From 1e0bda300f04b88b4162402e9a66904566fc1bf2 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 30 May 2023 16:45:45 +0800 Subject: [PATCH] Fix CVE-2023-0668,CVE-2023-2855,CVE-2023-2856,CVE-2023-2857,CVE-2023-2858 and CVE-2023-2879 (cherry picked from commit 7d1420650b4a1aaece1531b13ecee97e758135df) --- CVE-2023-0668.patch | 32 +++++++ CVE-2023-2855.patch | 105 +++++++++++++++++++++ CVE-2023-2856.patch | 66 +++++++++++++ CVE-2023-2857.patch | 219 ++++++++++++++++++++++++++++++++++++++++++++ CVE-2023-2858.patch | 93 +++++++++++++++++++ CVE-2023-2879.patch | 36 ++++++++ wireshark.spec | 11 ++- 7 files changed, 561 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-0668.patch create mode 100644 CVE-2023-2855.patch create mode 100644 CVE-2023-2856.patch create mode 100644 CVE-2023-2857.patch create mode 100644 CVE-2023-2858.patch create mode 100644 CVE-2023-2879.patch diff --git a/CVE-2023-0668.patch b/CVE-2023-0668.patch new file mode 100644 index 0000000..768cf53 --- /dev/null +++ b/CVE-2023-0668.patch @@ -0,0 +1,32 @@ +From c23343d2213c04b26a4810c0894ea2bb2cefec82 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 + + +(cherry picked from commit c4f37d77b29ec6a9754795d0efb6f68d633728d9) +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 12b388b3667..fbde8756ef3 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +GitLab + diff --git a/CVE-2023-2855.patch b/CVE-2023-2855.patch new file mode 100644 index 0000000..8e7476e --- /dev/null +++ b/CVE-2023-2855.patch @@ -0,0 +1,105 @@ +From 9ce7445be0b38c4df824671ffe196177c2bd107e Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +(backported from commit 0181fafb2134a177328443a60b5e29c4ee1041cb) +--- + wiretap/candump.c | 39 +++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 28fda911072..f548cb0b6e6 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -34,8 +34,9 @@ void register_candump(void); + * This is written by the candump utility on Linux. + */ + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -67,6 +68,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + canfd_frame_t canfd_frame = {0}; + ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -78,6 +91,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + can_frame_t can_frame = {0}; + ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); +@@ -93,6 +118,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -199,9 +226,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + candump_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -225,9 +250,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static const struct supported_block_type candump_blocks_supported[] = { +-- +GitLab + diff --git a/CVE-2023-2856.patch b/CVE-2023-2856.patch new file mode 100644 index 0000000..ec082d7 --- /dev/null +++ b/CVE-2023-2856.patch @@ -0,0 +1,66 @@ +From 1c264ced5701dd7ec22f425ee82c9e7abc45fe94 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +(backported from commit db5135826de3a5fdb3618225c2ff02f4207012ca) +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 600282e506c..7f82461570c 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +GitLab + diff --git a/CVE-2023-2857.patch b/CVE-2023-2857.patch new file mode 100644 index 0000000..eee6643 --- /dev/null +++ b/CVE-2023-2857.patch @@ -0,0 +1,219 @@ +From 6c7199da0c84a966ac9b06cd7fbb6aa0ccff9acb Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 16 May 2023 18:09:41 -0700 +Subject: [PATCH] blf: add some sanity checks. + +Have blf_pull_logcontainer_into_memory() return a libwiretap error code +and additional information string, including various values being +inconsistent. + +(If any of those correspond to identifiable file problems, they should +be reported with WTAP_ERR_BAD_FILE and with a description more relevant +to somebody writing code to write those files.) + +Fixes #19063. + +(backported from commit c899be35a94440b6c46cf5715c5f24eda597f4c1) +--- + wiretap/blf.c | 134 +++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 115 insertions(+), 19 deletions(-) + +diff --git a/wiretap/blf.c b/wiretap/blf.c +index 92b7f55ed56..ed2ee5f7135 100644 +--- a/wiretap/blf.c ++++ b/wiretap/blf.c +@@ -433,12 +433,18 @@ blf_find_logcontainer_for_address(blf_t *blf_data, gint64 pos, blf_log_container + } + + static gboolean +-blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container) { ++blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container, int *err, gchar **err_info) { + blf_t *blf_data = params->blf_data; + blf_log_container_t tmp; + + if (index_log_container >= blf_data->log_containers->len) { +- ws_debug("cannot pull an unknown log container into memory"); ++ /* ++ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a ++ * malformed file (WTAP_ERR_BAD_FILE)? ++ */ ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: index_log_container (%u) >= blf_data->log_containers->len (%u)", ++ index_log_container, blf_data->log_containers->len); + return FALSE; + } + +@@ -450,20 +456,56 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe + + if (tmp.compression_method == BLF_COMPRESSION_ZLIB) { + #ifdef HAVE_ZLIB +- int err = 0; +- gchar *err_info; +- +- file_seek(params->fh, tmp.infile_data_start, SEEK_SET, &err); +- if (err < 0) { +- ws_debug("cannot seek to start of log_container"); ++ if (file_seek(params->fh, tmp.infile_data_start, SEEK_SET, err) == -1) { + return FALSE; + } + + /* pull compressed data into buffer */ + unsigned char *compressed_data = g_try_malloc0((gsize)tmp.infile_length); +- guint64 data_length = (unsigned int)tmp.infile_length - (tmp.infile_data_start - tmp.infile_start_pos); +- if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, &err, &err_info)) { +- ws_debug("cannot read compressed data"); ++ if (tmp.infile_start_pos < 0) { ++ /* ++ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a ++ * malformed file (WTAP_ERR_BAD_FILE)? ++ */ ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_start_pos (%" G_GINT64_FORMAT ") < 0", ++ tmp.infile_start_pos); ++ return FALSE; ++ } ++ if (tmp.infile_data_start < (guint64)tmp.infile_start_pos) { ++ /* ++ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a ++ * malformed file (WTAP_ERR_BAD_FILE)? ++ */ ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_data_start (%" G_GUINT64_FORMAT ") < tmp.infile_start_pos (%" G_GINT64_FORMAT ")", ++ tmp.infile_data_start, tmp.infile_start_pos); ++ return FALSE; ++ } ++ if (tmp.infile_length < tmp.infile_data_start - (guint64)tmp.infile_start_pos) { ++ /* ++ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a ++ * malformed file (WTAP_ERR_BAD_FILE)? ++ */ ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_length (%" G_GUINT64_FORMAT ") < (tmp.infile_data_start (%" G_GUINT64_FORMAT ") - tmp.infile_start_pos (%" G_GINT64_FORMAT ")) = %" G_GUINT64_FORMAT, ++ tmp.infile_length, ++ tmp.infile_data_start, tmp.infile_start_pos, ++ tmp.infile_data_start - (guint64)tmp.infile_start_pos); ++ return FALSE; ++ } ++ guint64 data_length = tmp.infile_length - (tmp.infile_data_start - (guint64)tmp.infile_start_pos); ++ if (data_length > UINT_MAX) { ++ /* ++ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a ++ * malformed file (WTAP_ERR_BAD_FILE)? ++ */ ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: data_length (%" G_GUINT64_FORMAT ") > UINT_MAX", ++ data_length); ++ return FALSE; ++ } ++ if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, err, err_info)) { + return FALSE; + } + +@@ -477,6 +519,18 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe + + /* the actual DE-compression work. */ + if (Z_OK != inflateInit(&infstream)) { ++ /* ++ * XXX - check the error code and handle this appropriately. ++ */ ++ *err = WTAP_ERR_INTERNAL; ++ if (infstream.msg != NULL) { ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d, message\"%s\"", ++ index_log_container, ++ infstream.msg); ++ } else { ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d", ++ index_log_container); ++ } + ws_debug("inflateInit failed for LogContainer %d", index_log_container); + if (infstream.msg != NULL) { + ws_debug("inflateInit returned: \"%s\"", infstream.msg); +@@ -487,6 +541,50 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe + int ret = inflate(&infstream, Z_NO_FLUSH); + /* Z_OK should not happen here since we know how big the buffer should be */ + if (Z_STREAM_END != ret) { ++ switch (ret) { ++ ++ case Z_NEED_DICT: ++ *err = WTAP_ERR_DECOMPRESS; ++ *err_info = g_strdup("preset dictionary needed"); ++ break; ++ ++ case Z_STREAM_ERROR: ++ *err = WTAP_ERR_DECOMPRESS; ++ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL; ++ break; ++ ++ case Z_MEM_ERROR: ++ /* This means "not enough memory". */ ++ *err = ENOMEM; ++ *err_info = NULL; ++ break; ++ ++ case Z_DATA_ERROR: ++ /* This means "deflate stream invalid" */ ++ *err = WTAP_ERR_DECOMPRESS; ++ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL; ++ break; ++ ++ case Z_BUF_ERROR: ++ /* XXX - this is recoverable; what should we do here? */ ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_BUF_ERROR from inflate(), message \"%s\"", ++ (infstream.msg != NULL) ? infstream.msg : "(none)"); ++ break; ++ ++ case Z_VERSION_ERROR: ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_VERSION_ERROR from inflate(), message \"%s\"", ++ (infstream.msg != NULL) ? infstream.msg : "(none)"); ++ break; ++ ++ default: ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: unexpected error %d from inflate(), message \"%s\"", ++ ret, ++ (infstream.msg != NULL) ? infstream.msg : "(none)"); ++ break; ++ } + ws_debug("inflate failed (return code %d) for LogContainer %d", ret, index_log_container); + if (infstream.msg != NULL) { + ws_debug("inflate returned: \"%s\"", infstream.msg); +@@ -495,6 +593,9 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe + } + + if (Z_OK != inflateEnd(&infstream)) { ++ /* Returns either Z_OK or Z_STREAM_ERROR. */ ++ *err = WTAP_ERR_DECOMPRESS; ++ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL; + ws_debug("inflateEnd failed for LogContainer %d", index_log_container); + if (infstream.msg != NULL) { + ws_debug("inflateEnd returned: \"%s\"", infstream.msg); +@@ -506,6 +607,8 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe + g_array_index(blf_data->log_containers, blf_log_container_t, index_log_container) = tmp; + return TRUE; + #else ++ *err = WTAP_ERR_DECOMPRESSION_NOT_SUPPORTED; ++ *err_info = NULL; + return FALSE; + #endif + } +@@ -593,14 +696,7 @@ blf_read_bytes_or_eof(blf_params_t *params, guint64 real_pos, void *target_buffe + + case BLF_COMPRESSION_ZLIB: + while (current_container_index <= end_container_index) { +- if (!blf_pull_logcontainer_into_memory(params, current_container_index)) { +- /* +- * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a +- * malformed file (WTAP_ERR_BAD_FILE)? +- */ +- *err = WTAP_ERR_INTERNAL; +- *err_info = g_strdup_printf("blf_read_bytes_or_eof: cannot pull in container"); +- ws_debug("cannot pull in container"); ++ if (!blf_pull_logcontainer_into_memory(params, current_container_index, err, err_info)) { + return FALSE; + } + +-- +GitLab + diff --git a/CVE-2023-2858.patch b/CVE-2023-2858.patch new file mode 100644 index 0000000..fac5147 --- /dev/null +++ b/CVE-2023-2858.patch @@ -0,0 +1,93 @@ +From a0403c4b396adacd666d8ebd3b97506e355e646c Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + + +(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105) +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 8dcbd42a089..b94caca0869 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + (rec)->block = wtap_block_create(WTAP_BLOCK_PACKET);\ + TIMEDEFV##ver((rec),fp,type);\ +@@ -1615,7 +1621,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +GitLab + diff --git a/CVE-2023-2879.patch b/CVE-2023-2879.patch new file mode 100644 index 0000000..b47d631 --- /dev/null +++ b/CVE-2023-2879.patch @@ -0,0 +1,36 @@ +From 3412780abd6f44ff1613cd1472c867b8372de24c Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 13 May 2023 21:45:16 -0400 +Subject: [PATCH] GDSDB: Make sure our offset advances. + +add_uint_string() returns the next offset to use, not the number +of bytes consumed. So to consume all the bytes and make sure the +offset advances, return the entire reported tvb length, not the +number of bytes remaining. + +Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f + +Fixes #19068 + + +(cherry picked from commit 118815ca7c9f82c1f83f8f64d9e0e54673f31677) +--- + epan/dissectors/packet-gdsdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c +index 13ba8b37628..e2dd332ca85 100644 +--- a/epan/dissectors/packet-gdsdb.c ++++ b/epan/dissectors/packet-gdsdb.c +@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o + int ret_offset = offset + length; + if (length < 4 || ret_offset < offset) { + expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length); +- return tvb_reported_length_remaining(tvb, offset); ++ return tvb_reported_length(tvb); + } + return ret_offset; + } +-- +GitLab + diff --git a/wireshark.spec b/wireshark.spec index 24153dd..896a170 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.11 -Release: 3 +Release: 4 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -25,6 +25,12 @@ Patch8: CVE-2023-1161.patch Patch9: CVE-2023-1992.patch Patch10: CVE-2023-1993.patch Patch11: CVE-2023-1994.patch +Patch12: CVE-2023-0668.patch +Patch13: CVE-2023-2855.patch +Patch14: CVE-2023-2856.patch +Patch15: CVE-2023-2857.patch +Patch16: CVE-2023-2858.patch +Patch17: CVE-2023-2879.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -199,6 +205,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Tue May 30 2023 yaoxin - 1:3.6.11-4 +- Fix CVE-2023-0668,CVE-2023-2855,CVE-2023-2856,CVE-2023-2857,CVE-2023-2858 and CVE-2023-2879 + * Mon Apr 24 2023 yaoxin - 1:3.6.11-3 - Fix CVE-2023-1992,CVE-2023-1993 and CVE-2023-1994 -- Gitee