From 117534b3ee4e71f66b79fa873df4413888b82d85 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 6 Sep 2023 19:52:28 +0800
Subject: [PATCH] Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513
(cherry picked from commit 5b19e6cbe88eb30c730c291ce3dec9ea182b002f)
---
 CVE-2023-2906.patch | 36 +++++++
 CVE-2023-3649.patch | 227 ++++++++++++++++++++++++++++++++++++++++++
 CVE-2023-4511.patch | 80 +++++++++++++++
 CVE-2023-4513-1.patch | 39 ++++++++
 CVE-2023-4513-2.patch | 32 ++++++
 wireshark.spec | 10 +-
 6 files changed, 423 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-2906.patch
 create mode 100644 CVE-2023-3649.patch
 create mode 100644 CVE-2023-4511.patch
 create mode 100644 CVE-2023-4513-1.patch
 create mode 100644 CVE-2023-4513-2.patch
diff --git a/CVE-2023-2906.patch b/CVE-2023-2906.patch
new file mode 100644
index 0000000..1d56a77
--- /dev/null
+++ b/CVE-2023-2906.patch
@@ -0,0 +1,36 @@
+From 0b874ad0f50f71a5b780cb915ea62f8625112402 Mon Sep 17 00:00:00 2001
+From: Jaap Keuter
+Date: Thu, 27 Jul 2023 20:21:19 +0200
+Subject: [PATCH] CP2179: Handle timetag info response without records
+
+Fixes #19229
+
+(cherry picked from commit 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d)
+---
+ epan/dissectors/packet-cp2179.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c
+index 30f53f84946..70fe0332843 100644
+--- a/epan/dissectors/packet-cp2179.c
++++ b/epan/dissectors/packet-cp2179.c
+@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int
+ proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+
+ num_records = tvb_get_guint8(tvb, offset) & 0x7F;
++ offset += 1;
++
++ if (num_records == 0 || numberofcharacters <= 1)
++ break;
++
+ recordsize = (numberofcharacters-1) / num_records;
+ num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */
+
+- offset += 1;
+-
+ for (x = 0; x < num_records; x++)
+ {
+ cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1);
+--
+GitLab
+
diff --git a/CVE-2023-3649.patch b/CVE-2023-3649.patch
new file mode 100644
index 0000000..5ee4a68
--- /dev/null
+++ b/CVE-2023-3649.patch
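Review bot: The added guard `if (num_records == 0 || numberofcharacters <= 1) break;` stops the division by zero, but `num_values = (recordsize-6) / 2` on the following line is still computed without checking that `recordsize` is at least 6; when a frame reports many records for a short payload the subtraction goes negative (or wraps, if `recordsize` is unsigned — its declaration is outside the hunk) and that value then feeds the per-record loop below. Adding `if (recordsize < 6) break;` directly after the `recordsize` assignment closes that case with the same control flow the patch already uses. dissect_response_frame starts and ends outside the hunk.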
@@ -0,0 +1,227 @@ +From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Sat, 24 Jun 2023 00:34:50 -0400 +Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress + +Use tvb_ functions that do bounds checking when parsing the +TargetAddress string, instead of incrementing a pointer to an +extracted char* and sometimes accidentally overrunning the +string. + +While we're there, go ahead and add support for IPv6 addresses. + +Fix #19164 + +(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21) +--- + epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++---------------- + 1 file changed, 75 insertions(+), 71 deletions(-) + +diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c +index 031f07e5aa6..3b5d64de9fd 100644 +--- a/epan/dissectors/packet-iscsi.c ++++ b/epan/dissectors/packet-iscsi.c +@@ -20,8 +20,6 @@ + + #include "config.h" + +-#include +- + #include + #include + #include +@@ -29,6 +27,7 @@ + #include "packet-scsi.h" + #include + #include ++#include + #include + #include + +@@ -514,70 +513,81 @@ typedef struct _iscsi_conv_data { + dissector for the address/port that TargetAddress points to. 
+ (it starts to be common to use redirectors to point to non-3260 ports) + */ ++static address null_address = ADDRESS_INIT_NONE; ++ + static void +-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset) ++iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset) + { +- address *addr = NULL; ++ address addr = ADDRESS_INIT_NONE; + guint16 port; +- char *value = wmem_strdup(pinfo->pool, val); +- char *p = NULL, *pgt = NULL; +- +- if (value[0] == '[') { +- /* this looks like an ipv6 address */ +- p = strchr(value, ']'); +- if (p != NULL) { +- *p = 0; +- p += 2; /* skip past "]:" */ +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } ++ int colon_offset; ++ int end_offset; ++ char *ip_str, *port_str; ++ ++ colon_offset = tvb_find_guint8(tvb, offset, -1, ':'); ++ if (colon_offset == -1) { ++ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified, ++ * it is assumed to be the IANA-assigned default port for iSCSI", ++ * so nothing to do here. ++ */ ++ return; ++ } + +- /* can't handle ipv6 yet */ ++ /* We found a colon, so there's at least one byte and this won't fail. 
*/ ++ if (tvb_get_guint8(tvb, offset) == '[') { ++ offset++; ++ /* could be an ipv6 address */ ++ end_offset = tvb_find_guint8(tvb, offset, -1, ']'); ++ if (end_offset == -1) { ++ return; + } +- } else { +- /* This is either a ipv4 address or a dns name */ +- int i0,i1,i2,i3; +- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) { +- /* looks like a ipv4 address */ +- p = strchr(value, ':'); +- if (p != NULL) { +- char *addr_data; +- +- *p++ = 0; +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } + +- addr_data = (char *) wmem_alloc(pinfo->pool, 4); +- addr_data[0] = i0; +- addr_data[1] = i1; +- addr_data[2] = i2; +- addr_data[3] = i3; +- +- addr = wmem_new(pinfo->pool, address); +- addr->type = AT_IPv4; +- addr->len = 4; +- addr->data = addr_data; ++ /* look for the colon before the port, if any */ ++ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':'); ++ if (colon_offset == -1) { ++ return; ++ } + +- if (!ws_strtou16(p, NULL, &port)) { +- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, +- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p); +- } +- } ++ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr); ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII); ++ if (ws_inet_pton6(ip_str, ip6_addr)) { ++ /* looks like a ipv6 address */ ++ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr); ++ } + ++ } else { ++ /* This is either a ipv4 address or a dns name */ ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII); ++ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr); ++ if (ws_inet_pton4(ip_str, ip4_addr)) { ++ /* looks like a ipv4 address */ ++ set_address(&addr, AT_IPv4, 4, ip4_addr); + } ++ /* else a DNS host name; we could, theoretically, try to use ++ * name resolution information in the capture to lookup the address. 
++ */ + } + ++ /* Extract the port */ ++ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ','); ++ int port_len; ++ if (end_offset == -1) { ++ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1); ++ } else { ++ port_len = end_offset - (colon_offset + 1); ++ } ++ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII); ++ if (!ws_strtou16(port_str, NULL, &port)) { ++ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, ++ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str); ++ return; ++ } + + /* attach a conversation dissector to this address/port tuple */ +- if (addr && !pinfo->fd->visited) { ++ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) { + conversation_t *conv; + +- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2); ++ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2); + if (conv == NULL) { + return; + } +@@ -589,30 +599,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, + static gint + addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) { + const gint limit = offset + text_len; ++ tvbuff_t *keyvalue_tvb; ++ int len, value_offset; + + while(offset < limit) { +- char *key = NULL, *value = NULL; +- gint len = tvb_strnlen(tvb, offset, limit - offset); +- +- if(len == -1) { +- len = limit - offset; +- } else { +- len = len + 1; +- } +- +- key = tvb_get_string_enc(pinfo->pool, tvb, offset, len, ENC_ASCII); +- if (key == NULL) { +- break; +- } +- value = strchr(key, '='); +- if (value == NULL) { ++ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the ++ * last or only pair in a LTDS, MUST be followed by one null (0x00) ++ * delimiter. 
++ */ ++ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len); ++ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len); ++ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '='); ++ if (value_offset == -1) { + break; + } +- *value++ = 0; ++ value_offset++; + +- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA); +- if (!strcmp(key, "TargetAddress")) { +- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2); ++ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) { ++ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset); + } + + offset += len; +@@ -2943,7 +2947,7 @@ proto_register_iscsi(void) + }, + { &hf_iscsi_KeyValue, + { "KeyValue", "iscsi.keyvalue", +- FT_STRING, BASE_NONE, NULL, 0, ++ FT_STRINGZ, BASE_NONE, NULL, 0, + "Key/value pair", HFILL } + }, + { &hf_iscsi_Text_F, +-- +GitLab + diff --git a/CVE-2023-4511.patch b/CVE-2023-4511.patch new file mode 100644 index 0000000..ef31fa4 --- /dev/null +++ b/CVE-2023-4511.patch 
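Review bot: In addTextKeys the new `proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len)` scans to the next NUL anywhere in `tvb`, whereas the removed `tvb_strnlen(tvb, offset, limit - offset)` capped each pair at the end of the text segment; unless `tvb` is already a subset covering only the text (not visible in the hunk), an unterminated last pair can run past `limit` into whatever follows and `offset += len` then overshoots it. Restoring the bound is two lines before the add, `len = tvb_strnlen(tvb, offset, limit - offset);` and `len = (len == -1) ? limit - offset : len + 1;`, then passing `len` in place of `-1`. In iscsi_dissect_TargetAddress, when no comma follows the port, `port_len = tvb_reported_length_remaining(tvb, colon_offset + 1)` appears to include the FT_STRINGZ terminator byte of the key/value subset, so the expert-info highlight is one byte wider than the port text (`ws_strtou16` stops at the NUL, so parsing is unaffected). Both functions continue outside the hunk.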
@@ -0,0 +1,80 @@ +From d3068e8d2e80908ab284c2bcc96d3ff7f8a5c1ae Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Thu, 10 Aug 2023 05:29:09 -0400 +Subject: [PATCH] btsdp: Keep offset advancing + +hf_data_element_value is a FT_NONE, so we can add the item with +the expected length and get_hfi_length() will adjust the length +without throwing an exception. There's no need to add it with +zero length and call proto_item_set_len. Also, don't increment +the offset by 0 instead of the real length when there isn't +enough data in the packet, as that can lead to failing to advance +the offset. + +When dissecting a sequence type (sequence or alternative) and +recursing into the sequence member, instead of using the main +packet tvb directly, create a subset using the indicated length +of the sequence. That will properly throw an exception if a +contained item is larger than the containing sequence, instead of +dissecting the same bytes as several different items (inside +the sequence recursively, as well in the outer loop.) 
+ +Fix #19258 + + +(cherry picked from commit ef9c79ae81b00a63aa8638076ec81dc9482972e9) +--- + epan/dissectors/packet-btsdp.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c +index 66265d6ef92..34d8ee80b89 100644 +--- a/epan/dissectors/packet-btsdp.c ++++ b/epan/dissectors/packet-btsdp.c +@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree, + offset += len - length; + } + +- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA); ++ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA); + if (length > tvb_reported_length_remaining(tvb, offset)) { + expert_add_info(pinfo, pitem, &ei_data_element_value_large); +- length = 0; +- } +- proto_item_set_len(pitem, length); +- if (length == 0) ++ proto_item_append_text(pitem, ": MISSING"); ++ } else if (length == 0) + proto_item_append_text(pitem, ": MISSING"); + + if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value); +@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + gint bytes_to_go = size; + gint first = 1; + wmem_strbuf_t *substr; ++ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size); ++ gint next_offset = 0; + + ti = proto_tree_add_item(next_tree, (type == 6) ? 
hf_data_element_value_sequence : hf_data_element_value_alternative, + tvb, offset, size, ENC_NA); +@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + first = 0; + } + +- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid, ++ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset, ++ attribute, service_uuid, + service_did_vendor_id, service_did_vendor_id_source, + service_hdp_data_exchange_specification, service_info, &substr); + if (size < 1) { + break; + } + wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_finalize(substr)); +- offset += size ; ++ next_offset += size; + bytes_to_go -= size; + } + +-- +GitLab + diff --git a/CVE-2023-4513-1.patch b/CVE-2023-4513-1.patch new file mode 100644 index 0000000..5f29a38 --- /dev/null +++ b/CVE-2023-4513-1.patch 
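Review bot: In dissect_sdp_type the new `tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size);` runs at declaration, before `ti = proto_tree_add_item(next_tree, ..., tvb, offset, size, ENC_NA)`, so a sequence whose declared `size` exceeds the remaining data throws before its own tree item exists and the truncated sequence leaves no node in the tree to point at; creating the subset right after the `proto_tree_add_item` and `proto_item_add_subtree` lines would keep that node, at least when the sequence field type tolerates an over-long length the way the commit message says `hf_data_element_value` (FT_NONE) does. In dissect_data_element both branches append `": MISSING"` and the `else if (length == 0)` body is unbraced next to a braced `if`; either brace it or fold the two into one `if (length > tvb_reported_length_remaining(tvb, offset) || length == 0)` with the `expert_add_info` call kept under the first condition. Both functions start and end outside the hunk.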
@@ -0,0 +1,39 @@
+From 863f6c3dc760ab770a7b31b33e9c769868e4289b Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Thu, 10 Aug 2023 01:19:21 -0400
+Subject: [PATCH] wmem: Fix leak in block_fast when realloc'ing jumbo blocks
+
+In block fast wmem_allocator is used, keep the double linked
+list of jumbo blocks accurate by pointing the prev pointer of
+the old head (if it exists) to the newly allocated jumbo block.
+
+This prevents a leak if a jumbo block which is not the most
+recently added jumbo block is realloc'ed. If the prev pointer
+isn't set properly, then all the jumbo blocks added afterwards
+will be lost from the list and leaked.
+
+Fix #19259
+
+
+(cherry picked from commit d086f2733bc611eb310aafec51bd28d44166fa42)
+---
+ wsutil/wmem/wmem_allocator_block_fast.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/wsutil/wmem/wmem_allocator_block_fast.c b/wsutil/wmem/wmem_allocator_block_fast.c
+index bdb8c2f75dc..117e9df6193 100644
+--- a/wsutil/wmem/wmem_allocator_block_fast.c
++++ b/wsutil/wmem/wmem_allocator_block_fast.c
+@@ -97,6 +97,9 @@ wmem_block_fast_alloc(void *private_data, const size_t size)
+ size + WMEM_JUMBO_HEADER_SIZE + WMEM_CHUNK_HEADER_SIZE);
+
+ block->next = allocator->jumbo_list;
++ if (block->next) {
++ block->next->prev = block;
++ }
+ block->prev = NULL;
+ allocator->jumbo_list = block;
+
+--
+GitLab
+
diff --git a/CVE-2023-4513-2.patch b/CVE-2023-4513-2.patch
new file mode 100644
index 0000000..eacd070
--- /dev/null
+++ b/CVE-2023-4513-2.patch
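Review bot: The three added lines restore the list invariant silently; a comment above `if (block->next) {` would keep the reason from being lost in the next refactor, e.g. `/* Keep the jumbo list doubly linked: the old head must point back at the new head, otherwise unlinking a non-head block on realloc drops every block pushed after it (leak, see #19259). */`. The unlink paths that read `prev` are outside this hunk and are the other half of the invariant worth checking alongside it. wmem_block_fast_alloc continues beyond the hunk.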
@@ -0,0 +1,32 @@
+From 016af38af0a27b14c8e2fb4fb3e2c4811bb0211b Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Thu, 10 Aug 2023 02:47:58 -0400
+Subject: [PATCH] btsdp: Finalize wmem_strbuf
+
+The allocated wmem_strbuf isn't used after this, so it can
+be finalized to save a bit of memory.
+
+Related to #19259
+
+
+(cherry picked from commit 7fecc31427e0ec5e55ac2611df94678940c1df7d)
+---
+ epan/dissectors/packet-btsdp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
+index a60b3051b4d..66265d6ef92 100644
+--- a/epan/dissectors/packet-btsdp.c
++++ b/epan/dissectors/packet-btsdp.c
+@@ -3543,7 +3543,7 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
+ if (size < 1) {
+ break;
+ }
+- wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
++ wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_finalize(substr));
+ offset += size ;
+ bytes_to_go -= size;
+ }
+--
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index 369e7d9..9bdbf5c 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -5,7 +5,7 @@ Summary: Network traffic analyzer
 Name: wireshark
 Version: 3.6.14
-Release: 2
+Release: 3
 Epoch: 1
 License: GPL+
 Url: http://www.wireshark.org/
@@ -22,6 +22,11 @@ Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
 Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch
 Patch7: wireshark-0007-cmakelists.patch
 Patch8: CVE-2023-3648.patch
+Patch9: CVE-2023-3649.patch
+Patch10: CVE-2023-2906.patch
+Patch11: CVE-2023-4513-1.patch
+Patch12: CVE-2023-4513-2.patch
+Patch13: CVE-2023-4511.patch
 Requires: xdg-utils
 Requires: hicolor-icon-theme
@@ -196,6 +201,9 @@ exit 0
 %{_mandir}/man?/*
 %changelog
+* Wed Sep 06 2023 wangkai <13474090681@163.com> - 1:3.6.14-3
+- Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513
+
 * Thu Jul 27 2023 liningjie - 1:3.6.14-2
 - Fix CVE-2023-3648
--
Gitee
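Review bot: After `wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_finalize(substr));` the `substr` variable still holds a pointer to a strbuf that, per the commit message, has been released to save memory, yet it stays in scope; the hunk only shows it being reached again through the loop (its reassignment by dissect_sdp_type is outside the hunk), so any later read would be a use-after-free the pool allocator may not catch. Following the call with `substr = NULL;` or a comment `/* substr is invalid after finalize */` makes the ownership handoff explicit. dissect_sdp_type continues outside the hunk.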
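Review bot: `Patch13: CVE-2023-4511.patch` depends on `Patch12: CVE-2023-4513-2.patch` being applied first — the 4511 hunk at `@@ -3537,14 +3537,15 @@` carries the `wmem_strbuf_finalize(substr)` context line that 4513-2 introduces, and its `index 66265d6ef92..34d8ee80b89` precondition is the blob 4513-2 produces — so the current order is right but nothing in the spec records the constraint. A comment above the entry, `# CVE-2023-4511.patch must apply after CVE-2023-4513-2.patch (shared packet-btsdp.c context)`, would keep a future renumbering from breaking the build.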