From 9d02c5de5c2c5bb38d9a178631d324a6c3a1e0f4 Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Thu, 12 Mar 2026 14:21:50 +0800
Subject: [PATCH 1/4] fix CVE-2026-3203
---
 wireshark-4.6.3-CVE-2026-3203.patch | 36 +++++++++++++++++++++++++++++
 wireshark.spec | 1 +
 2 files changed, 37 insertions(+)
 create mode 100644 wireshark-4.6.3-CVE-2026-3203.patch
diff --git a/wireshark-4.6.3-CVE-2026-3203.patch b/wireshark-4.6.3-CVE-2026-3203.patch
new file mode 100644
index 0000000..f06d01e
--- /dev/null
+++ b/wireshark-4.6.3-CVE-2026-3203.patch
@@ -0,0 +1,36 @@
+From 0c4c5a531f5f8c7b8c7fcffe2178e2b3d00c6d43 Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Sat, 7 Feb 2026 02:31:46 +0000
+Subject: [PATCH] RF4CE: Check that the input data is long enough
+
+Prevent illegal memory access.
+
+Fix: #21009
+
+AI-Assisted: no
+
+
+(cherry picked from commit 17215397c1a5fbb2ef8764b3ec29ec45cde9c153)
+
+Co-authored-by: John Thacker
+
+
+---
+ epan/dissectors/packet-rf4ce-secur.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/epan/dissectors/packet-rf4ce-secur.c b/epan/dissectors/packet-rf4ce-secur.c
+index 3cf4099..09a0ae5 100644
+--- a/epan/dissectors/packet-rf4ce-secur.c
++++ b/epan/dissectors/packet-rf4ce-secur.c
+@@ -627,6 +627,10 @@ bool decrypt_data(
+ return false;
+ }
+
++ if (*len < payload_offset + RF4CE_CCM_M) {
++ return false;
++ }
++
+ while (idx < RF4CE_NWK_KEY_STORAGE_SIZE)
+ {
+ if (nwk_key_storage[idx].is_used)
diff --git a/wireshark.spec b/wireshark.spec
index f26b1ad..9b7ed3e 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -19,6 +19,7 @@ Patch3003: wireshark-0006-Move-tmp-to-var-tmp.patch
 Patch3004: wireshark-0007-cmakelists.patch
 Patch3005: wireshark-0008-pkgconfig.patch
 Patch3006: wireshark-0009-remove-strato-manpages.patch
+Patch0001: wireshark-4.6.3-CVE-2026-3203.patch
 BuildRequires: qt5-qtbase-devel qt5-qtmultimedia-devel qt5-qtsvg-devel
 BuildRequires: systemd-devel libnghttp2-devel systemd-rpm-macros qt5-qttools-devel qt5-linguist
--
Gitee
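Review bot: The guard added to decrypt_data() in the embedded packet-rf4ce-secur.c patch, `if (*len < payload_offset + RF4CE_CCM_M)`, has no comment saying which bytes it protects, and it returns the same bare `false` as the check above it, so a caller cannot tell a truncated frame from any other failure. I would add a comment such as `/* input must hold payload_offset header bytes plus the RF4CE_CCM_M-byte CCM tag */`; the meaning of RF4CE_CCM_M is inferred from its name, so confirm it against the definition. The declarations of `len` and `payload_offset` are not visible here, so it is worth confirming that the sum on the right-hand side cannot wrap for the types involved. decrypt_data's body starts and ends outside the hunk.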
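Review bot: This hunk only declares `Patch0001:` in wireshark.spec, and nothing visible in it shows the patch being applied, so the CVE fix reaches the build only if %prep applies every declared patch (for example through `%autosetup` or `%autopatch`). If %prep lists patches individually, each new tag needs a matching `%patch` line; the same applies to the `Patch0002:` and `Patch0003:` hunks later in this series. A one-line comment above the new tags, such as `# Security backports from upstream`, would also separate them from the Patch3003–Patch3006 group they are appended to. The %prep section is outside the hunk.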
From 70c5eb6a40f0f03e4ca7139567bc5ead68fc29a9 Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Thu, 12 Mar 2026 14:35:49 +0800
Subject: [PATCH 2/4] fix CVE-2026-3202
---
 wireshark-4.6.3-CVE-2026-3202.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 wireshark.spec | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 wireshark-4.6.3-CVE-2026-3202.patch
diff --git a/wireshark-4.6.3-CVE-2026-3202.patch b/wireshark-4.6.3-CVE-2026-3202.patch
new file mode 100644
index 0000000..5e86241
--- /dev/null
+++ b/wireshark-4.6.3-CVE-2026-3202.patch
@@ -0,0 +1,41 @@
+From 73d4e7eaff4b3b4323cf7e273c691ad4e19e9a40 Mon Sep 17 00:00:00 2001
+From: Pascal Quantin
+Date: Thu, 5 Feb 2026 19:55:45 +0100
+Subject: [PATCH] NTS-KE: check alpn string presence before calling strcmp()
+
+Fixed #21000
+
+AI-Assisted: no
+
+
+(cherry picked from commit 5fdfc5780454f9d41e7f462578126e1149f0a04d)
+
+Co-authored-by: Pascal Quantin
+
+
+---
+ epan/dissectors/packet-nts-ke.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-nts-ke.c b/epan/dissectors/packet-nts-ke.c
+index 8c766a0..0668cb9 100644
+--- a/epan/dissectors/packet-nts-ke.c
++++ b/epan/dissectors/packet-nts-ke.c
+@@ -461,6 +461,7 @@ dissect_nts_ke(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _
+ nts_cookie_t *cookie;
+ struct tcp_analysis *tcp_conv;
+ nts_used_frames_lookup_t lookup_data = {.tvb = tvb, .hfindex = hf_nts_ke_cookie_used_frame};
++ const char *alpn;
+
+ offset = 0;
+
+@@ -471,7 +472,8 @@ dissect_nts_ke(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _
+ nts_ke_tree = proto_item_add_subtree(ti, ett_nts_ke);
+
+ /* Error on ALPN mismatch */
+- if(strcmp(tls_get_alpn(pinfo), NTS_KE_ALPN) != 0)
++ alpn = tls_get_alpn(pinfo);
++ if(!alpn || strcmp(alpn, NTS_KE_ALPN) != 0)
+ expert_add_info(pinfo, nts_ke_tree, &ei_nts_ke_alpn_mismatch);
+
+ /* Conversation init */
diff --git a/wireshark.spec b/wireshark.spec
index 9b7ed3e..deed6e3 100644
--- a/wireshark.spec
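Review bot: With the new condition `if(!alpn || strcmp(alpn, NTS_KE_ALPN) != 0)` in the embedded packet-nts-ke.c patch, a conversation for which tls_get_alpn() returns NULL is reported through `ei_nts_ke_alpn_mismatch`, the same expert item as a wrong ALPN value, while the comment above still reads `/* Error on ALPN mismatch */`. If flagging a missing ALPN is intended, the comment should say so, e.g. `/* Error on missing or mismatched ALPN; tls_get_alpn() may return NULL */`. The `if` body is also left unbraced, so a second statement added later would run unconditionally; bracing the `expert_add_info(...)` call avoids that. dissect_nts_ke's body starts and ends outside both hunks.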
+++ b/wireshark.spec
@@ -20,6 +20,7 @@ Patch3004: wireshark-0007-cmakelists.patch
 Patch3005: wireshark-0008-pkgconfig.patch
 Patch3006: wireshark-0009-remove-strato-manpages.patch
 Patch0001: wireshark-4.6.3-CVE-2026-3203.patch
+Patch0002: wireshark-4.6.3-CVE-2026-3202.patch
 BuildRequires: qt5-qtbase-devel qt5-qtmultimedia-devel qt5-qtsvg-devel
 BuildRequires: systemd-devel libnghttp2-devel systemd-rpm-macros qt5-qttools-devel qt5-linguist
--
Gitee
From a7131caf28052dd16151dd7bf0e8b0e6ed968c37 Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Thu, 12 Mar 2026 14:50:01 +0800
Subject: [PATCH 3/4] fix CVE-2026-3201
---
 wireshark-4.6.3-CVE-2026-3201.patch | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 wireshark.spec | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 wireshark-4.6.3-CVE-2026-3201.patch
diff --git a/wireshark-4.6.3-CVE-2026-3201.patch b/wireshark-4.6.3-CVE-2026-3201.patch
new file mode 100644
index 0000000..5f401f2
--- /dev/null
+++ b/wireshark-4.6.3-CVE-2026-3201.patch
@@ -0,0 +1,53 @@
+From 168bf057756391ce517e5b02fee63f0361a3e430 Mon Sep 17 00:00:00 2001
+From: Michael Mann
+Date: Mon, 26 Jan 2026 16:44:37 +0000
+Subject: [PATCH] USB-HID: Bugfix resource exhaustion in
+ parse_report_descriptor()
+
+Sanity range check was removed in 739666a7f5acc270204980e01b4069caf5060f30, restore it
+
+AI-Assisted: no
+Fixes #20972
+
+
+(cherry picked from commit 6f753c79b7c8ac382e6383dfabd7d5be6e2b722c)
+
+Co-authored-by: Michael Mann
+
+
+---
+ epan/dissectors/packet-usb-hid.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-usb-hid.c b/epan/dissectors/packet-usb-hid.c
+index a8247ae..0c48617 100644
+--- a/epan/dissectors/packet-usb-hid.c
++++ b/epan/dissectors/packet-usb-hid.c
+@@ -3729,6 +3729,7 @@ hid_unpack_signed(uint8_t *data, unsigned int idx, unsigned int size, int32_t *v
+ return false;
+ }
+
++#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary
+ static bool
+ parse_report_descriptor(report_descriptor_t *rdesc)
+ {
+@@ -3910,7 +3911,7 @@ parse_report_descriptor(report_descriptor_t *rdesc)
+ }
+
+ /* Usage min and max must be on the same page */
+- if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
++ if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
+ goto err;
+ }
+
+@@ -3918,6 +3919,10 @@ parse_report_descriptor(report_descriptor_t *rdesc)
+ goto err;
+ }
+
++ if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) {
++ goto err;
++ }
++
+ /* min and max are inclusive */
+ wmem_array_grow(field.usages, usage_max - usage_min + 1);
+ for (uint32_t j = usage_min; j <= usage_max; j++) {
diff --git a/wireshark.spec b/wireshark.spec
index deed6e3..e5a205c 100644
--- a/wireshark.spec
+++ b/wireshark.spec
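Review bot: The restored limit in the embedded packet-usb-hid.c patch, `wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT`, appears to be evaluated in unsigned arithmetic (the loop below iterates with `uint32_t j`), so it is sound only while earlier checks keep `usage_max - usage_min` small and non-negative. The same-page check is visible in the second hunk; an ordering check is presumably the `goto err` that opens the third hunk, but that condition is outside the visible lines. A comment on the guard such as `/* relies on usage_min <= usage_max and a shared usage page, so the sum cannot wrap */` would record that dependency for anyone who later moves those checks. `MAX_REPORT_DESCRIPTOR_COUNT` is also named for descriptors while it caps the entries accumulated in `field.usages`, and `// Arbitrary` does not say what is limited; `/* cap on entries in field.usages; bounds allocation on malformed descriptors */` would be clearer. parse_report_descriptor's body continues outside the hunks.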
@@ -21,6 +21,7 @@ Patch3005: wireshark-0008-pkgconfig.patch Patch3006: wireshark-0009-remove-strato-manpages.patch Patch0001: wireshark-4.6.3-CVE-2026-3203.patch Patch0002: wireshark-4.6.3-CVE-2026-3202.patch +Patch0003: wireshark-4.6.3-CVE-2026-3201.patch BuildRequires: qt5-qtbase-devel qt5-qtmultimedia-devel qt5-qtsvg-devel BuildRequires: systemd-devel libnghttp2-devel systemd-rpm-macros qt5-qttools-devel qt5-linguist -- Gitee From 33294062ac15598d4977597755de5e9ddd874411 Mon Sep 17 00:00:00 2001 From: pkgagent Date: Thu, 12 Mar 2026 14:50:05 +0800 Subject: [PATCH 4/4] fix CVE-2026-3203, CVE-2026-3202, CVE-2026-3201 --- wireshark.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/wireshark.spec b/wireshark.spec index e5a205c..c39e8e9 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -4,7 +4,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 4.6.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL+ Url: http://www.wireshark.org/ @@ -213,6 +213,10 @@ fi %{_libdir}/cmake/%{name}/*.cmake %changelog +* Thu Mar 12 2026 PkgAgent Robot - 4.6.3-2 +- [Type] security +- [DESC] Fix CVE-2026-3203, CVE-2026-3202, CVE-2026-3201 + * Thu Jan 29 2026 Miaojun Dong - 4.6.3-1 - Upgrade to version 4.6.3 - Fix CVE-2026-0959, CVE-2026-0960, CVE-2026-0961 and CVE-2026-0962 -- Gitee