recover from the removal of $@
+- @if test -f $@; then :; else \
+- rm -f scanner.c; \
+- $(MAKE) $(MAKEFLAGS) scanner.c; \
+- fi
+-
+ scanner.o: scanner.c grammar.h
+ $(CC) $(FULL_CFLAGS) -c scanner.c
+ 
+-grammar.c: $(srcdir)/grammar.y
+- $(YACC) -p pcap_ -o grammar.c -d $<
+-grammar.h: grammar.c
+-## Recover from the removal of $@
+- @if test -f $@; then :; else \
+- rm -f grammar.c; \
+- $(MAKE) $(MAKEFLAGS) grammar.c; \
+- fi
+-
+ grammar.o: grammar.c scanner.h
+ $(CC) $(FULL_CFLAGS) -c grammar.c
+ 
+diff --git a/libpcap/configure.ac b/libpcap/configure.ac
+index 6255f07..5e741cb 100644
+--- a/libpcap/configure.ac
++++ b/libpcap/configure.ac
+@@ -1594,50 +1594,6 @@ fi
+ AC_MSG_RESULT(${enable_yydebug-no})
+ 
+ #
+-# Look for {f}lex.
+-#
+-AC_PROG_LEX
+-if test "$LEX" = ":"; then
+- AC_MSG_ERROR([Neither flex nor lex was found.])
+-fi
+-
+-#
+-# Make sure {f}lex supports the -P, --header-file, and --nounput flags
+-# and supports processing our scanner.l.
+-#
+-AC_CACHE_CHECK([for capable lex], tcpdump_cv_capable_lex,
+- if $LEX -P pcap_ --header-file=/dev/null --nounput -t $srcdir/scanner.l > /dev/null 2>&1; then
+- tcpdump_cv_capable_lex=yes
+- else
+- tcpdump_cv_capable_lex=insufficient
+- fi)
+-if test $tcpdump_cv_capable_lex = insufficient ; then
+- AC_MSG_ERROR([$LEX is insufficient to compile libpcap.
+- libpcap requires Flex 2.5.31 or later, or a compatible version of lex.])
+-fi
+-
+-#
+-# Look for yacc/bison/byacc.
+-#
+-AC_PROG_YACC
+-
+-#
+-# Make sure it supports the -p flag and supports processing our
+-# grammar.y.
+-#
+-AC_CACHE_CHECK([for capable yacc/bison], tcpdump_cv_capable_yacc,
+- if $YACC -p pcap_ -o /dev/null $srcdir/grammar.y >/dev/null 2>&1; then
+- tcpdump_cv_capable_yacc=yes
+- else
+- tcpdump_cv_capable_yacc=insufficient
+- fi)
+-if test $tcpdump_cv_capable_yacc = insufficient ; then
+- AC_MSG_ERROR([$YACC is insufficient to compile libpcap.
+- libpcap requires Bison, a newer version of Berkeley YACC with support
+- for reentrant parsers, or another YACC compatible with them.])
+-fi
+-
+-#
+ # Do various checks for various OSes and versions of those OSes.
+ #
+ # Assume, by default, no support for shared libraries and V7/BSD
+@@ -2050,14 +2006,12 @@ AC_SUBST(V_PROG_LDFLAGS_FAT)
+ AC_SUBST(V_DEFS)
+ AC_SUBST(V_FINDALLDEVS)
+ AC_SUBST(V_INCLS)
+-AC_SUBST(V_LEX)
+ AC_SUBST(V_PCAP)
+ AC_SUBST(V_SHLIB_CCOPT)
+ AC_SUBST(V_SHLIB_CMD)
+ AC_SUBST(V_SHLIB_OPT)
+ AC_SUBST(V_SONAME_OPT)
+ AC_SUBST(V_RPATH_OPT)
+-AC_SUBST(V_YACC)
+ AC_SUBST(ADDLOBJS)
+ AC_SUBST(ADDLARCHIVEOBJS)
+ AC_SUBST(SSRC)
diff --git a/libpcap/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch b/libpcap/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch
new file mode 100644
index 000000000..462a2711c
--- /dev/null
+++ b/libpcap/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch
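Review bot: The stub rules `grammar.c:` and `scanner.c:` added to libpcap/Makefile.in have no prerequisites and a recipe that only echoes, so when a shipped file is missing make treats the target as built and the failure surfaces later at `scanner.o`/`grammar.o` with a less direct error. A recipe that checks for the file would stop at the right place, for example `@test -f $@ || { echo "$@ is shipped pre-generated and is missing" >&2; exit 1; }`. The `scanner.h` and `grammar.h` rules are removed as well while `scanner.o` and `grammar.o` still list those headers as prerequisites, so no rule for a missing header is visible in this patch. Nothing in the build now ties the committed parser sources to `grammar.y`/`scanner.l`, so a comment above the stubs naming where they are regenerated (the HOWTO-UPGRADE file added in this commit) would help the next upgrader keep them in step with the verified release.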
@@ -0,0 +1,200 @@
+diff --git a/libpcap/configure b/libpcap/configure
+index fa15fc7..e40a4c4 100755
+--- a/libpcap/configure
++++ b/libpcap/configure
+@@ -1416,16 +1416,12 @@ Optional Features:
+ --enable-optimizer-dbg build optimizer debugging code
+ --enable-yydebug build parser debugging code
+ --disable-universal don't build universal on macOS
+- --enable-shared build shared libraries [default=yes, if support
+- available]
+- --enable-usb enable USB capture support [default=yes, if support
+- available]
++ --enable-shared build shared libraries [default=no]
++ --enable-usb enable USB capture support [default=no]
+ --enable-netmap enable netmap support [default=yes, if support
+ available]
+- --enable-bluetooth enable Bluetooth support [default=yes, if support
+- available]
+- --enable-dbus enable D-Bus capture support [default=yes, if
+- support available]
++ --enable-bluetooth enable Bluetooth support [default=no]
++ --enable-dbus enable D-Bus capture support [default=no]
+ --enable-rdma enable RDMA capture support [default=yes, if support
+ available]
+ 
+@@ -1435,8 +1431,7 @@ Optional Packages:
+ --without-gcc don't use gcc
+ --with-sita include SITA support
+ --with-pcap=TYPE use packet capture TYPE
+- --without-libnl disable libnl support [default=yes, on Linux, if
+- present]
++ --without-libnl disable libnl support [default=disabled]
+ --with-dag[=DIR] include Endace DAG support (located in directory
+ DIR, if supplied). [default=yes, if present]
+ --with-dag-includes=IDIR
+@@ -6516,7 +6511,7 @@ else
+ fi
+ 
+ 
+- if test x$with_libnl != xno ; then
++ if test x$with_libnl = xyes ; then
+ have_any_nl="no"
+ 
+ incdir=-I/usr/include/libnl3
+@@ -8572,7 +8567,7 @@ if test "${enable_shared+set}" = set; then :
+ enableval=$enable_shared;
+ fi
+ 
+-test "x$enable_shared" = "xno" && DYEXT="none"
++test "x$enable_shared" != "xyes" && DYEXT="none"
+ 
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+@@ -10397,7 +10392,7 @@ $as_echo "#define LBL_ALIGN 1" >>confdefs.h
+ if test "${enable_usb+set}" = set; then :
+ enableval=$enable_usb;
+ else
+- enable_usb=yes
++ enable_usb=no
+ fi
+ 
+ 
+@@ -10646,7 +10641,7 @@ fi
+ if test "${enable_bluetooth+set}" = set; then :
+ enableval=$enable_bluetooth;
+ else
+- enable_bluetooth=ifsupportavailable
++ enable_bluetooth=no
+ fi
+ 
+ 
+@@ -10771,7 +10766,7 @@ fi
+ if test "${enable_dbus+set}" = set; then :
+ enableval=$enable_dbus;
+ else
+- enable_dbus=ifavailable
++ enable_dbus=no
+ fi
+ 
+ 
+@@ -11131,7 +11126,7 @@ ac_config_headers="$ac_config_headers config.h"
+ 
+ ac_config_commands="$ac_config_commands default-1"
+ 
+-ac_config_files="$ac_config_files Makefile pcap-filter.manmisc pcap-linktype.manmisc pcap-tstamp.manmisc pcap-savefile.manfile pcap.3pcap pcap_compile.3pcap pcap_datalink.3pcap pcap_dump_open.3pcap pcap_get_tstamp_precision.3pcap pcap_list_datalinks.3pcap pcap_list_tstamp_types.3pcap pcap_open_dead.3pcap pcap_open_offline.3pcap pcap_set_immediate_mode.3pcap pcap_set_tstamp_precision.3pcap pcap_set_tstamp_type.3pcap rpcapd/Makefile rpcapd/rpcapd.manadmin rpcapd/rpcapd-config.manfile testprogs/Makefile"
++ac_config_files="$ac_config_files Makefile pcap-filter.manmisc pcap-linktype.manmisc pcap-tstamp.manmisc pcap-savefile.manfile pcap.3pcap pcap_compile.3pcap pcap_datalink.3pcap pcap_dump_open.3pcap pcap_get_tstamp_precision.3pcap pcap_list_datalinks.3pcap pcap_list_tstamp_types.3pcap pcap_open_dead.3pcap pcap_open_offline.3pcap pcap_set_immediate_mode.3pcap pcap_set_tstamp_precision.3pcap pcap_set_tstamp_type.3pcap"
+ 
+ cat >confcache <<\_ACEOF
+ # This file is a shell script that caches the results of configure
+@@ -11851,10 +11846,6 @@ do
+ "pcap_set_immediate_mode.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_set_immediate_mode.3pcap" ;;
+ "pcap_set_tstamp_precision.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_set_tstamp_precision.3pcap" ;;
+ "pcap_set_tstamp_type.3pcap") CONFIG_FILES="$CONFIG_FILES pcap_set_tstamp_type.3pcap" ;;
+- "rpcapd/Makefile") CONFIG_FILES="$CONFIG_FILES rpcapd/Makefile" ;;
+- "rpcapd/rpcapd.manadmin") CONFIG_FILES="$CONFIG_FILES rpcapd/rpcapd.manadmin" ;;
+- "rpcapd/rpcapd-config.manfile") CONFIG_FILES="$CONFIG_FILES rpcapd/rpcapd-config.manfile" ;;
+- "testprogs/Makefile") CONFIG_FILES="$CONFIG_FILES testprogs/Makefile" ;;
+ 
+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
+ esac
+diff --git a/libpcap/configure.ac b/libpcap/configure.ac
+index eba2723..6255f07 100644
+--- a/libpcap/configure.ac
++++ b/libpcap/configure.ac
+@@ -847,10 +847,10 @@ linux)
+ # Do we have libnl?
+ #
+ AC_ARG_WITH(libnl,
+- AC_HELP_STRING([--without-libnl],[disable libnl support @<:@default=yes, on Linux, if present@:>@]),
++ AC_HELP_STRING([--without-libnl],[disable libnl support @<:@default=disabled@:>@]),
+ with_libnl=$withval,with_libnl=if_available)
+ 
+- if test x$with_libnl != xno ; then
++ if test x$with_libnl = xyes ; then
+ have_any_nl="no"
+ 
+ incdir=-I/usr/include/libnl3
+@@ -1993,8 +1993,8 @@ solaris*)
+ esac
+ 
+ AC_ARG_ENABLE(shared,
+-AC_HELP_STRING([--enable-shared],[build shared libraries @<:@default=yes, if support available@:>@]))
+-test "x$enable_shared" = "xno" && DYEXT="none"
++AC_HELP_STRING([--enable-shared],[build shared libraries @<:@default=no@:>@]))
++test "x$enable_shared" != "xyes" && DYEXT="none"
+ 
+ AC_PROG_RANLIB
+ AC_CHECK_TOOL([AR], [ar])
+@@ -2073,9 +2073,9 @@ AC_SUBST(RPCAPD_LIBS)
+ AC_SUBST(EXTRA_NETWORK_LIBS)
+ 
+ AC_ARG_ENABLE([usb],
+-[AC_HELP_STRING([--enable-usb],[enable USB capture support @<:@default=yes, if support available@:>@])],
++[AC_HELP_STRING([--enable-usb],[enable USB capture support @<:@default=no@:>@])],
+ [],
+- [enable_usb=yes])
++ [enable_usb=no])
+ 
+ if test "xxx_only" = yes; then
+ # User requested something-else-only pcap, so they don't
+@@ -2221,9 +2221,9 @@ fi
+ 
+ 
+ AC_ARG_ENABLE([bluetooth],
+-[AC_HELP_STRING([--enable-bluetooth],[enable Bluetooth support @<:@default=yes, if support available@:>@])],
++[AC_HELP_STRING([--enable-bluetooth],[enable Bluetooth support @<:@default=no@:>@])],
+ [],
+- [enable_bluetooth=ifsupportavailable])
++ [enable_bluetooth=no])
+ 
+ if test "xxx_only" = yes; then
+ # User requested something-else-only pcap, so they don't
+@@ -2306,9 +2306,9 @@ if test "x$enable_bluetooth" != "xno" ; then
+ fi
+ 
+ AC_ARG_ENABLE([dbus],
+-[AC_HELP_STRING([--enable-dbus],[enable D-Bus capture support @<:@default=yes, if support available@:>@])],
++[AC_HELP_STRING([--enable-dbus],[enable D-Bus capture support @<:@default=no@:>@])],
+ [],
+- [enable_dbus=ifavailable])
++ [enable_dbus=no])
+ 
+ if test "xxx_only" = yes; then
+ # User requested something-else-only pcap, so they don't
+@@ -2460,6 +2460,5 @@ AC_OUTPUT(Makefile pcap-filter.manmisc pcap-linktype.manmisc
+ pcap_list_tstamp_types.3pcap pcap_open_dead.3pcap
+ pcap_open_offline.3pcap pcap_set_immediate_mode.3pcap
+ pcap_set_tstamp_precision.3pcap pcap_set_tstamp_type.3pcap
+- rpcapd/Makefile rpcapd/rpcapd.manadmin rpcapd/rpcapd-config.manfile
+- testprogs/Makefile)
++ )
+ exit 0
+diff --git a/libpcap/Makefile.in b/libpcap/Makefile.in
+index e7f4167..8eed20d 100644
+--- a/libpcap/Makefile.in
++++ b/libpcap/Makefile.in
+@@ -729,8 +729,6 @@ uninstall-rpcapd:
+ 
+ clean:
+ rm -f $(CLEANFILES)
+- cd rpcapd; $(MAKE) clean
+- cd testprogs; $(MAKE) clean
+ 
+ distclean: clean
+ rm -f Makefile config.cache config.log config.status \
+@@ -738,8 +736,6 @@ distclean: clean
+ pcap-config stamp-h stamp-h.in
+ rm -f $(MAN3PCAP_EXPAND:.in=) $(MANFILE:.in=) $(MANMISC:.in=)
+ rm -rf autom4te.cache
+- cd rpcapd; $(MAKE) distclean
+- cd testprogs; $(MAKE) distclean
+ 
+ extags: $(TAGFILES)
+ ctags $(TAGFILES)
+@@ -758,5 +754,3 @@ releasetar:
+ 
+ depend: $(GENSRC) $(GENHDR)
+ $(MKDEP) -c "$(CC)" -m "$(DEPENDENCY_CFLAG)" $(CFLAGS) $(DEFS) $(INCLS) $(SRC)
+- cd rpcapd; $(MAKE) depend
+- cd testprogs; $(MAKE) depend
diff --git a/libpcap/NMAP_MODIFICATIONS/HOWTO-UPGRADE b/libpcap/NMAP_MODIFICATIONS/HOWTO-UPGRADE
new file mode 100644
index 000000000..7f01ff865
--- /dev/null
+++ b/libpcap/NMAP_MODIFICATIONS/HOWTO-UPGRADE
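Review bot: In the configure.ac hunk at line 847 the fallback is still `with_libnl=if_available`, but the new guard `if test x$with_libnl = xyes` treats that value, and any value other than the literal `yes`, as disabled, so the default's name no longer matches its effect. Setting the fallback to `with_libnl=no` and changing the help entry to `AC_HELP_STRING([--with-libnl],[enable libnl support @<:@default=no@:>@])` would make the option read the way it behaves; the hand-edited help line in `configure` needs the same wording. Separately, the configure help context in this patch still shows netmap and RDMA as `default=yes, if support available` and DAG as `default=yes, if present`, so the capture back ends compiled into the bundled libpcap still depend on what is installed on the build host. If the aim is a minimal, fixed feature set, those defaults deserve the same treatment or a comment saying why they stay.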
@@ -0,0 +1,30 @@
+Download libpcap-X.Y.tar.gz from http://www.tcpdump.org/#latest-release
+and verify the signature.
+
+cd
+# Make a copy of this directory.
+cp -r ~/nmap/libpcap/NMAP_MODIFICATIONS .
+tar xzvf libpcap-X.Y.tar.gz
+cd nmap
+rsync -rv --delete ~/libpcap-X.Y/ ~/nmap/libpcap/
+# Remove some things we don't want to ship
+rm -rf ~/nmap/libpcap/{rpcapd,testprogs,doc}
+# Apply patch to avoid those dirs
+git apply ~/NMAP_MODIFICATIONS/0002-Disable-unnecessary-features.patch
+git add -A libpcap
+cd libpcap
+autoconf
+./configure
+make
+git add grammar.[ch] scanner.[ch]
+cd ..
+# Apply remaining patches.
+git apply ~/NMAP_MODIFICATIONS/0001-Don-t-autogenerate-Lex-Yacc-files.patch
+# Make changes as necessary and update the patch files
+cd libpcap
+autoconf
+cd ..
+git add -u libpcap
+mv ~/NMAP_MODIFICATIONS libpcap/
+git add libpcap/NMAP_MODIFICATIONS
+git commit -m "Upgrade libpcap to X.Y."