diff --git a/CVE-2023-1992.patch b/CVE-2023-1992.patch
new file mode 100644
index 0000000000000000000000000000000000000000..871744b7886d0bfb645cd9a2f4e37747ef287139
--- /dev/null
+++ b/CVE-2023-1992.patch
@@ -0,0 +1,61 @@
+From c224405c31688d351ed79a304fa491517f541191 Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Sun, 19 Mar 2023 15:16:39 -0400
+Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets
+
+Add a frame end routine for a global which is assigned to packet
+scoped memory. It really should be made proto data, but is used
+in a function in the header (that doesn't take the packet info
+struct as an argument) and this fix needs to be made in stable
+branches.
+
+Fix #18852
+
+
+(cherry picked from commit 3c8be14c827f1587da3c2b3bb0d9c04faff57413)
+---
+ epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
+index 177e772c44b..815f6a3fc76 100644
+--- a/epan/dissectors/packet-rpcrdma.c
++++ b/epan/dissectors/packet-rpcrdma.c
+@@ -24,6 +24,7 @@
+ #include
+
+ #include "packet-rpcrdma.h"
++#include "packet-frame.h"
+ #include "packet-infiniband.h"
+ #include "packet-iwarp-ddp-rdmap.h"
+
+@@ -271,6 +272,18 @@ void rpcrdma_insert_offset(gint offset)
+ wmem_array_append_one(gp_rdma_write_offsets, offset);
+ }
+
++/*
+ * Reset the array of write offsets at the end of the frame. These
+ * are packet scoped, so they don't need to be freed, but we want
+ * to ensure that the global doesn't point to no longer allocated
+ * memory in a later packet.
++ */
++static void
++reset_write_offsets(void)
++{
++ gp_rdma_write_offsets = NULL;
++}
++
+ /* Get conversation state, it is created if it does not exist */
+ static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
+ {
+@@ -1409,6 +1422,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
+ if (write_size > 0 && !pinfo->fd->visited) {
+ /* Initialize array of write chunk offsets */
+ gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
++ register_frame_end_routine(pinfo, reset_write_offsets);
+ TRY {
+ /*
+ * Call the upper layer dissector to get a list of offsets
+--
+GitLab
+
diff --git a/CVE-2023-1993.patch b/CVE-2023-1993.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9fedd941df98a7149c6f478bfc4d12443fd1cfd5
--- /dev/null
+++ b/CVE-2023-1993.patch
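Review bot: `rpcrdma_insert_offset`, visible as context in the `@@ -271` hunk, still hands `gp_rdma_write_offsets` to `wmem_array_append_one` unconditionally, and the new `reset_write_offsets` makes NULL a normal state for that global, so any path that reaches it after the frame-end routine has run, or in a frame where the array was never created (the allocation is guarded by `write_size > 0 && !pinfo->fd->visited`), would pass a NULL array. If every caller is already gated by a reduced-message check that reads this global, a comment on `rpcrdma_insert_offset` stating that invariant would suffice; otherwise `if (gp_rdma_write_offsets) wmem_array_append_one(gp_rdma_write_offsets, offset);` closes the gap independently of call ordering. The `register_frame_end_routine` call sits before `TRY`, so the reset is registered even if the upper-layer dissector throws; that ordering is deliberate and deserves a one-line comment such as `/* Registered before TRY so the reset still runs when the upper-layer dissector throws */`. `dissect_rpcrdma` starts and ends outside the hunk.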
@@ -0,0 +1,96 @@
+From 646b1313038487f7c04bf0ada7960ad906a01408 Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Fri, 10 Mar 2023 22:55:54 -0500
+Subject: [PATCH] LISP: Don't go past a LCAF payload length
+
+The LISP Canonical Address Format has a payload length indicator.
+Use that to create a payload tvb and don't dissect outside the
+payload length. With fuzzed and malformed packets, this was causing
+the same bytes to be dissected many times, particularly in the
+recursive address types.
+
+A LCAF would be dissected outside the payload region, but then
+elsewhere the offset was only advanced by the payload length.
+
+Fix #18900
+
+(cherry picked from commit b911cf286f495ba068c77b8b2b3445d1a325a819)
+---
+ epan/dissectors/packet-lisp.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/epan/dissectors/packet-lisp.c b/epan/dissectors/packet-lisp.c
+index fe93d360c71..e8468c1d8bb 100644
+--- a/epan/dissectors/packet-lisp.c
++++ b/epan/dissectors/packet-lisp.c
+@@ -1825,6 +1825,7 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
+ guint16 len;
+ proto_item *tir, *ti_header, *ti_flags, *ti;
+ proto_tree *lcaf_tree, *lcaf_header_tree, *flags_tree;
++ tvbuff_t *payload_tvb;
+
+ len = tvb_get_ntohs(tvb, offset + 4);
+
+@@ -1869,46 +1870,47 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
+ proto_tree_add_item(lcaf_header_tree, hf_lisp_lcaf_length, tvb, offset, 2, ENC_BIG_ENDIAN);
+ offset += 2;
+
++ payload_tvb = tvb_new_subset_length(tvb, 0, offset + len);
+ ti = (tip) ? tip : tir;
+
+ switch (lcaf_type) {
+ case LCAF_NULL:
+ break;
+ case LCAF_AFI_LIST:
+- offset = dissect_lcaf_afi_list(tvb, pinfo, lcaf_tree, offset, len);
++ offset = dissect_lcaf_afi_list(payload_tvb, pinfo, lcaf_tree, offset, len);
+ break;
+ case LCAF_IID:
+- offset = dissect_lcaf_iid(tvb, pinfo, lcaf_tree, offset, ti);
++ offset = dissect_lcaf_iid(payload_tvb, pinfo, lcaf_tree, offset, ti);
+ break;
+ case LCAF_ASN:
+- offset = dissect_lcaf_asn(tvb, pinfo, lcaf_tree, offset, ti);
++ offset = dissect_lcaf_asn(payload_tvb, pinfo, lcaf_tree, offset, ti);
+ break;
+ case LCAF_GEO:
+- offset = dissect_lcaf_geo(tvb, pinfo, lcaf_tree, offset, ti);
++ offset = dissect_lcaf_geo(payload_tvb, pinfo, lcaf_tree, offset, ti);
+ break;
+ case LCAF_NATT:
+- offset = dissect_lcaf_natt(tvb, pinfo, lcaf_tree, offset, len);
++ offset = dissect_lcaf_natt(payload_tvb, pinfo, lcaf_tree, offset, len);
+ break;
+ case LCAF_NONCE_LOC:
+- offset = dissect_lcaf_nonce_loc(tvb, pinfo, lcaf_tree, offset, ti);
++ offset = dissect_lcaf_nonce_loc(payload_tvb, pinfo, lcaf_tree, offset, ti);
+ break;
+ case LCAF_MCAST_INFO:
+- offset = dissect_lcaf_mcast_info(tvb, pinfo, lcaf_tree, offset, ti);
++ offset = dissect_lcaf_mcast_info(payload_tvb, pinfo, lcaf_tree, offset, ti);
+ break;
+ case LCAF_ELP:
+- offset = dissect_lcaf_elp(tvb, pinfo, lcaf_tree, offset, len, ti);
++ offset = dissect_lcaf_elp(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
+ break;
+ case LCAF_SRC_DST_KEY:
+- offset = dissect_lcaf_src_dst_key(tvb, pinfo, lcaf_tree, offset, ti);
++ offset = dissect_lcaf_src_dst_key(payload_tvb, pinfo, lcaf_tree, offset, ti);
+ break;
+ case LCAF_RLE:
+- offset = dissect_lcaf_rle(tvb, pinfo, lcaf_tree, offset, len, ti);
++ offset = dissect_lcaf_rle(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
+ break;
+ case LCAF_KV_ADDR_PAIR:
+- offset = dissect_lcaf_kv_addr_pair(tvb, pinfo, lcaf_tree, offset);
++ offset = dissect_lcaf_kv_addr_pair(payload_tvb, pinfo, lcaf_tree, offset);
+ break;
+ case LCAF_VENDOR:
+- offset = dissect_lcaf_vendor(tvb, pinfo, lcaf_tree, offset, len);
++ offset = dissect_lcaf_vendor(payload_tvb, pinfo, lcaf_tree, offset, len);
+ break;
+ default:
+ proto_tree_add_expert(tree, pinfo, &ei_lisp_undecoded, tvb, offset, len);
+--
+GitLab
+
diff --git a/CVE-2023-1994.patch b/CVE-2023-1994.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8ab3a61ec05246cf80fed3111ffc10839861aed1
--- /dev/null
+++ b/CVE-2023-1994.patch
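Review bot: `payload_tvb = tvb_new_subset_length(tvb, 0, offset + len)` takes `len` exactly as read by `tvb_get_ntohs(tvb, offset + 4)` at the top of `dissect_lcaf`, so a declared length larger than the captured bytes makes the subset call throw before the `switch` is reached; that is the normal malformed-packet path for a dissector, but starting the subset at 0 rather than at `offset` (so that `offset` keeps its absolute meaning for the per-type helpers) is non-obvious and should be commented, e.g. `/* Bound the per-type dissectors to the declared LCAF payload; start at 0 so offset stays absolute */`. The helpers still return the offset they actually consumed and nothing in this hunk compares it with `offset + len`; if the callers advance by the declared length as the commit message says, a mismatch would be worth an expert item instead of being silently ignored, though the return value may be checked after the `switch`, which is outside the hunk. The `default` branch keeps using `tvb` for `proto_tree_add_expert`, which is consistent since it does not recurse. `dissect_lcaf` starts and ends outside the hunk.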
@@ -0,0 +1,51 @@
+From 8970fc17e8a9d48bc746855a7f2a7a3b1bd6a00e Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Sun, 2 Apr 2023 15:29:12 -0700
+Subject: [PATCH] GQUIC: Fix a null pointer exception
+
+Ensure that dissect_gquic_frame_type has a valid info pointer.
+
+Fixes #18947.
+
+(cherry picked from commit ee314ace8ae2d2fa8c6f7280231010252054fd7b)
+---
+ epan/dissectors/packet-gquic.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gquic.c b/epan/dissectors/packet-gquic.c
+index c9e1be63069..66115ce14e0 100644
+--- a/epan/dissectors/packet-gquic.c
++++ b/epan/dissectors/packet-gquic.c
+@@ -204,6 +204,7 @@ static expert_field ei_gquic_tag_unknown = EI_INIT;
+ static expert_field ei_gquic_version_invalid = EI_INIT;
+ static expert_field ei_gquic_invalid_parameter = EI_INIT;
+ static expert_field ei_gquic_length_invalid = EI_INIT;
++static expert_field ei_gquic_data_invalid = EI_INIT;
+
+ static const value_string gquic_short_long_header_vals[] = {
+ { 0, "Short Header" },
+@@ -1743,6 +1744,11 @@ dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint
+
+ int
+ dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint8 len_pkn, gquic_info_data_t *gquic_info){
++ if (!gquic_info) {
++ expert_add_info(pinfo, gquic_tree, &ei_gquic_data_invalid);
++ return offset + tvb_reported_length_remaining(tvb, offset);
++ }
++
+ proto_item *ti, *ti_ft, *ti_ftflags /*, *expert_ti*/;
+ proto_tree *ft_tree, *ftflags_tree;
+ guint8 frame_type;
+@@ -3244,7 +3250,8 @@ proto_register_gquic(void)
+ { &ei_gquic_tag_unknown, { "gquic.tag.unknown.data", PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
+ { &ei_gquic_version_invalid, { "gquic.version.invalid", PI_MALFORMED, PI_ERROR, "Invalid Version", EXPFILL }},
+ { &ei_gquic_invalid_parameter, { "gquic.invalid.parameter", PI_MALFORMED, PI_ERROR, "Invalid Parameter", EXPFILL }},
+- { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }}
++ { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }},
++ { &ei_gquic_data_invalid, { "gquic.data.invalid", PI_PROTOCOL, PI_WARN, "Invalid Data", EXPFILL }},
+ };
+
+ expert_module_t *expert_gquic;
+--
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index f14afe4c1faeeb227c0cee2826ee7b59af11d5fe..a1a0028c96fe271167e0e877ba7dba254d3d7019 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.11
-Release: 2
+Release: 3
Epoch: 1 License: GPL+ Url: http://www.wireshark.org/
@@ -22,6 +22,9 @@ Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch7: wireshark-0007-cmakelists.patch Patch8: CVE-2023-1161.patch
+Patch9: CVE-2023-1992.patch
+Patch10: CVE-2023-1993.patch
+Patch11: CVE-2023-1994.patch
Requires: xdg-utils Requires: hicolor-icon-theme
@@ -196,6 +199,9 @@ exit 0 %{_mandir}/man?/* %changelog
+* Mon Apr 24 2023 yaoxin - 1:3.6.11-3
+- Fix CVE-2023-1992,CVE-2023-1993 and CVE-2023-1994
+
* Mon Mar 27 2023 yaoxin - 1:3.6.11-2 - Fix CVE-2023-1161
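Review bot: The new guard at the top of `dissect_gquic_frame_type` returns `offset + tvb_reported_length_remaining(tvb, offset)` with no explanation; since the function returns `int` while `offset` is `guint`, the sum is computed unsigned and converted on return, and the intent (consume the rest of the buffer so the caller's frame loop stops, presumably) should be stated, e.g. `/* No per-connection info: flag it and consume the remaining bytes so the caller stops iterating frames */`. Placing the guard above the local declarations also differs from the declaration-first layout visible in this file's other functions; moving it below the local declarations keeps the style consistent with no change in behavior. The new expert item is registered as `PI_PROTOCOL`/`PI_WARN` "Invalid Data", whereas the neighbouring `ei_gquic_version_invalid` and `ei_gquic_invalid_parameter` use `PI_MALFORMED`/`PI_ERROR`; if a missing `gquic_info` means the packet could not be associated with a connection because it is malformed, the severity and group should match those. The function body continues outside the hunk.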