diff --git a/CVE-2023-0668.patch b/CVE-2023-0668.patch
deleted file mode 100644
index 768cf53d8c3008d55ecb8457c7a8d5bf8df2ecaf..0000000000000000000000000000000000000000
--- a/CVE-2023-0668.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c23343d2213c04b26a4810c0894ea2bb2cefec82 Mon Sep 17 00:00:00 2001
-From: John Thacker
-Date: Sat, 20 May 2023 23:08:08 -0400
-Subject: [PATCH] synphasor: Use val_to_str_const
-
-Don't use a value from packet data to directly index a value_string,
-particularly when the value string doesn't cover all possible values.
-
-Fix #19087
-
-
-(cherry picked from commit c4f37d77b29ec6a9754795d0efb6f68d633728d9)
----
- epan/dissectors/packet-synphasor.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c
-index 12b388b3667..fbde8756ef3 100644
---- a/epan/dissectors/packet-synphasor.c
-+++ b/epan/dissectors/packet-synphasor.c
-@@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c
-
- data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4,
- ett_conf_phflags, NULL, "Phasor Data flags: %s",
-- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr);
-+ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown"));
-
- /* first and second bytes - phasor modification flags*/
- phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags,
---
-GitLab
-
diff --git a/CVE-2023-1161.patch b/CVE-2023-1161.patch
deleted file mode 100644
index 94b2a90051498b7f5ce1f21e5f35a03c9bb9cfb0..0000000000000000000000000000000000000000
--- a/CVE-2023-1161.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 51e23ea7fd49cb04ba33db3bfbeba690a2f7c5b4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dr=2E=20Lars=20V=C3=B6lker?=
-
-Date: Fri, 3 Feb 2023 19:42:03 +0100
-Subject: [PATCH] ISO15765/ISO10681 memory corruption bugfix
-
-Fixes a situation in which the code wrote behind the frag_id_high array
-and corrupted memory.
-
-Closes #18839
----
- epan/dissectors/packet-iso10681.c | 7 ++++++-
- epan/dissectors/packet-iso15765.c | 8 ++++++--
- 2 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/epan/dissectors/packet-iso10681.c b/epan/dissectors/packet-iso10681.c
-index 9e749eea8cf..6772e936e06 100644
---- a/epan/dissectors/packet-iso10681.c
-+++ b/epan/dissectors/packet-iso10681.c
-@@ -340,7 +340,12 @@ dissect_iso10681(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 fr
- }
-
- if (!(pinfo->fd->visited)) {
-- frag_id += ((iso10681_frame->frag_id_high[frag_id]++) * 16);
-+ DISSECTOR_ASSERT(frag_id < 16);
-+ guint16 tmp = iso10681_frame->frag_id_high[frag_id]++;
-+ /* Make sure that we assert on using more than 4096 (16*255) segments.*/
-+ DISSECTOR_ASSERT(iso10681_frame->frag_id_high[frag_id] != 0);
-+ frag_id += tmp * 16;
-+
- /* Save the frag_id for subsequent dissection */
- iso10681_info->frag_id = frag_id;
- }
-diff --git a/epan/dissectors/packet-iso15765.c b/epan/dissectors/packet-iso15765.c
-index 3157397bf21..4c73927c807 100644
---- a/epan/dissectors/packet-iso15765.c
-+++ b/epan/dissectors/packet-iso15765.c
-@@ -573,14 +573,18 @@ dissect_iso15765(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 bu
- tvbuff_t *new_tvb = NULL;
- iso15765_frame_t *iso15765_frame;
- guint16 frag_id = frag_id_low;
--
- /* Get frame information */
- iso15765_frame = (iso15765_frame_t *)wmem_map_lookup(iso15765_frame_table,
- GUINT_TO_POINTER(iso15765_info->seq));
-
- if (iso15765_frame != NULL) {
- if (!(pinfo->fd->visited)) {
-- frag_id += ((iso15765_frame->frag_id_high[frag_id]++) * 16);
-+ DISSECTOR_ASSERT(frag_id < 16);
-+ guint16
tmp = iso15765_frame->frag_id_high[frag_id]++;
-+ /* Make sure that we assert on using more than 4096 (16*255) segments.*/
-+ DISSECTOR_ASSERT(iso15765_frame->frag_id_high[frag_id] != 0);
-+ frag_id += tmp * 16;
-+
- /* Save the frag_id for subsequent dissection */
- iso15765_info->frag_id = frag_id;
-
---
-GitLab
-
diff --git a/CVE-2023-1992.patch b/CVE-2023-1992.patch
deleted file mode 100644
index 871744b7886d0bfb645cd9a2f4e37747ef287139..0000000000000000000000000000000000000000
--- a/CVE-2023-1992.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From c224405c31688d351ed79a304fa491517f541191 Mon Sep 17 00:00:00 2001
-From: John Thacker
-Date: Sun, 19 Mar 2023 15:16:39 -0400
-Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets
-
-Add a frame end routine for a global which is assigned to packet
-scoped memory. It really should be made proto data, but is used
-in a function in the header (that doesn't take the packet info
-struct as an argument) and this fix needs to be made in stable
-branches.
-
-Fix #18852
-
-
-(cherry picked from commit 3c8be14c827f1587da3c2b3bb0d9c04faff57413)
----
- epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
-index 177e772c44b..815f6a3fc76 100644
---- a/epan/dissectors/packet-rpcrdma.c
-+++ b/epan/dissectors/packet-rpcrdma.c
-@@ -24,6 +24,7 @@
- #include
-
- #include "packet-rpcrdma.h"
-+#include "packet-frame.h"
- #include "packet-infiniband.h"
- #include "packet-iwarp-ddp-rdmap.h"
-
-@@ -271,6 +272,18 @@ void rpcrdma_insert_offset(gint offset)
- wmem_array_append_one(gp_rdma_write_offsets, offset);
- }
-
-+/*
-+ * Reset the array of write offsets at the end of the frame. These
-+ * are packet scoped, so they don't need to be freed, but we want
-+ * to ensure that the global doesn't point to no longer allocated
-+ * memory in a later packet.
-+ */
-+static void
-+reset_write_offsets(void)
-+{
-+ gp_rdma_write_offsets = NULL;
-+}
-+
- /* Get conversation state, it is created if it does not exist */
- static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
- {
-@@ -1409,6 +1422,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
- if (write_size > 0 && !pinfo->fd->visited) {
- /* Initialize array of write chunk offsets */
- gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
-+ register_frame_end_routine(pinfo, reset_write_offsets);
- TRY {
- /*
- * Call the upper layer dissector to get a list of offsets
---
-GitLab
-
diff --git a/CVE-2023-1993.patch b/CVE-2023-1993.patch
deleted file mode 100644
index 9fedd941df98a7149c6f478bfc4d12443fd1cfd5..0000000000000000000000000000000000000000
--- a/CVE-2023-1993.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 646b1313038487f7c04bf0ada7960ad906a01408 Mon Sep 17 00:00:00 2001
-From: John Thacker
-Date: Fri, 10 Mar 2023 22:55:54 -0500
-Subject: [PATCH] LISP: Don't go past a LCAF payload length
-
-The LISP Canonical Address Format has a payload length indicator.
-Use that to create a payload tvb and don't dissect outside the
-payload length. With fuzzed and malformed packets, this was causing
-the same bytes to be dissected many times, particularly in the
-recursive address types.
-
-A LCAF would be dissected outside the payload region, but then
-elsewhere the offset was only advanced by the payload length.
-
-Fix #18900
-
-(cherry picked from commit b911cf286f495ba068c77b8b2b3445d1a325a819)
----
- epan/dissectors/packet-lisp.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/epan/dissectors/packet-lisp.c b/epan/dissectors/packet-lisp.c
-index fe93d360c71..e8468c1d8bb 100644
---- a/epan/dissectors/packet-lisp.c
-+++ b/epan/dissectors/packet-lisp.c
-@@ -1825,6 +1825,7 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
- guint16 len;
- proto_item *tir, *ti_header, *ti_flags, *ti;
- proto_tree *lcaf_tree, *lcaf_header_tree, *flags_tree;
-+ tvbuff_t *payload_tvb;
-
- len = tvb_get_ntohs(tvb, offset + 4);
-
-@@ -1869,46 +1870,47 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
- proto_tree_add_item(lcaf_header_tree, hf_lisp_lcaf_length, tvb, offset, 2, ENC_BIG_ENDIAN);
- offset += 2;
-
-+ payload_tvb = tvb_new_subset_length(tvb, 0, offset + len);
- ti = (tip) ?
tip : tir;
-
- switch (lcaf_type) {
- case LCAF_NULL:
- break;
- case LCAF_AFI_LIST:
-- offset = dissect_lcaf_afi_list(tvb, pinfo, lcaf_tree, offset, len);
-+ offset = dissect_lcaf_afi_list(payload_tvb, pinfo, lcaf_tree, offset, len);
- break;
- case LCAF_IID:
-- offset = dissect_lcaf_iid(tvb, pinfo, lcaf_tree, offset, ti);
-+ offset = dissect_lcaf_iid(payload_tvb, pinfo, lcaf_tree, offset, ti);
- break;
- case LCAF_ASN:
-- offset = dissect_lcaf_asn(tvb, pinfo, lcaf_tree, offset, ti);
-+ offset = dissect_lcaf_asn(payload_tvb, pinfo, lcaf_tree, offset, ti);
- break;
- case LCAF_GEO:
-- offset = dissect_lcaf_geo(tvb, pinfo, lcaf_tree, offset, ti);
-+ offset = dissect_lcaf_geo(payload_tvb, pinfo, lcaf_tree, offset, ti);
- break;
- case LCAF_NATT:
-- offset = dissect_lcaf_natt(tvb, pinfo, lcaf_tree, offset, len);
-+ offset = dissect_lcaf_natt(payload_tvb, pinfo, lcaf_tree, offset, len);
- break;
- case LCAF_NONCE_LOC:
-- offset = dissect_lcaf_nonce_loc(tvb, pinfo, lcaf_tree, offset, ti);
-+ offset = dissect_lcaf_nonce_loc(payload_tvb, pinfo, lcaf_tree, offset, ti);
- break;
- case LCAF_MCAST_INFO:
-- offset = dissect_lcaf_mcast_info(tvb, pinfo, lcaf_tree, offset, ti);
-+ offset = dissect_lcaf_mcast_info(payload_tvb, pinfo, lcaf_tree, offset, ti);
- break;
- case LCAF_ELP:
-- offset = dissect_lcaf_elp(tvb, pinfo, lcaf_tree, offset, len, ti);
-+ offset = dissect_lcaf_elp(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
- break;
- case LCAF_SRC_DST_KEY:
-- offset = dissect_lcaf_src_dst_key(tvb, pinfo, lcaf_tree, offset, ti);
-+ offset = dissect_lcaf_src_dst_key(payload_tvb, pinfo, lcaf_tree, offset, ti);
- break;
- case LCAF_RLE:
-- offset = dissect_lcaf_rle(tvb, pinfo, lcaf_tree, offset, len, ti);
-+ offset = dissect_lcaf_rle(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
- break;
- case LCAF_KV_ADDR_PAIR:
-- offset = dissect_lcaf_kv_addr_pair(tvb, pinfo, lcaf_tree, offset);
-+ offset = dissect_lcaf_kv_addr_pair(payload_tvb, pinfo, lcaf_tree, offset);
- break;
- case
LCAF_VENDOR:
-- offset = dissect_lcaf_vendor(tvb, pinfo, lcaf_tree, offset, len);
-+ offset = dissect_lcaf_vendor(payload_tvb, pinfo, lcaf_tree, offset, len);
- break;
- default:
- proto_tree_add_expert(tree, pinfo, &ei_lisp_undecoded, tvb, offset, len);
---
-GitLab
-
diff --git a/CVE-2023-1994.patch b/CVE-2023-1994.patch
deleted file mode 100644
index 8ab3a61ec05246cf80fed3111ffc10839861aed1..0000000000000000000000000000000000000000
--- a/CVE-2023-1994.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 8970fc17e8a9d48bc746855a7f2a7a3b1bd6a00e Mon Sep 17 00:00:00 2001
-From: Gerald Combs
-Date: Sun, 2 Apr 2023 15:29:12 -0700
-Subject: [PATCH] GQUIC: Fix a null pointer exception
-
-Ensure that dissect_gquic_frame_type has a valid info pointer.
-
-Fixes #18947.
-
-(cherry picked from commit ee314ace8ae2d2fa8c6f7280231010252054fd7b)
----
- epan/dissectors/packet-gquic.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/epan/dissectors/packet-gquic.c b/epan/dissectors/packet-gquic.c
-index c9e1be63069..66115ce14e0 100644
---- a/epan/dissectors/packet-gquic.c
-+++ b/epan/dissectors/packet-gquic.c
-@@ -204,6 +204,7 @@ static expert_field ei_gquic_tag_unknown = EI_INIT;
- static expert_field ei_gquic_version_invalid = EI_INIT;
- static expert_field ei_gquic_invalid_parameter = EI_INIT;
- static expert_field ei_gquic_length_invalid = EI_INIT;
-+static expert_field ei_gquic_data_invalid = EI_INIT;
-
- static const value_string gquic_short_long_header_vals[] = {
- { 0, "Short Header" },
-@@ -1743,6 +1744,11 @@ dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint
-
- int
- dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint8 len_pkn, gquic_info_data_t *gquic_info){
-+ if (!gquic_info) {
-+ expert_add_info(pinfo, gquic_tree, &ei_gquic_data_invalid);
-+ return offset + tvb_reported_length_remaining(tvb, offset);
-+ }
-+
- proto_item *ti, *ti_ft, *ti_ftflags /*, *expert_ti*/;
- proto_tree *ft_tree, *ftflags_tree;
- guint8 frame_type;
-@@ -3244,7 +3250,8 @@ proto_register_gquic(void)
- { &ei_gquic_tag_unknown, { "gquic.tag.unknown.data", PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
- { &ei_gquic_version_invalid, { "gquic.version.invalid", PI_MALFORMED, PI_ERROR, "Invalid Version", EXPFILL }},
- { &ei_gquic_invalid_parameter, { "gquic.invalid.parameter", PI_MALFORMED, PI_ERROR, "Invalid Parameter", EXPFILL }},
-- { &ei_gquic_length_invalid, {
"gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }} -+ { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }}, -+ { &ei_gquic_data_invalid, { "gquic.data.invalid", PI_PROTOCOL, PI_WARN, "Invalid Data", EXPFILL }}, - }; - - expert_module_t *expert_gquic; --- -GitLab - diff --git a/CVE-2023-2855.patch b/CVE-2023-2855.patch deleted file mode 100644 index 8e7476eda4f49b817f2c07a372408d8c618e94f7..0000000000000000000000000000000000000000 --- a/CVE-2023-2855.patch +++ /dev/null 
@@ -1,105 +0,0 @@
-From 9ce7445be0b38c4df824671ffe196177c2bd107e Mon Sep 17 00:00:00 2001
-From: Guy Harris
-Date: Tue, 16 May 2023 12:05:07 -0700
-Subject: [PATCH] candump: check for a too-long frame length.
-
-If the frame length is longer than the maximum, report an error in the
-file.
-
-Fixes #19062, preventing the overflow on a buffer on the stack (assuming
-your compiler doesn't call a bounds-checknig version of memcpy() if the
-size of the target space is known).
-
-(backported from commit 0181fafb2134a177328443a60b5e29c4ee1041cb)
----
- wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
- 1 file changed, 31 insertions(+), 8 deletions(-)
-
-diff --git a/wiretap/candump.c b/wiretap/candump.c
-index 28fda911072..f548cb0b6e6 100644
---- a/wiretap/candump.c
-+++ b/wiretap/candump.c
-@@ -34,8 +34,9 @@ void register_candump(void);
- * This is written by the candump utility on Linux.
- */
-
--static void
--candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
-+static gboolean
-+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
-+ gchar **err_info)
- {
- static const char *can_proto_name = "can-hostendian";
- static const char *canfd_proto_name = "canfd";
-@@ -67,6 +68,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
- {
- canfd_frame_t canfd_frame = {0};
-
-+ /*
-+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
-+ */
-+ if (msg->data.length > CANFD_MAX_DLEN) {
-+ *err = WTAP_ERR_BAD_FILE;
-+ if (err_info != NULL) {
-+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
-+ msg->data.length, CANFD_MAX_DLEN);
-+ }
-+ return FALSE;
-+ }
-+
- canfd_frame.can_id = msg->id;
- canfd_frame.flags = msg->flags;
- canfd_frame.len = msg->data.length;
-@@ -78,6 +91,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
- {
- can_frame_t can_frame = {0};
-
-+ /*
-+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
-+ */
-+ if (msg->data.length > CAN_MAX_DLEN) {
-+ *err = WTAP_ERR_BAD_FILE;
-+ if (err_info != NULL) {
-+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
-+ msg->data.length, CAN_MAX_DLEN);
-+ }
-+ return FALSE;
-+ }
-+
- can_frame.can_id = msg->id;
- can_frame.can_dlc = msg->data.length;
- memcpy(can_frame.data, msg->data.data, msg->data.length);
-@@ -93,6 +118,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
-
- rec->rec_header.packet_header.caplen = packet_length;
- rec->rec_header.packet_header.len = packet_length;
-+
-+ return TRUE;
- }
-
- static gboolean
-@@ -199,9 +226,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
- candump_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
- #endif
-
-- candump_write_packet(rec, buf, &msg);
--
-- return TRUE;
-+ return candump_write_packet(rec, buf, &msg, err, err_info);
- }
-
- static gboolean
-@@ -225,9 +250,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
- if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
- return FALSE;
-
-- candump_write_packet(rec, buf, &msg);
--
-- return TRUE;
-+ return candump_write_packet(rec, buf, &msg, err, err_info);
- }
-
- static const struct supported_block_type candump_blocks_supported[] = {
---
-GitLab
-
diff --git a/CVE-2023-2856.patch b/CVE-2023-2856.patch
deleted file mode 100644
index ec082d721d8a28e3bdf76a0968096aa4e9a01203..0000000000000000000000000000000000000000
--- a/CVE-2023-2856.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 1c264ced5701dd7ec22f425ee82c9e7abc45fe94 Mon Sep 17 00:00:00 2001
-From: Guy Harris
-Date: Thu, 18 May 2023 15:03:23 -0700
-Subject: [PATCH] vms: fix the search for the packet length field.
-
-The packet length field is of the form
-
- Total Length = DDD = ^xXXX
-
-where "DDD" is the length in decimal and "XXX" is the length in
-hexadecimal.
-
-Search for "length ". not just "Length", as we skip past "Length 
", not
-just "Length", so if we assume we found "Length " but only found
-"Length", we'd skip past the end of the string.
-
-While we're at it, fail if we don't find a length field, rather than
-just blithely acting as if the packet length were zero.
-
-Fixes #19083.
-
-(backported from commit db5135826de3a5fdb3618225c2ff02f4207012ca)
----
- wiretap/vms.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/wiretap/vms.c b/wiretap/vms.c
-index 600282e506c..7f82461570c 100644
---- a/wiretap/vms.c
-+++ b/wiretap/vms.c
-@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
- {
- char line[VMS_LINE_LENGTH + 1];
- int num_items_scanned;
-+ gboolean have_pkt_len = FALSE;
- guint32 pkt_len = 0;
- int pktnum;
- int csec = 101;
-@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
- return FALSE;
- }
- }
-- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
-+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
- p += sizeof("Length ");
- while (*p && ! g_ascii_isdigit(*p))
- p++;
-@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
- *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
- return FALSE;
- }
-+ have_pkt_len = TRUE;
- break;
- }
- } while (! isdumpline(line));
-+ if (!
have_pkt_len) {
-+ *err = WTAP_ERR_BAD_FILE;
-+ *err_info = g_strdup_printf("vms: Length field not found");
-+ return FALSE;
-+ }
- if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
- /*
- * Probably a corrupt capture file; return an error,
---
-GitLab
-
diff --git a/CVE-2023-2857.patch b/CVE-2023-2857.patch
deleted file mode 100644
index eee6643ba9d6e122b62285f61b2b704a916af651..0000000000000000000000000000000000000000
--- a/CVE-2023-2857.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From 6c7199da0c84a966ac9b06cd7fbb6aa0ccff9acb Mon Sep 17 00:00:00 2001
-From: Guy Harris
-Date: Tue, 16 May 2023 18:09:41 -0700
-Subject: [PATCH] blf: add some sanity checks.
-
-Have blf_pull_logcontainer_into_memory() return a libwiretap error code
-and additional information string, including various values being
-inconsistent.
-
-(If any of those correspond to identifiable file problems, they should
-be reported with WTAP_ERR_BAD_FILE and with a description more relevant
-to somebody writing code to write those files.)
-
-Fixes #19063.
-
-(backported from commit c899be35a94440b6c46cf5715c5f24eda597f4c1)
----
- wiretap/blf.c | 134 +++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 115 insertions(+), 19 deletions(-)
-
-diff --git a/wiretap/blf.c b/wiretap/blf.c
-index 92b7f55ed56..ed2ee5f7135 100644
---- a/wiretap/blf.c
-+++ b/wiretap/blf.c
-@@ -433,12 +433,18 @@ blf_find_logcontainer_for_address(blf_t *blf_data, gint64 pos, blf_log_container
- }
-
- static gboolean
--blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container) {
-+blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container, int *err, gchar **err_info) {
- blf_t *blf_data = params->blf_data;
- blf_log_container_t tmp;
-
- if (index_log_container >= blf_data->log_containers->len) {
-- ws_debug("cannot pull an unknown log container into memory");
-+ /*
-+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
-+ * malformed file (WTAP_ERR_BAD_FILE)?
-+ */
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: index_log_container (%u) >= blf_data->log_containers->len (%u)",
-+ index_log_container, blf_data->log_containers->len);
- return FALSE;
- }
-
-@@ -450,20 +456,56 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
-
- if (tmp.compression_method == BLF_COMPRESSION_ZLIB) {
- #ifdef HAVE_ZLIB
-- int err = 0;
-- gchar *err_info;
--
-- file_seek(params->fh, tmp.infile_data_start, SEEK_SET, &err);
-- if (err < 0) {
-- ws_debug("cannot seek to start of log_container");
-+ if (file_seek(params->fh, tmp.infile_data_start, SEEK_SET, err) == -1) {
- return FALSE;
- }
-
- /* pull compressed data into buffer */
- unsigned char *compressed_data = g_try_malloc0((gsize)tmp.infile_length);
-- guint64 data_length = (unsigned int)tmp.infile_length - (tmp.infile_data_start - tmp.infile_start_pos);
-- if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, &err, &err_info)) {
-- ws_debug("cannot read compressed data");
-+ if (tmp.infile_start_pos < 0) {
-+ /*
-+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
-+ * malformed file (WTAP_ERR_BAD_FILE)?
-+ */
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_start_pos (%" G_GINT64_FORMAT ") < 0",
-+ tmp.infile_start_pos);
-+ return FALSE;
-+ }
-+ if (tmp.infile_data_start < (guint64)tmp.infile_start_pos) {
-+ /*
-+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
-+ * malformed file (WTAP_ERR_BAD_FILE)?
-+ */
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_data_start (%" G_GUINT64_FORMAT ") < tmp.infile_start_pos (%" G_GINT64_FORMAT ")",
-+ tmp.infile_data_start, tmp.infile_start_pos);
-+ return FALSE;
-+ }
-+ if (tmp.infile_length < tmp.infile_data_start - (guint64)tmp.infile_start_pos) {
-+ /*
-+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
-+ * malformed file (WTAP_ERR_BAD_FILE)?
-+ */
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_length (%" G_GUINT64_FORMAT ") < (tmp.infile_data_start (%" G_GUINT64_FORMAT ") - tmp.infile_start_pos (%" G_GINT64_FORMAT ")) = %" G_GUINT64_FORMAT,
-+ tmp.infile_length,
-+ tmp.infile_data_start, tmp.infile_start_pos,
-+ tmp.infile_data_start - (guint64)tmp.infile_start_pos);
-+ return FALSE;
-+ }
-+ guint64 data_length = tmp.infile_length - (tmp.infile_data_start - (guint64)tmp.infile_start_pos);
-+ if (data_length > UINT_MAX) {
-+ /*
-+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
-+ * malformed file (WTAP_ERR_BAD_FILE)?
-+ */
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: data_length (%" G_GUINT64_FORMAT ") > UINT_MAX",
-+ data_length);
-+ return FALSE;
-+ }
-+ if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, err, err_info)) {
- return FALSE;
- }
-
-@@ -477,6 +519,18 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
-
- /* the actual DE-compression work. */
- if (Z_OK != inflateInit(&infstream)) {
-+ /*
-+ * XXX - check the error code and handle this appropriately.
-+ */
-+ *err = WTAP_ERR_INTERNAL;
-+ if (infstream.msg != NULL) {
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d, message\"%s\"",
-+ index_log_container,
-+ infstream.msg);
-+ } else {
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d",
-+ index_log_container);
-+ }
- ws_debug("inflateInit failed for LogContainer %d", index_log_container);
- if (infstream.msg != NULL) {
- ws_debug("inflateInit returned: \"%s\"", infstream.msg);
-@@ -487,6 +541,50 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
- int ret = inflate(&infstream, Z_NO_FLUSH);
- /* Z_OK should not happen here since we know how big the buffer should be */
- if (Z_STREAM_END != ret) {
-+ switch (ret) {
-+
-+ case Z_NEED_DICT:
-+ *err = WTAP_ERR_DECOMPRESS;
-+ *err_info = g_strdup("preset dictionary needed");
-+ break;
-+
-+ case Z_STREAM_ERROR:
-+ *err = WTAP_ERR_DECOMPRESS;
-+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
-+ break;
-+
-+ case Z_MEM_ERROR:
-+ /* This means "not enough memory". */
-+ *err = ENOMEM;
-+ *err_info = NULL;
-+ break;
-+
-+ case Z_DATA_ERROR:
-+ /* This means "deflate stream invalid" */
-+ *err = WTAP_ERR_DECOMPRESS;
-+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
-+ break;
-+
-+ case Z_BUF_ERROR:
-+ /* XXX - this is recoverable; what should we do here? */
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_BUF_ERROR from inflate(), message \"%s\"",
-+ (infstream.msg != NULL) ? infstream.msg : "(none)");
-+ break;
-+
-+ case Z_VERSION_ERROR:
-+ *err = WTAP_ERR_INTERNAL;
-+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_VERSION_ERROR from inflate(), message \"%s\"",
-+ (infstream.msg != NULL) ?
infstream.msg : "(none)"); -+ break; -+ -+ default: -+ *err = WTAP_ERR_INTERNAL; -+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: unexpected error %d from inflate(), message \"%s\"", -+ ret, -+ (infstream.msg != NULL) ? infstream.msg : "(none)"); -+ break; -+ } - ws_debug("inflate failed (return code %d) for LogContainer %d", ret, index_log_container); - if (infstream.msg != NULL) { - ws_debug("inflate returned: \"%s\"", infstream.msg); -@@ -495,6 +593,9 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe - } - - if (Z_OK != inflateEnd(&infstream)) { -+ /* Returns either Z_OK or Z_STREAM_ERROR. */ -+ *err = WTAP_ERR_DECOMPRESS; -+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL; - ws_debug("inflateEnd failed for LogContainer %d", index_log_container); - if (infstream.msg != NULL) { - ws_debug("inflateEnd returned: \"%s\"", infstream.msg); -@@ -506,6 +607,8 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe - g_array_index(blf_data->log_containers, blf_log_container_t, index_log_container) = tmp; - return TRUE; - #else -+ *err = WTAP_ERR_DECOMPRESSION_NOT_SUPPORTED; -+ *err_info = NULL; - return FALSE; - #endif - } -@@ -593,14 +696,7 @@ blf_read_bytes_or_eof(blf_params_t *params, guint64 real_pos, void *target_buffe - - case BLF_COMPRESSION_ZLIB: - while (current_container_index <= end_container_index) { -- if (!blf_pull_logcontainer_into_memory(params, current_container_index)) { -- /* -- * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a -- * malformed file (WTAP_ERR_BAD_FILE)? -- */ -- *err = WTAP_ERR_INTERNAL; -- *err_info = g_strdup_printf("blf_read_bytes_or_eof: cannot pull in container"); -- ws_debug("cannot pull in container"); -+ if (!blf_pull_logcontainer_into_memory(params, current_container_index, err, err_info)) { - return FALSE; - } - --- -GitLab - 
diff --git a/CVE-2023-2858.patch b/CVE-2023-2858.patch
deleted file mode 100644
index fac5147e1d9b7ff879412efeeba397935e981112..0000000000000000000000000000000000000000
--- a/CVE-2023-2858.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From a0403c4b396adacd666d8ebd3b97506e355e646c Mon Sep 17 00:00:00 2001
-From: Guy Harris
-Date: Fri, 19 May 2023 16:29:45 -0700
-Subject: [PATCH] netscaler: add more checks to make sure the record is within
- the page.
-
-Whie we're at it, restructure some other checks to test-before-casting -
-it's OK to test afterwards, but testing before makes it follow the
-pattern used elsewhere.
-
-Fixes #19081.
-
-
-(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105)
----
- wiretap/netscaler.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
-index 8dcbd42a089..b94caca0869 100644
---- a/wiretap/netscaler.c
-+++ b/wiretap/netscaler.c
-@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err,
-
- #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
- do {\
-- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
- /* Make sure the record header is entirely contained in the page */\
-- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
-+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
- *err = WTAP_ERR_BAD_FILE;\
- *err_info = g_strdup("nstrace: record header crosses page boundary");\
- return FALSE;\
- }\
-+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
- /* Check sanity of record size */\
- if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
- *err = WTAP_ERR_BAD_FILE;\
-@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
-
- case NSPR_ABSTIME_V10:
- {
-+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
-+ return FALSE;
- nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
-
if (pletoh16(&fp->nsprRecordSize) == 0) {
- *err = WTAP_ERR_BAD_FILE;
-@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
-
- case NSPR_RELTIME_V10:
- {
-+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
-+ return FALSE;
- nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
- if (pletoh16(&fp->nsprRecordSize) == 0) {
- *err = WTAP_ERR_BAD_FILE;
-@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
-
- default:
- {
-+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
-+ return FALSE;
- nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
- if (pletoh16(&fp->nsprRecordSize) == 0) {
- *err = WTAP_ERR_BAD_FILE;
-@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
-
- #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
- do {\
-- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
- /* Make sure the record header is entirely contained in the page */\
-- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
-+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
- *err = WTAP_ERR_BAD_FILE;\
- *err_info = g_strdup("nstrace: record header crosses page boundary");\
- g_free(nstrace_tmpbuff);\
- return FALSE;\
- }\
-+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
- (rec)->rec_type = REC_TYPE_PACKET;\
- (rec)->block = wtap_block_create(WTAP_BLOCK_PACKET);\
- TIMEDEFV##ver((rec),fp,type);\
-@@ -1615,7 +1621,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
- g_free(nstrace_tmpbuff);
- return FALSE;
- }
--
- hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
- if
(nspr_getv20recordsize(hdp) == 0) {
- *err = WTAP_ERR_BAD_FILE;
---
-GitLab
-
diff --git a/CVE-2023-2879.patch b/CVE-2023-2879.patch
deleted file mode 100644
index b47d631c4ff3f8f2e2014cab60441c282df3bb14..0000000000000000000000000000000000000000
--- a/CVE-2023-2879.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3412780abd6f44ff1613cd1472c867b8372de24c Mon Sep 17 00:00:00 2001
-From: John Thacker
-Date: Sat, 13 May 2023 21:45:16 -0400
-Subject: [PATCH] GDSDB: Make sure our offset advances.
-
-add_uint_string() returns the next offset to use, not the number
-of bytes consumed. So to consume all the bytes and make sure the
-offset advances, return the entire reported tvb length, not the
-number of bytes remaining.
-
-Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
-
-Fixes #19068
-
-
-(cherry picked from commit 118815ca7c9f82c1f83f8f64d9e0e54673f31677)
----
- epan/dissectors/packet-gdsdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
-index 13ba8b37628..e2dd332ca85 100644
---- a/epan/dissectors/packet-gdsdb.c
-+++ b/epan/dissectors/packet-gdsdb.c
-@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
- int ret_offset = offset + length;
- if (length < 4 || ret_offset < offset) {
- expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
-- return tvb_reported_length_remaining(tvb, offset);
-+ return tvb_reported_length(tvb);
- }
- return ret_offset;
- }
---
-GitLab
-
diff --git a/SIGNATURES-3.6.11.txt b/SIGNATURES-3.6.11.txt
deleted file mode 100644
index f0154c6059f9a44e4989cf396ab60526cbdb259a..0000000000000000000000000000000000000000
Binary files a/SIGNATURES-3.6.11.txt and /dev/null differ
diff --git a/SIGNATURES-3.6.14.txt b/SIGNATURES-3.6.14.txt new file mode 100644 index 0000000000000000000000000000000000000000..2cae2909aed6cce50245238a0a2e0c6b1fe80c51 Binary files /dev/null and b/SIGNATURES-3.6.14.txt differ diff --git a/wireshark-3.6.11.tar.xz b/wireshark-3.6.14.tar.xz similarity index 77% rename from wireshark-3.6.11.tar.xz rename to wireshark-3.6.14.tar.xz index 1065315c627bdb78f2bcd829e368b7028c0ae648..1655c0b1f789c1249c6634b12067c64d2cb4ae6f 100644 Binary files a/wireshark-3.6.11.tar.xz and b/wireshark-3.6.14.tar.xz differ diff --git a/wireshark.spec b/wireshark.spec index 896a170af7f7617a88a99eb0fa38dc98c4d7a202..317406d22dd8a90c580bc54cdcbada4b2935b7e8 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -4,8 +4,8 @@ Summary: Network traffic analyzer Name: wireshark -Version: 3.6.11 -Release: 4 +Version: 3.6.14 +Release: 1 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -21,16 +21,6 @@ Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch7: wireshark-0007-cmakelists.patch -Patch8: CVE-2023-1161.patch -Patch9: CVE-2023-1992.patch -Patch10: CVE-2023-1993.patch -Patch11: CVE-2023-1994.patch -Patch12: CVE-2023-0668.patch -Patch13: CVE-2023-2855.patch -Patch14: CVE-2023-2856.patch -Patch15: CVE-2023-2857.patch -Patch16: CVE-2023-2858.patch -Patch17: CVE-2023-2879.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -205,6 +195,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Thu Jun 15 2023 wangkai <13474090681@163.com> - 1:3.6.14-1 +- Update to 3.6.14 for fix CVE-2023-0667,CVE-2023-2952 + * Tue May 30 2023 yaoxin - 1:3.6.11-4 - Fix CVE-2023-0668,CVE-2023-2855,CVE-2023-2856,CVE-2023-2857,CVE-2023-2858 and CVE-2023-2879
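Review bot: The Patch8–Patch17 declarations dropped in the second wireshark.spec hunk have no matching removal of the lines that apply them; %prep is outside this hunk, so if the spec applies patches with individual `%patchN` lines rather than `%autosetup`, those lines must be removed as well or the build fails on an undefined patch. The changelog entry in the last hunk records only CVE-2023-0667 and CVE-2023-2952, although the same commit deletes ten local CVE backports; the entry should state that those fixes are now carried by the upstream 3.6.14 tarball so the package's security-fix history stays auditable, e.g. `- Drop CVE-2023-0668/1161/1992/1993/1994/2855/2856/2857/2858/2879 patches, included upstream in 3.6.14`. Whether 3.6.14 actually contains each of those ten fixes cannot be verified from this diff and should be confirmed against the upstream release notes before the patches are dropped.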